Is it possible to renew the certificate of a subordinate CA without losing the validity of certificates already issued by it?
Greetings, comrades!
Here is the situation. The domain network has the following PKI structure:
By coincidence, the first two CAs were lost forever, and their functions are now performed by the subordinate CAs of another site, but! As you can see from the figure, they show a warning about the expiration of their certificate. Accordingly, a new certificate needs to be requested from the Root CA.
After requesting a certificate from the Root CA:
1. Will the certificates that have already been issued to computers and users remain valid? (I plan to request it for the old key pair.)
2. Will the already issued certificate be updated, or will a new certificate be issued and the old certificate revoked?
I read the renewal manuals, but the fate of already issued certificates was not entirely clear. I understood that when generating a certificate from a new key pair, the old ones will have to be revoked (again, it is not entirely clear whether they are revoked after the new ones are issued, or the new ones are received after the revocation).
PS A system has been deployed on the network that, based on the validity of the certificate, allows a PC onto the local network; as soon as the certificate ceases to be valid, the PC drops out of the network. Therefore, revoking the old certificates without issuing new ones would automatically turn all PCs into pumpkins.
In general, the issue was resolved. I requested a certificate from the root CA using the old key pair. The request was made through the Certification Authority snap-in.
By the way, some computers changed their certificate automatically (rather, they simply requested a new one automatically after the old one expired, once the CA certificate had been renewed), but some computers were left with the old certificate (these computers had made their request before the subordinate CA's certificate was renewed). To assign them an updated certificate "by hand", rather than wait for a second request from them, you need to go to the
"Certification Authority" snap-in -> Failed Requests; in the "Status Code" field there will be a message stating that the certificate for the computer was not issued because the issuance period is longer than the validity period of the CA certificate itself (I don't remember the exact wording; the issuance template should be "Computer" or "Machine"). Select all requests with this code, and in the context menu select: All Tasks -> Issue. After that, an updated certificate will be issued.
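A scripted equivalent of the "Failed Requests -> All Tasks -> Issue" step above, added here as an example and not part of the original answer. It runs on the subordinate CA after its certificate has been renewed, uses only the built-in certutil, and assumes (verify on your own CA before relying on it) that failed requests carry disposition value 31 and that certutil's CSV headers are "Request ID", "Certificate Template" and "Request Disposition Message"; run it with -WhatIf first to list candidates without changing the CA database.

```powershell
# Added example: resubmit failed machine-certificate requests after the
# subordinate CA certificate was renewed on the old key pair.
# ASSUMPTIONS: disposition 31 = failed request; CSV column names as used below.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Template display name, as in the answer ("Computer" or "Machine").
    [string]$TemplatePattern = 'Machine|Computer',
    # Text expected in the disposition message of the requests to re-issue.
    [string]$ReasonPattern   = 'validity|expire'
)

# Pull only failed requests, with just the columns needed to decide and to resubmit.
$raw = certutil -view -restrict "Disposition=31" `
    -out "RequestID,CertificateTemplate,Request.DispositionMessage" csv

# certutil appends a status line after the CSV rows; keep rows with a numeric ID only.
$rows = $raw | ConvertFrom-Csv |
    Where-Object { $_.'Request ID' -match '^\d+$' }

$candidates = @($rows | Where-Object {
    $_.'Certificate Template'        -match $TemplatePattern -and
    $_.'Request Disposition Message' -match $ReasonPattern
})

Write-Host ("{0} failed request(s) match template '{1}' and reason '{2}'" -f `
    $candidates.Count, $TemplatePattern, $ReasonPattern)

foreach ($req in $candidates) {
    $id = $req.'Request ID'
    # With -WhatIf this only reports what would be resubmitted.
    if ($PSCmdlet.ShouldProcess("request $id ($($req.'Certificate Template'))",
                                'certutil -resubmit')) {
        certutil -resubmit $id
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Resubmit of request $id failed (exit code $LASTEXITCODE)"
        }
    }
}
```

After resubmitting, check the Issued Certificates node (or certutil -view -restrict "Disposition=20") to confirm the new certificates now carry the renewed CA certificate's validity period.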