CA certificate renewal - three level PKI structure

Posted by Martin on November 24, 2007, 5:54 pm
Hi,

My organisation has an Enterprise CA in the AD domain. Its certificate will
expire within 1 year from now, so we need to renew it. It is the "lowest" CA
in a three level PKI structure (higher level Root and Sub are standalone CAs).
The renewal event is an occasion to simplify our PKI structure. We don't
really need two higher level CAs; two levels should be enough. The best
solution is to recertify the Enterprise CA with the Root CA, not the Sub CA as it was
done before. Has anyone done it before? Is there any danger that PKI
services in the domain will fail and become unusable?

Thank you.

Martin.




Posted by Brian Komar on November 24, 2007, 7:01 pm
There really should not be any issues.
The catch, though, is that you could have certificates that were issued the
day before the enterprise CA was renewed that will need to validate the
previous enterprise CA certificate.
What you can do to protect against revocation checking issues is to issue a
new CRL at the 2nd tier (before you remove it) that is good for at least 1
year.
Make sure you publish the 1yr+ CRL at the relevant CDP locations (and keep
the old 2nd CA certificate at the AIA locations) for at least a year.

This should allow for a smooth transition.

Brian



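A check for the transition Brian describes, added here as an example and not code from the thread or from Microsoft: it builds a constructed stand-in for the retiring 2nd-tier CA and its final CRL with Go's crypto/x509, then verifies that the CRL is signed by that CA and that both the CRL's NextUpdate and the CA certificate's NotAfter outlast the longest-lived certificate still out under the old chain. The CA name, the lifetimes and the 300-day leaf expiry are assumed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA is a constructed stand-in for the retiring 2nd-tier CA (self-signed here,
// because only its CRL-signing role matters for the check below).
func newCA(life time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Old Sub CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(life), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// finalCRL issues the retiring CA's last CRL with the given validity window.
func finalCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, valid time.Duration) *x509.RevocationList {
	der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(valid)}, ca, key)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// CoversTransition checks that the final CRL really comes from the old CA and that both its
// NextUpdate and the CA cert's NotAfter outlast the latest expiry among certs issued under
// the old chain; otherwise relying parties will hit a stale CRL or a broken chain later.
func CoversTransition(ca *x509.Certificate, crl *x509.RevocationList, lastLeafExpiry time.Time) error {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by old CA: %w", err)
	}
	if crl.NextUpdate.Before(lastLeafExpiry) || ca.NotAfter.Before(lastLeafExpiry) {
		return fmt.Errorf("CRL (%s) or CA cert (%s) expires before last issued cert (%s)",
			crl.NextUpdate, ca.NotAfter, lastLeafExpiry)
	}
	return nil
}

func main() { // sample run: a 1-year final CRL covers a cert with 300 days left
	ca, key := newCA(730 * 24 * time.Hour)
	fmt.Println(CoversTransition(ca, finalCRL(ca, key, 365*24*time.Hour), time.Now().Add(300*24*time.Hour)))
}
```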