renewed offline root ca, published to ad, old cert still remains in client stores?


i have renewed offline root ca's cert same key. moved cert on subordinate , published ad "certutil -f -dspublish "ca01_ps inc. root ca(1).crt" rootca". see on root ca's certificate located in cn=certification authorities has been updated via 'whenchanged'. i've forced gpupdate on clients , see renewed root ca in client's "trusted root certification authorities\certificates" stores. awesome, worked.

two questions:

1)

i still see old root ca certificate in client stores? in adsi edit see 1 certificate in cn=certification authorities in pkiview see 2 (one ok , 1 untrusted root).

unless isn’t problem how go cleaning old root ca certificate clients' stores?

**** note: aware in picture below renewed root ca’s certificate has shorter validity period previous certificate. understand problems cause, in lab , when building had inconsistently capolicy.inf.

2)

when moving root ca’s new certificate aia locations delete old cert , rename new 1 exclude “(1)”. imagine because aia location extension <serverdnsname>_<caname><certificatename>.crt no (1).

thanks! 

your mistake removing previous version of root ca trusted root ca. in production, have numerous certificates chain previous version of root ca certificate, removing trust anchor invalidates certificates.

i renew new key pair there chain clarity.

brian



Windows Server  >  Security



Comments

Popular posts from this blog

CRL Revocation always failed

Failed to query the results of bpa xpath

0x300000d errors in Microsoft Remote Desktop client