Windows 2000 Certificate Services and Public Key Infrastructure
If a CA's certificate expires, the CA can no longer provide certificate services. Before the CA certificate expires, you can use the Certification Authority console to renew the CA to provide uninterrupted certificate services. The interval that is required for CA renewal depends on the certificate life cycle that you designed for the public key infrastructure.
After you renew a CA, the CA continues to issue certificates by using the new CA certificate, and the cycle starts over. The prerenewal CA certificate remains trusted, so nonexpired certificates that were issued by the prerenewal CA continue to be trusted until they expire or are revoked.
You have the option of renewing the CA certificate by using the existing key set of the prerenewal CA certificate. However, the longer a key set is in use, the greater the risk that the key set will be compromised. The risks of longer key lifetimes involve many complex factors, including key length and protection from attacks. For more information about risk factors for cryptographic keys, see "Cryptography for Network and Information Security" in this book.
To use the Certification Authority console to renew a CA certificate
The Renew CA Certificate dialog box appears.
For root CAs, the certificate is renewed and no further action is required. For subordinate CAs, the Complete this CA Installation dialog box appears.
The Parent CA box displays the name of the CA that is running on the server computer that you have selected.
The renewal request is sent to the parent CA to process. When the parent CA issues the new certificate, the CA certificate of the child CA is renewed.
Root CA certificates are renewed with the same lifetime as the original certificate. Subordinate CA certificates are renewed with the lifetime that is determined by the parent CA.
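The following Python model, added here as an illustration and not part of the resource kit or of Windows 2000 itself, shows why the prerenewal CA certificate must stay trusted and how the choice between reusing the key set and generating a new one affects chain building. It represents certificates as plain records: `key_id` stands in for the Subject Key Identifier and `issuer_key_id` for the Authority Key Identifier, which is how a path builder matches a leaf certificate to the right CA certificate when several certificates exist for the same CA name. The CA name "Example Root CA", the key labels and all dates are constructed; the rule that an issued certificate never outlives the CA certificate that signs it is a modelling assumption, not something stated on this page. Root renewals keep the original lifetime, as described above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Model of CA certificate renewal (constructed example, not Windows 2000 code).
# The CA keeps its name across renewals; only the certificate and, optionally,
# the key set change. key_id stands in for the Subject Key Identifier.

@dataclass(frozen=True)
class CACert:
    name: str
    key_id: str
    not_before: date
    not_after: date
    generation: int  # 0 = original certificate, 1 = first renewal, ...

@dataclass(frozen=True)
class EndEntityCert:
    subject: str
    issuer_name: str
    issuer_key_id: str  # stands in for the Authority Key Identifier
    not_before: date
    not_after: date

def issue(ca: CACert, subject: str, issued_on: date, lifetime: timedelta) -> EndEntityCert:
    """Issue a certificate under `ca`. Modelling assumption: the issued
    certificate never outlives the CA certificate that signs it."""
    not_after = min(issued_on + lifetime, ca.not_after)
    return EndEntityCert(subject, ca.name, ca.key_id, issued_on, not_after)

def renew_root(ca: CACert, renewed_on: date, new_key_id: Optional[str] = None) -> CACert:
    """Renew a root CA certificate with the same lifetime as the original.
    Omit new_key_id to reuse the existing key set; pass one to renew with a
    fresh key set (the new certificate then carries a different key identifier)."""
    lifetime = ca.not_after - ca.not_before
    key_id = new_key_id if new_key_id is not None else ca.key_id
    return CACert(ca.name, key_id, renewed_on, renewed_on + lifetime, ca.generation + 1)

def find_issuer(store: list, leaf: EndEntityCert, on: date) -> Optional[CACert]:
    """Chain building against a trust store that may hold several certificates
    for the same CA: match issuer name and key identifier, then require the CA
    certificate itself to be valid on `on`. The newest matching generation wins."""
    matches = [c for c in store
               if c.name == leaf.issuer_name and c.key_id == leaf.issuer_key_id
               and c.not_before <= on <= c.not_after]
    return max(matches, key=lambda c: c.generation, default=None)

def is_trusted(store: list, leaf: EndEntityCert, on: date) -> bool:
    """A leaf is trusted on `on` if it is within its own validity period and
    some trusted CA certificate in the store can be found as its issuer."""
    if not (leaf.not_before <= on <= leaf.not_after):
        return False
    return find_issuer(store, leaf, on) is not None

def demo() -> dict:
    # Constructed scenario: a two-year root certificate, a leaf issued in its
    # second year, then a renewal in September 2001 done both ways.
    root = CACert("Example Root CA", "key-1", date(2000, 1, 1), date(2002, 1, 1), 0)
    old_leaf = issue(root, "server.example", date(2001, 6, 1), timedelta(days=365))

    same_key = renew_root(root, date(2001, 9, 1))                     # reuse key set
    new_key = renew_root(root, date(2001, 9, 1), new_key_id="key-2")  # fresh key set
    new_leaf = issue(new_key, "other.example", date(2001, 12, 1), timedelta(days=365))

    check = date(2001, 12, 1)   # after renewal, before the original CA cert expires
    later = date(2002, 6, 1)    # after the original CA cert has expired
    same_issuer = find_issuer([root, same_key], old_leaf, check)
    new_issuer = find_issuer([root, new_key], old_leaf, check)
    return {
        # the leaf was clipped to the original CA certificate's expiry
        "old_leaf_not_after": old_leaf.not_after.isoformat(),
        # with the key set reused, the renewed CA cert itself validates the old leaf
        "same_key_validator_gen": same_issuer.generation if same_issuer else None,
        # with a new key set, only the prerenewal CA cert can validate the old leaf
        "new_key_validator_gen": new_issuer.generation if new_issuer else None,
        # dropping the prerenewal CA cert from the store breaks old leaves
        "new_key_without_old_cert": is_trusted([new_key], old_leaf, check),
        "old_leaf_after_original_expiry": is_trusted([root, new_key], old_leaf, later),
        "new_leaf_after_original_expiry": is_trusted([root, new_key], new_leaf, later),
        "renewed_lifetime_days": (same_key.not_after - same_key.not_before).days,
    }
```

Running `demo()` shows the two renewal modes side by side: when the key set is reused, the renewed certificate carries the same key identifier and can stand in as issuer for certificates issued before renewal; when a new key set is generated, those certificates chain only to the prerenewal CA certificate, which is why that certificate must remain in the trust store until everything it signed has expired or been revoked. The `is_trusted([new_key], ...)` call demonstrates the failure you would see if the prerenewal certificate were removed early.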