How to Rotate a Certificate Authority Without Outage

Overview - How to Renew a Certificate Authority Without Outage

Renewing a Certificate Authority (CA) is a critical task that must be performed without causing disruptions to the services that rely on the certificates issued by the CA. This guide outlines the steps necessary to rotate a private CA seamlessly, ensuring that all dependent systems continue to function without interruption.

Differences Between Renewing a Root CA and a Subordinate CA

When renewing a Root CA, the process is more complex and requires careful planning. The Root CA is the trust anchor for all certificates issued by it and its subordinate CAs. In practice, renewing a Root CA means issuing the new Root CA certificate, distributing it to all clients, and ensuring that all services trust the new Root CA. Only then can you start issuing certificates from the new Root CA.

In contrast, renewing a Subordinate CA is generally simpler. The Subordinate CA is already trusted because it chains up to the Root CA, so the renewal process typically involves issuing a new certificate for the Subordinate CA and updating any services that rely on it (for example, the Intune SCEP CA has to be updated to the new certificate). However, it is still important to ensure that the new Subordinate CA certificate is properly distributed and trusted by all dependent systems: it is not strictly necessary to push the intermediate CA to every client, since clients can fetch it through the Authority Information Access (AIA) extension, but distributing it is still recommended to speed up validation.

What are the Steps to Renew a Certificate Authority Without Outage

  1. Check where your CA is used: Identify all services and systems that rely on the CA for certificate issuance (e.g., Intune, VPN, Wi-Fi (RADIUS), Active Directory, Entra ID CBA, etc.).
  2. Issue a new CA certificate: Use your PKI solution to issue a new certificate for the CA. If you are using EZCA, you can do this by navigating to the CA in the EZCA portal, clicking “View Details” and then “Renew CA”. If you are using a different PKI solution, please do not renew using the same key pair: this can cause an outage, because the parent CA is located by its public key, and if the public key is unchanged a client may pick the old, expired certificate and fail validation.
  3. Distribute the new CA certificate: Ensure that the new CA certificate is distributed to all systems and services that rely on it. This can be done through Group Policy, MDM solutions like Intune, or manual installation. Note: do not delete the old CA certificate; doing so will break authentication with the certificates that were issued by the old CA. Let it run its course, and once all certificates have been issued by the new CA you can remove it (or you can leave it in place; an expired CA certificate in a cert store does no harm).
  4. If using SCEP, update the SCEP CA: If you are using SCEP for certificate issuance, update the SCEP CA to use the new CA certificate. This is crucial to ensure that devices can continue to request certificates without interruption.
  5. Issue new test certificates to test systems: Before rolling out the new CA certificate widely, issue test certificates to a few test systems to ensure that everything is working correctly and that you did not miss any place where the CA certificate must be pushed.
  6. Roll out the new CA certificate: Once you have verified that the new CA certificate works correctly with the test systems, roll it out to all systems and services that rely on the CA.
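The following script is an added example, not code from the original article or from EZCA; it rehearses steps 2 and 3 of the procedure above with the openssl command line tool (assumed to be on PATH, version 1.1.1 or 3.x) in a throwaway directory. It builds the currently deployed hierarchy (root, intermediate, leaf), a correctly renewed hierarchy from a root with a fresh key pair, and a deliberately wrong renewal that reuses the old root's key pair. It then shows two things the text warns about: a same-key renewal produces the same Subject Key Identifier as the old root (so the two certificates are indistinguishable to a client that locates the parent CA by key), and a leaf issued under the old root keeps validating only while the old root remains in the trust store. All names, subjects and file names are constructed for the demo, and P-256 keys are an assumption chosen for speed, not something the article specifies.

```shell
#!/bin/sh
# Added example (not from the original article): CA rotation rehearsal with
# the openssl CLI, assumed on PATH (1.1.1 or 3.x). All names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cat > ca.ext <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
cat > leaf.ext <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_root NAME [KEYFILE]: self-signed root. The subject is the same every
# time, as it would be in a real renewal; a fresh key is generated unless
# KEYFILE is given (the "same key pair" mistake from step 2).
make_root() {
  if [ $# -gt 1 ]; then cp "$2" "$1.key"
  else openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"; fi
  openssl req -x509 -new -config req.cnf -extensions v3_root -key "$1.key" \
    -sha256 -days 3650 -subj "/CN=Example Root CA" -out "$1.crt"
}

# make_child NAME ISSUER EXTFILE: new key and CSR, signed by ISSUER.
make_child() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -config req.cnf -key "$1.key" -sha256 -subj "/CN=$1" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -sha256 -days 825 -extfile "$3" -out "$1.crt" 2>/dev/null
}

# ski FILE: Subject Key Identifier of a certificate (hex, whitespace removed).
ski() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Key Identifier/ { getline; gsub(/[[:space:]]/, ""); print; exit }'
}

# verify_leaf TRUSTFILE INTERMEDIATE LEAF: prints OK or FAIL.
verify_leaf() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then echo OK
  else echo FAIL; fi
}

# Deployed hierarchy, renewed hierarchy (step 2 done right), and the
# same-key "renewal" (step 2 done wrong).
make_root old
make_child int_old old ca.ext
make_child leaf_old int_old leaf.ext
make_root new
make_child int_new new ca.ext
make_child leaf_new int_new leaf.ext
make_root old_renewed old.key

# Step 3: during the overlap period the trust store carries both roots.
cat old.crt new.crt > trust_overlap.pem

same_key_renewal_collides() { [ "$(ski old.crt)" = "$(ski old_renewed.crt)" ] && echo yes || echo no; }
new_key_renewal_distinct()  { [ "$(ski old.crt)" != "$(ski new.crt)" ] && echo yes || echo no; }

echo "same-key renewal reuses the old SKI: $(same_key_renewal_collides)"
echo "new-key renewal gets a distinct SKI: $(new_key_renewal_distinct)"
echo "old leaf, both roots trusted:        $(verify_leaf trust_overlap.pem int_old.crt leaf_old.crt)"
echo "new leaf, both roots trusted:        $(verify_leaf trust_overlap.pem int_new.crt leaf_new.crt)"
echo "old leaf after removing the old root: $(verify_leaf new.crt int_old.crt leaf_old.crt)"
```

The last line is the outage from step 3 in miniature: once the old root is dropped from the trust store, every certificate still chaining to it stops validating, even though the new root with the identical subject name is present. The SKI comparison is the check worth running against your own renewed CA certificate before distributing it: if it matches the old certificate's SKI, the renewal reused the key pair.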