<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Renewing a Subordinate CA Certificate for firewall, issued by MS Server Enterprise CA in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/renewing-a-subordinate-ca-certificate-for-firewall-issued-by-ms/m-p/445660#M100492</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105682"&gt;@tonyrobson&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;I don't&amp;nbsp;&lt;I&gt;believe&amp;nbsp;&lt;/I&gt;you really have many options to properly renew a sub-ca. I personally wouldn't have done what you did and used the same certificate name, instead using a new certificate name so that the current certificate and the new certificate are distinctly different things from the firewall's perspective. This allows you to begin transitioning to the new certificate while maintaining the old certificate until everything has been migrated over or it expires.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 05 Nov 2021 03:10:15 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2021-11-05T03:10:15Z</dc:date>
    <item>
      <title>Renewing a Subordinate CA Certificate for firewall, issued by MS Server Enterprise CA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/renewing-a-subordinate-ca-certificate-for-firewall-issued-by-ms/m-p/445526#M100481</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've been looking all over for some guidance on this, without much joy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am trying to renew a subordinate-CA certificate on a firewall, that was issued by a Windows Server Enterprise CA.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Obviously there is no Renew function on the firewall for that cert as it was externally issued - and it appears on Windows server you can only renew Subordinate-CA certificates for domain servers (I think?).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So based on the above, I generated a new certificate request, matching the name of the original (the certificate then shows as pending), and went through the signing process the same as last time and re-imported.&amp;nbsp; The certificate shows as having the expected new date and shows as valid, the chain hierarchy remains intact in the GUI, however, all the certificates signed by the previous certificate no longer work at all, for any function, SSL Decryption, GlobalProtect, Secure comms etc, and all need to be re-issued/signed by the new certificate.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So I dug out the original certificate request from a few years ago, and tried to submit that instead, and it also seems to present me with a new certificate rather than one maintaining the serial number.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;So what is the process to renew the certificate without invalidating the signed certificates?&lt;/P&gt;</description>
      <pubDate>Thu, 04 Nov 2021 18:40:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/renewing-a-subordinate-ca-certificate-for-firewall-issued-by-ms/m-p/445526#M100481</guid>
      <dc:creator>tonyrobson</dc:creator>
      <dc:date>2021-11-04T18:40:28Z</dc:date>
    </item>
    <item>
      <title>Re: Renewing a Subordinate CA Certificate for firewall, issued by MS Server Enterprise CA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/renewing-a-subordinate-ca-certificate-for-firewall-issued-by-ms/m-p/445660#M100492</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105682"&gt;@tonyrobson&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;I don't&amp;nbsp;&lt;I&gt;believe&amp;nbsp;&lt;/I&gt;you really have many options to properly renew a sub-ca. I personally wouldn't have done what you did and used the same certificate name, instead using a new certificate name so that the current certificate and the new certificate are distinctly different things from the firewall's perspective. This allows you to begin transitioning to the new certificate while maintaining the old certificate until everything has been migrated over or it expires.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 05 Nov 2021 03:10:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/renewing-a-subordinate-ca-certificate-for-firewall-issued-by-ms/m-p/445660#M100492</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2021-11-05T03:10:15Z</dc:date>
    </item>
    <item>
      <title>Re: Renewing a Subordinate CA Certificate for firewall, issued by MS Server Enterprise CA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/renewing-a-subordinate-ca-certificate-for-firewall-issued-by-ms/m-p/445782#M100501</link>
      <description>&lt;P&gt;Actually I've found an advantage to using the original CSR; you can renew the child certificates then using the renew button, compared to when you use a new CSR for the Sub-CA, whenever you try to renew the child certs it can't sign them, presumably because of the private key change, so you have to generate new certificates individually for each one, doing all the attributes again and typing out names to match etc.&amp;nbsp; If you use the Sub-CA with the original CSR though it allows a single click renew, much quicker and easier.&lt;/P&gt;</description>
      <pubDate>Fri, 05 Nov 2021 15:01:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/renewing-a-subordinate-ca-certificate-for-firewall-issued-by-ms/m-p/445782#M100501</guid>
      <dc:creator>tonyrobson</dc:creator>
      <dc:date>2021-11-05T15:01:24Z</dc:date>
    </item>
  </channel>
</rss>

