Renewing a Subordinate CA Certificate for firewall, issued by MS Server Enterprise CA


L1 Bithead



I've been looking all over for some guidance on this, without much joy.


I am trying to renew a subordinate-CA certificate on a firewall, that was issued by a Windows Server Enterprise CA.


Obviously there is no Renew function on the firewall for that cert as it was externally issued - and it appears on Windows server you can only renew Subordinate-CA certificates for domain servers (I think?).


So based on the above, I generated a new certificate request, matching the name of the original (the certificate then shows as pending), and went through the signing process the same as last time and re-imported.  The certificate shows as having the expected new date and shows as valid, the chain hierarchy remains intact in the GUI, however, all the certificates signed by the previous certificate no longer work at all, for any function, SSL Decryption, GlobalProtect, Secure comms etc, and all need to be re-issued/signed by the new certificate.


So I dug out the original certificate request from a few years ago, and tried to submit that instead, and it also seems to present me with a new certificate rather than one maintaining the serial number.

So what is the process to renew the certificate without invalidating the signed certificates?


Cyber Elite


I don't believe you really have many options to properly renew a sub-CA. I personally wouldn't have done what you did and use the same certificate name, instead using a new certificate name so that the current certificate and the new certificate are distinctly different things from the firewall's perspective. This allows you to begin transitioning to the new certificate while maintaining the old certificate until everything has been migrated over or it expires.

Actually I've found an advantage to using the original CSR; you can renew the child certificates then using the renew button, compared to when you use a new CSR for the Sub-CA, whenever you try to renew the child certs it can't sign them, presumably because of the private key change, so you have to generate new certificates individually for each one, doing all the attributes again and typing out names to match etc.  If you use the Sub-CA with the original CSR though it allows a single click renew, much quicker and easier.
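
Added example, not part of the thread: a throwaway PKI built with the `openssl` CLI that reproduces the two renewal paths discussed above, resubmitting the original CSR (same key pair, new serial number) versus generating a new CSR under the same name (new key pair), and checks whether a previously issued child certificate still chains. The root stands in for the Enterprise CA; all subject names and file names are constructed, and it assumes `openssl` is installed.

```shell
#!/bin/sh
# Constructed lab PKI: every name, lifetime and file here is made up for the demo.
set -eu
cd "$(mktemp -d)"
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid\n' > leaf.ext

new_csr() {  # $1 = file basename, $2 = subject; writes $1.key and $1.csr
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
}
sign_subca() {  # $1 = CSR, $2 = output cert; the root assigns a fresh serial each time
  openssl x509 -req -in "$1" -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out "$2" 2>/dev/null
}
pubkey_fp() {  # SHA-256 of the certificate's public key (SubjectPublicKeyInfo, PEM)
  openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}
leaf_chains_via() {  # succeeds only if leaf.crt verifies through sub-CA cert $1
  openssl verify -CAfile root.crt -untrusted "$1" leaf.crt >/dev/null 2>&1
}

# Root (stands in for the Enterprise CA) and the original sub-CA certificate.
new_csr root "/CN=Lab Root CA"
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 \
  -out root.crt 2>/dev/null
new_csr sub "/CN=Lab Firewall Sub CA"
sign_subca sub.csr sub_old.crt

# A child certificate issued by the original sub-CA key.
new_csr leaf "/CN=portal.lab.example"
openssl x509 -req -in leaf.csr -CA sub_old.crt -CAkey sub.key -CAcreateserial \
  -extfile leaf.ext -days 30 -out leaf.crt 2>/dev/null

# Renewal A: original CSR resubmitted (same key). Renewal B: new CSR, same name.
sign_subca sub.csr sub_renewed.crt
new_csr sub2 "/CN=Lab Firewall Sub CA"
sign_subca sub2.csr sub_rekeyed.crt

for c in sub_old.crt sub_renewed.crt sub_rekeyed.crt; do
  if leaf_chains_via "$c"; then r=valid; else r=BROKEN; fi
  printf '%-16s %s key=%.16s leaf=%s\n' "$c" \
    "$(openssl x509 -in "$c" -noout -serial)" "$(pubkey_fp "$c")" "$r"
done
```

Comparing `pubkey_fp` of the current and the renewed sub-CA certificate before importing it shows in advance whether existing child certificates will keep validating.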
