Hi, I've been looking all over for some guidance on this, without much joy. I am trying to renew a subordinate-CA certificate on a firewall that was issued by a Windows Server Enterprise CA. Obviously there is no Renew function on the firewall for that cert, as it was externally issued, and it appears that on Windows Server you can only renew subordinate-CA certificates for domain servers (I think?).

So, based on the above, I generated a new certificate request matching the name of the original (the certificate then shows as pending), went through the signing process the same as last time, and re-imported it. The certificate shows the expected new date and shows as valid, and the chain hierarchy remains intact in the GUI. However, all the certificates signed by the previous certificate no longer work at all, for any function (SSL decryption, GlobalProtect, secure comms, etc.), and all need to be re-issued/signed by the new certificate.

So I dug out the original certificate request from a few years ago and tried to submit that instead, and it also seems to present me with a new certificate rather than one maintaining the serial number. So what is the process to renew the certificate without invalidating the signed certificates?
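The following is an added example, not code from the original post, the firewall vendor or Microsoft. It rebuilds the situation above with the openssl CLI in a throwaway lab PKI (all names, subjects and serial numbers are made up): a root CA, a "Firewall Sub CA", and one leaf certificate issued by that sub-CA. It then renews the sub-CA twice, once from a freshly generated CSR (new key pair) and once by re-submitting the original CSR (same key pair), and checks whether the old leaf still chains to the root through each renewed certificate. What it shows is that chain building depends on the issuer name and the signing key (Subject/Authority Key Identifier plus the signature itself), not on the serial number: every signing produces a new serial, and that is fine. Whether a given firewall lets you import the same-key renewal in place of the existing sub-CA object is product-specific and outside what this example can show.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce a sub-CA renewal with
# openssl and show which renewal keeps already-issued leaf certificates valid.
# All names, subjects and serial numbers below are constructed lab values.
set -eu

# EC P-256 keys keep the demo fast; the argument applies to RSA keys too.
genkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# Sign a sub-CA CSR with the root. Each run gets a fresh serial, as any CA would.
sign_with_root() {
  openssl x509 -req -in "$1" -CA root.crt -CAkey root.key -set_serial "$2" \
    -extfile ca.ext -days 730 -out "$3" 2>/dev/null
}

# Create a throwaway PKI: root CA -> "Firewall Sub CA" -> one leaf certificate.
setup_pki() {
  WORK="$(mktemp -d)"
  cd "$WORK"

  # Minimal req config so the demo does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > req.cnf

  # Extension profiles, reduced to the pieces chain building cares about.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > root.ext
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > leaf.ext

  # Self-signed root (stands in for the Windows Enterprise CA).
  genkey root.key
  openssl req -config req.cnf -new -key root.key -subj "/CN=Lab Root CA" -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -set_serial 0x01 -extfile root.ext -days 3650 -out root.crt 2>/dev/null

  # Sub-CA: key pair and CSR generated on the "firewall", signed by the root.
  genkey subca.key
  openssl req -config req.cnf -new -key subca.key -subj "/CN=Firewall Sub CA" -out subca.csr
  sign_with_root subca.csr 0x1001 subca.crt

  # One leaf issued by the sub-CA before renewal (the GlobalProtect / decryption
  # / management certs in the post are all in this position).
  genkey leaf.key
  openssl req -config req.cnf -new -key leaf.key -subj "/CN=portal.lab.example" -out leaf.csr
  openssl x509 -req -in leaf.csr -CA subca.crt -CAkey subca.key -set_serial 0x2001 \
    -extfile leaf.ext -days 365 -out leaf.crt 2>/dev/null
}

# Renewal A: "generate a new certificate request" on the device, i.e. a new key
# pair and therefore a new CSR, signed by the root under the same name.
renew_subca_new_key() {
  genkey subca-newkey.key
  openssl req -config req.cnf -new -key subca-newkey.key -subj "/CN=Firewall Sub CA" -out subca-newkey.csr
  sign_with_root subca-newkey.csr 0x1002 subca-newkey.crt
}

# Renewal B: re-submit the ORIGINAL CSR (same key pair, same subject).
# The serial number still changes; only key and name stay the same.
renew_subca_same_key() {
  sign_with_root subca.csr 0x1003 subca-samekey.crt
}

# Does leaf.crt still chain to the root through the given sub-CA cert? Prints ok/FAIL.
verify_leaf() {
  if openssl verify -CAfile root.crt -untrusted "$1" leaf.crt >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# Serial number and SHA-256 of the public key, to show which one actually changed.
cert_serial() { openssl x509 -in "$1" -noout -serial; }
cert_key_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

cleanup_pki() { cd / && rm -rf "$WORK"; }

# Stand-alone run: one line per sub-CA certificate.
setup_pki
renew_subca_new_key
renew_subca_same_key
for c in subca.crt subca-newkey.crt subca-samekey.crt; do
  printf '%-20s %-13s key=%s...  leaf chains: %s\n' \
    "$c" "$(cert_serial "$c")" "$(cert_key_fp "$c" | cut -c1-16)" "$(verify_leaf "$c")"
done
cleanup_pki
```

The output has the original and the same-key renewal sharing a key fingerprint but carrying different serials, with the leaf chaining through both; the new-key renewal has the same name but a different key, and the leaf no longer chains through it, which is the behaviour described in the post. The practical check on a real device is the same comparison: extract the public key from the old and the renewed sub-CA certificate and confirm the fingerprints match before expecting existing leaves to keep working.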