root ca RenewalKeyLength change

ritchie1230@gmail.com

Hello,

I recently installed a certification authority (windows server 2003 R2
SP2) consisting of a standalone root ca and one enterprise subordinate
issuing ca.

I installed the root ca with a private/public key length of RSA 4096
bits and would like to change it to RSA 2048 bits.

I understand that I could change it by changing the value in the
CAPolicy.inf RenewalKeyLength=2048 (from 4096) and performing a
renewal of the root ca.

I would like to know if this can be achieved by renewing the root ca
with the same key, or do I have to choose a new key.

Secondly, if I need to choose a new key, do I have to renew my issuing
certification authority and request a new certificate from the root.

Thanks,
 

Brian Komar

Answers inline...

On Sat, 07 Jul 2007 15:29:26 -0700, ritchie1230@gmail.com wrote:

> Hello,
>
> I recently installed a certification authority (windows server 2003 R2
> SP2) consisting of a standalone root ca and one enterprise subordinate
> issuing ca.
>
> I installed the root ca with a private/public key length of RSA 4096
> bits and would like to change it to RSA 2048 bits.
>
> I understand that I could change it by changing the value in the
> CAPolicy.inf RenewalKeyLength=2048 (from 4096) and performing a
> renewal of the root ca.


Yes, this is the *only* way to do it, short of reinstalling the entire CA
hierarchy (new root CA, and new issuing CA).
>
> I would like to know if this can be achieved by renewing the root ca
> with the same key, or do I have to choose a new key.

OK.... Think about this one carefully. You want to change to a 2048 bit
key... And you want to use the same 4096 bit key to accomplish this... And
this will work because....
Seriously, the answer is no. You cannot create a 2048 bit key out of an
existing 4096 bit key.
>
> Secondly, if I need to choose a new key, do I have to renew my issuing
> certification authority and request a new certificate from the root.


If you are doing this because certain apps are failing due to inability to
recognize the 4096 bit root CA (Java, Cisco VPN 3000, Nortel Contivity are
common culprits), you will have to renew the issuing CA certificate, and
then request new certificates for *all* clients (users and machine).

>
> Thanks,

No Problem.
 

ritchie1230@gmail.com

On Jul 7, 9:38 pm, Brian Komar <bkom...@identit.nospam.ca> wrote:
> If you are doing this because certain apps are failing due to inability to
> recognize the 4096 bit root CA (Java, Cisco VPN 3000, Nortel Contivity are
> common culprits), you will have to renew the issuing CA certificate, and
> then request new certificates for *all* clients (users and machine).


Thank you for your response,

I have another question regarding the renewal at the Issuing CA. I
expect to keep the key length the same at the issuing ca.

Do I need to generate a new public and private key pair, or can I
reuse the current public and private key pair?

Thank you,
 

Brian Komar

On Mon, 09 Jul 2007 06:58:19 -0700, ritchie1230@gmail.com wrote:

> Thank you for your response,
>
> I have another question regarding the renewal at the Issuing CA. I
> expect to keep the key length the same at the issuing ca.
>
> Do I need to generate a new public and private key pair, or can I
> reuse the current public and private key pair?
>
> Thank you,


You can re-use the key pair in this case.
Brian
 

ritchie1230@gmail.com

On Jul 9, 11:42 am, Brian Komar <bkom...@identit.nospam.ca> wrote:
> You can re-use the key pair in this case.
> Brian


Thank you again,

I hope I am not wearing out my welcome with this post,

I ran through the renewal process in our lab without a hitch,

As I am going through the process in production, I go through the
process of renewing the root ca, transfer the updated certificate
file to the subordinate ca, publish it to Active Directory,

publish the CRL to Active Directory,

copy the updated .crt and .crl files to the designated http location.

When I attempt to renew the issuing ca (with a new key pair, "same as
in the lab"), the process looks OK, but the certificate services restart
and generate the following error message:

"the system cannot find the path specified 0x80070002 (WIN32:2)"

Any ideas on what may be causing this error,

Thanks,
 

ritchie1230@gmail.com

On Jul 10, 2:05 pm, ritchie1...@gmail.com wrote:
> When I attempt to renew the issuing ca (with a new key pair, "same as
> in the lab"), the process looks OK, but the certificate services restart
> and generate the following error message:
>
> "the system cannot find the path specified 0x80070002 (WIN32:2)"


Correction:

The error was as follows,

"The system cannot find the path specified. 0x80070003 (WIN32: 3)"

Note: I am using a central website location for http publication, not
the default location on the issuing CA's

Thanks,
 

ritchie1230@gmail.com

On Jul 9, 11:42 am, Brian Komar <bkom...@identit.nospam.ca> wrote:
> You can re-use the key pair in this case.
> Brian


Hello,

I found the solution to this issue,

When I installed the issuing ca(s), at the point where you are
prompted to save the request to a file (it defaults to C:\issuing ca-name.req),
I was instead saving it to a removable media drive location.

When I went to renew, that location was not available.

There is a reference in the Microsoft Certificate Services build guide,
pg. 55, that notes that during this step you should not save the file to
removable media, because it stores this location in the registry. I
don't have the guide on hand, but it gives you the registry path that
is referenced. So if that path is not available at renewal time, the
renewal will fail with the error I received above.

This is the system path it could not find.

Thanks again,
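The two things that tripped up this renewal, the CAPolicy.inf RenewalKeyLength value from the first exchange and the saved request-file path from the last post, can both be checked before clicking "Renew CA Certificate". The PowerShell below is an added example, not code from this thread, from Brian Komar, or from Microsoft. It assumes (these are assumptions, not something the thread states) that the active CA name is held in the `Active` value under the CertSvc `Configuration` registry key, that the CA's own subkey stores the original request path in a `RequestFileName` value (the registry location the build guide is said to reference), and that CAPolicy.inf lives in %SystemRoot%. Run it elevated on the CA itself.

```powershell
# Added example (not from the thread): pre-flight checks before renewing a
# Windows CA certificate. Exits non-zero if something would make the
# renewal fail or do something other than intended.
#
# ASSUMED registry layout (label: assumption, verify on your own CA):
#   HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Active      -> CA name
#   ...\Configuration\<CA name>\RequestFileName                              -> saved .req path

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey     = Join-Path $configKey $caName
$problems  = @()

# 1. Saved request-file location. If its directory is gone (removable media,
#    as in the thread), renewal fails with 0x80070003 (WIN32: 3, path not found).
$reqFile = (Get-ItemProperty -Path $caKey -Name RequestFileName -ErrorAction SilentlyContinue).RequestFileName
if (-not $reqFile) {
    $problems += "RequestFileName is not set under $caKey (assumed value name)."
} else {
    $reqDir = Split-Path -Path $reqFile -Parent
    if (-not (Test-Path -Path $reqDir -PathType Container)) {
        $problems += "Request file directory '$reqDir' is missing; renewal would fail with 0x80070003."
        # Remedy: repoint the value at a fixed local path before renewing, e.g.
        # Set-ItemProperty -Path $caKey -Name RequestFileName -Value "C:\$caName.req"
    }
}

# 2. Intended key length: RenewalKeyLength in the [Certsrv_Server] section of CAPolicy.inf.
$policy   = Join-Path $env:SystemRoot 'CAPolicy.inf'
$intended = $null
if (Test-Path -Path $policy) {
    $inServer = $false
    foreach ($line in Get-Content -Path $policy) {
        if ($line -match '^\s*\[(.+)\]') { $inServer = ($Matches[1] -eq 'Certsrv_Server'); continue }
        if ($inServer -and $line -match '^\s*RenewalKeyLength\s*=\s*(\d+)') { $intended = [int]$Matches[1] }
    }
}
if (-not $intended) {
    $problems += "No RenewalKeyLength found in $policy; the renewal will keep the current key length."
}

# 3. Current CA certificate key length, read from the machine personal store.
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if ($caCert) {
    $current = $caCert.PublicKey.Key.KeySize
    "Current CA key: $current bits; CAPolicy.inf RenewalKeyLength: $intended"
    if ($intended -and $intended -ne $current) {
        # As answered in the thread: a different length means a NEW key pair, not a reuse,
        # and the issuing CA certificate (and possibly all client certificates) must follow.
        "Note: key length changes from $current to $intended; renew with a new key pair."
    }
} else {
    $problems += "No certificate for CN=$caName found in Cert:\LocalMachine\My."
}

if ($problems) {
    $problems | ForEach-Object { "PROBLEM: $_" }
    exit 1
}
"Pre-flight checks passed for CA '$caName'."
```

The script only reads registry values and the certificate store; the one write it suggests (repointing `RequestFileName` to a local path) is left commented so the operator decides. The CAPolicy.inf parser is deliberately section-aware so that a `RenewalKeyLength` line outside `[Certsrv_Server]` is not mistaken for the effective setting.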
 