root ca renewalkeylength change

  • Thread starter Thread starter ritchie1230@gmail.com
  • Start date Start date
R

ritchie1230@gmail.com

Hello,

I recently installed a certification authority (windows server 2003 R2
SP2) consisting of a standalone root ca and one enterprise subordinate
issuing ca.

I installed the root ca with a private/public key length of RSA 4096
bits and would like to change it to RSA 2048 bits.

I understand that I could change it by changing the value in the
CAPolicy.inf RenewalKeyLength=2048 (from 4096) and performing a
renewal the root ca.

I would like to know if this can be achieved by renewing the root ca
with the same key, or do I have to choose a new key.

Secondly, if I need to choose a new key, do I have to renew my issuing
certification authority and request a new certificate from the root.

Thanks,
 
Answers inline...

On Sat, 07 Jul 2007 15:29:26 -0700, ritchie1230@gmail.com wrote:

> Hello,
>
> I recently installed a certification authority (windows server 2003 R2
> SP2) consisting of a standalone root ca and one enterprise subordinate
> issuing ca.
>
> I installed the root ca with a private/public key length of RSA 4096
> bits and would like to change it to RSA 2048 bits.
>
> I understand that I could change it by changing the value in the
> CAPolicy.inf RenewalKeyLength=2048 (from 4096) and performing a
> renewal the root ca.

Yes, this is the *only* way to do it, short of reinstalling the entire CA
hierarchy (new root CA, and new issuing CA).
>
> I would like to know if this can be achieved by renewing the root ca
> with the same key, or do I have to choose a new key.
OK.... Think about this one carefully. You want to change to a 2048 bit
key... And you want to use the same 4096 bit key to accomplish this... And
this will work because....
Seriously, the answer is no. You cannot create a 2048 bit key out of an
existing 4096 bit key.
>
> Secondly, if I need to choose a new key, do I have to renew my issuing
> certification authority and request a new certificate from the root.

If you are doing this because certain apps are failing due to inability to
recognize the 4096 bit root CA (Java, Cisco VPN 3000, Nortel Contivity are
common culprits), you will have to renew the issuing CA certificate, and
then request new certificates for *all* clients (users and machine).

>
> Thanks,
No Problem.
 
On Jul 7, 9:38?pm, Brian Komar <bkom...@identit.nospam.ca> wrote:
> Answers inline...
>
> On Sat, 07 Jul 2007 15:29:26 -0700, ritchie1...@gmail.com wrote:
> > Hello,
>
> > I recently installed a certification authority (windows server 2003 R2
> > SP2) consisting of a standalonerootcaand one enterprise subordinate
> > issuingca.
>
> > I installed therootcawith a private/public key length of RSA 4096
> > bits and would like to change it to RSA 2048 bits.
>
> > I understand that I could change it by changing the value in the
> > CAPolicy.inf RenewalKeyLength=2048 (from 4096) and performing a
> >renewaltherootca.
>
> Yes, this is the *only* way to do it, short of reinstalling the entireCA
> hierarchy (newrootCA, and new issuingCA).
>
> > I would like to know if this can be achieved by renewing therootca
> > with the same key, or do I have to choose a new key.
>
> OK.... Think about this one carefully. You want to change to a 2048 bit
> key... And you want to use the same 4096 bit key to accomplish this... And
> this will work because....
> Seriously, the answer is no. You cannot create a 2048 bit key out of an
> existing 4096 bit key.
>
>
>
> > Secondly, if I need to choose a new key, do I have to renew my issuing
> > certification authority and request a new certificate from theroot.
>
> If you are doing this because certain apps are failing due to inability to
> recognize the 4096 bitrootCA(Java, Cisco VPN 3000, Nortel Contivity are
> common culprits), you will have to renew the issuingCAcertificate, and
> then request new certificates for *all* clients (users and machine).
>
>
>
> > Thanks,
>
> No Problem.

Thank you for your response,

I have another question regarding the renewal at the Issuing CA. I
expect to keep the key length the same at the issuing ca.

Do I need to generate a new public and private key pair, or can I
reuse the current public and private key pair?

Thank you,
 
On Mon, 09 Jul 2007 06:58:19 -0700, ritchie1230@gmail.com wrote:

> On Jul 7, 9:38?pm, Brian Komar <bkom...@identit.nospam.ca> wrote:
>> Answers inline...
>>
>> On Sat, 07 Jul 2007 15:29:26 -0700, ritchie1...@gmail.com wrote:
>>> Hello,
>>
>>> I recently installed a certification authority (windows server 2003 R2
>>> SP2) consisting of a standalonerootcaand one enterprise subordinate
>>> issuingca.
>>
>>> I installed therootcawith a private/public key length of RSA 4096
>>> bits and would like to change it to RSA 2048 bits.
>>
>>> I understand that I could change it by changing the value in the
>>> CAPolicy.inf RenewalKeyLength=2048 (from 4096) and performing a
>>>renewaltherootca.
>>
>> Yes, this is the *only* way to do it, short of reinstalling the entireCA
>> hierarchy (newrootCA, and new issuingCA).
>>
>>> I would like to know if this can be achieved by renewing therootca
>>> with the same key, or do I have to choose a new key.
>>
>> OK.... Think about this one carefully. You want to change to a 2048 bit
>> key... And you want to use the same 4096 bit key to accomplish this... And
>> this will work because....
>> Seriously, the answer is no. You cannot create a 2048 bit key out of an
>> existing 4096 bit key.
>>
>>
>>
>>> Secondly, if I need to choose a new key, do I have to renew my issuing
>>> certification authority and request a new certificate from theroot.
>>
>> If you are doing this because certain apps are failing due to inability to
>> recognize the 4096 bitrootCA(Java, Cisco VPN 3000, Nortel Contivity are
>> common culprits), you will have to renew the issuingCAcertificate, and
>> then request new certificates for *all* clients (users and machine).
>>
>>
>>
>>> Thanks,
>>
>> No Problem.
>
> Thank you for your response,
>
> I have another question regarding the renewal at the Issuing CA. I
> expect to keep the key length the same at the issuing ca.
>
> Do I need to generate a new public and private key pair, or can I
> reuse the current public and private key pair?
>
> Thank you,

You can re-use the key pair in this case.
Brian
 
On Jul 9, 11:42?am, Brian Komar <bkom...@identit.nospam.ca> wrote:
> On Mon, 09 Jul 2007 06:58:19 -0700, ritchie1...@gmail.com wrote:
> > On Jul 7, 9:38?pm, Brian Komar <bkom...@identit.nospam.ca> wrote:
> >> Answers inline...
>
> >> On Sat, 07 Jul 2007 15:29:26 -0700, ritchie1...@gmail.com wrote:
> >>> Hello,
>
> >>> I recently installed a certification authority (windows server 2003 R2
> >>> SP2) consisting of a standalonerootcaand one enterprise subordinate
> >>> issuingca.
>
> >>> I installed therootcawith a private/public key length of RSA 4096
> >>> bits and would like to change it to RSA 2048 bits.
>
> >>> I understand that I could change it by changing the value in the
> >>> CAPolicy.infRenewalKeyLength=2048 (from 4096) and performing a
> >>>renewaltherootca.
>
> >> Yes, this is the *only* way to do it, short of reinstalling the entireCA
> >> hierarchy (newrootCA, and new issuingCA).
>
> >>> I would like to know if this can be achieved by renewing therootca
> >>> with the same key, or do I have to choose a new key.
>
> >> OK.... Think about this one carefully. You want to change to a 2048 bit
> >> key... And you want to use the same 4096 bit key to accomplish this... And
> >> this will work because....
> >> Seriously, the answer is no. You cannot create a 2048 bit key out of an
> >> existing 4096 bit key.
>
> >>> Secondly, if I need to choose a new key, do I have to renew my issuing
> >>> certification authority and request a new certificate from theroot.
>
> >> If you are doing this because certain apps are failing due to inability to
> >> recognize the 4096 bitrootCA(Java, Cisco VPN 3000, Nortel Contivity are
> >> common culprits), you will have to renew the issuingCAcertificate, and
> >> then request new certificates for *all* clients (users and machine).
>
> >>> Thanks,
>
> >> No Problem.
>
> > Thank you for your response,
>
> > I have another question regarding the renewal at the IssuingCA. I
> > expect to keep the key length the same at the issuingca.
>
> > Do I need to generate a new public and private key pair, or can I
> > reuse the current public and private key pair?
>
> > Thank you,
>
> You can re-use the key pair in this case.
> Brian- Hide quoted text -
>
> - Show quoted text -

Thank you again,

I hope I am not wearing out my welcome with this post,

I ran through the renewal process in our lab without a hitch,

As I am going through the process in production, I go through the
process of renewing the root ca, transfer the updated certificate
file to the subordinate ca, publish it to Active Directory,

publish the CRL to Active Directory,

Copy the updated .crt and crl files to the designated http location.

When I attempt to renew the issuing ca (with a new key pair "same as
in the lab") The process looks ok, the certificate services restart
and generate the following error message

"the system cannot find the path specified 0x80070002 (WIN32:2)

Any ideas on what may be causing this error,

Thanks,
 
On Jul 10, 2:05 pm, ritchie1...@gmail.com wrote:
> On Jul 9, 11:42?am, Brian Komar <bkom...@identit.nospam.ca> wrote:
>
>
>
>
>
> > On Mon, 09 Jul 2007 06:58:19 -0700, ritchie1...@gmail.com wrote:
> > > On Jul 7, 9:38?pm, Brian Komar <bkom...@identit.nospam.ca> wrote:
> > >> Answers inline...
>
> > >> On Sat, 07 Jul 2007 15:29:26 -0700, ritchie1...@gmail.com wrote:
> > >>> Hello,
>
> > >>> I recently installed a certification authority (windows server 2003 R2
> > >>> SP2) consisting of a standalonerootcaand one enterprise subordinate
> > >>> issuingca.
>
> > >>> I installed therootcawith a private/public key length of RSA 4096
> > >>> bits and would like to change it to RSA 2048 bits.
>
> > >>> I understand that I could change it by changing the value in the
> > >>> CAPolicy.infRenewalKeyLength=2048 (from 4096) and performing a
> > >>>renewaltherootca.
>
> > >> Yes, this is the *only* way to do it, short of reinstalling the entireCA
> > >> hierarchy (newrootCA, and new issuingCA).
>
> > >>> I would like to know if this can be achieved by renewing therootca
> > >>> with the same key, or do I have to choose a new key.
>
> > >> OK.... Think about this one carefully. You want to change to a 2048 bit
> > >> key... And you want to use the same 4096 bit key to accomplish this... And
> > >> this will work because....
> > >> Seriously, the answer is no. You cannot create a 2048 bit key out of an
> > >> existing 4096 bit key.
>
> > >>> Secondly, if I need to choose a new key, do I have to renew my issuing
> > >>> certification authority and request a new certificate from theroot.
>
> > >> If you are doing this because certain apps are failing due to inability to
> > >> recognize the 4096 bitrootCA(Java, Cisco VPN 3000, Nortel Contivity are
> > >> common culprits), you will have to renew the issuingCAcertificate, and
> > >> then request new certificates for *all* clients (users and machine).
>
> > >>> Thanks,
>
> > >> No Problem.
>
> > > Thank you for your response,
>
> > > I have another question regarding the renewal at the IssuingCA. I
> > > expect to keep the key length the same at the issuingca.
>
> > > Do I need to generate a new public and private key pair, or can I
> > > reuse the current public and private key pair?
>
> > > Thank you,
>
> > You can re-use the key pair in this case.
> > Brian- Hide quoted text -
>
> > - Show quoted text -
>
> Thank you again,
>
> I hope I am not wearing out my welcome with this post,
>
> I ran through the renewal process in our lab without a hitch,
>
> As I am going through the process in production, I go through the
> process of renewing therootca, transfer the updated certificate
> file to the subordinateca, publish it to Active Directory,
>
> publish the CRL to Active Directory,
>
> Copy the updated .crt and crl files to the designated http location.
>
> When I attempt to renew the issuingca(with a new key pair "same as
> in the lab") The process looks ok, the certificate services restart
> and generate the following error message
>
> "the system cannot find the path specified 0x80070002 (WIN32:2)
>
> Any ideas on what may be causing this error,
>
> Thanks,- Hide quoted text -
>
> - Show quoted text -

Correction:

The error was as follows,

"The system cannot find the path specified. 0x80070003 (WIN32: 3)"

Note: I am using a central website location for http publication, not
the default location on the issuing CA's

Thanks,
 
On Jul 9, 11:42 am, Brian Komar <bkom...@identit.nospam.ca> wrote:
> On Mon, 09 Jul 2007 06:58:19 -0700, ritchie1...@gmail.com wrote:
> > On Jul 7, 9:38?pm, Brian Komar <bkom...@identit.nospam.ca> wrote:
> >> Answers inline...
>
> >> On Sat, 07 Jul 2007 15:29:26 -0700, ritchie1...@gmail.com wrote:
> >>> Hello,
>
> >>> I recently installed a certification authority (windows server 2003 R2
> >>> SP2) consisting of a standalonerootcaand one enterprise subordinate
> >>> issuingca.
>
> >>> I installed therootcawith a private/public key length of RSA 4096
> >>> bits and would like to change it to RSA 2048 bits.
>
> >>> I understand that I could change it by changing the value in the
> >>> CAPolicy.infRenewalKeyLength=2048 (from 4096) and performing a
> >>>renewaltherootca.
>
> >> Yes, this is the *only* way to do it, short of reinstalling the entireCA
> >> hierarchy (newrootCA, and new issuingCA).
>
> >>> I would like to know if this can be achieved by renewing therootca
> >>> with the same key, or do I have to choose a new key.
>
> >> OK.... Think about this one carefully. You want to change to a 2048 bit
> >> key... And you want to use the same 4096 bit key to accomplish this... And
> >> this will work because....
> >> Seriously, the answer is no. You cannot create a 2048 bit key out of an
> >> existing 4096 bit key.
>
> >>> Secondly, if I need to choose a new key, do I have to renew my issuing
> >>> certification authority and request a new certificate from theroot.
>
> >> If you are doing this because certain apps are failing due to inability to
> >> recognize the 4096 bitrootCA(Java, Cisco VPN 3000, Nortel Contivity are
> >> common culprits), you will have to renew the issuingCAcertificate, and
> >> then request new certificates for *all* clients (users and machine).
>
> >>> Thanks,
>
> >> No Problem.
>
> > Thank you for your response,
>
> > I have another question regarding the renewal at the Issuing CA. I
> > expect to keep the key length the same at the issuing ca.
>
> > Do I need to generate a new public and private key pair, or can I
> > reuse the current public and private key pair?
>
> > Thank you,
>
> You can re-use the key pair in this case.
> Brian- Hide quoted text -
>
> - Show quoted text -

Hello,

I found the solution to this issue,

When I installed the issuing ca(s), at the point where you are
prompted to save the request to file (it defaults to C:\issuing ca-
name.req). Instead, I was saving it to a removable media drive
location.

When I went to renew, that location was not available.

There is a reference in the Microsoft Certificate Services build guide
pg 55. that Notes that during this step: do not save the file to
removable media because it stores this location in the registry. I
don't have the guide on hand, but it gives you the registry path that
is referenced. So if that path is not available at renewal time, the
renewal will fail with the error I received above.

This is the system path it could not find.

Thanks again,
 

Similar threads

AWS
Experience with Apple Business Manager Implementation
Replies
0
Views
214
AWS
AWS
AWS
How to restore backups from Amazon S3 to Azure SQL Managed Instance
Replies
0
Views
179
AWS
AWS
AWS
Bringing OpenAI into an Outlook add-in: a business mail generator
Replies
0
Views
379
AWS
AWS
AWS
September 2023 - Microsoft 365 US Public Sector Roadmap Newsletter
Replies
0
Views
167
AWS
AWS
AWS
Hive ransomware gets upgrades in Rust
Replies
0
Views
234
AWS
AWS
Back
Top