Microsoft KB Archive/246242

Information About Renewing a Certification Authority Certificate in Windows 2000

Article ID: 246242

Article Last Modified on 10/26/2007


  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q246242


This article provides information about renewing a Certification Authority (CA) certificate in Windows 2000.


Renewing a CA certificate in Windows 2000 is essentially the same as installing a new CA certificate. When you renew a CA certificate, you must distribute the new CA certificate to all domain clients so that they can establish a trust with the new CA certificate. Also, any servers that previously enrolled with the original CA certificate, such as Web servers, need to be updated to trust the new CA certificate.

You may renew a CA certificate by using either the same key pair, or a newly generated key pair. In either case, the CA certificate must be distributed to and trusted by all clients and servers that are end entities of the CA certificate, even if the CA certificate name and key pair do not change during renewal.

NOTE: An exception to this rule is when the CA certificate was originally configured not to include the issuer and serial number in the Authority Key Identifier (AKI) extension of the certificates it has issued. Because this is not the default configuration, it is unlikely that the administrator has set up the CA certificate this way.
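
The following added example (not part of the original Microsoft article) decodes the AKI extension value defined in RFC 5280 and shows why an AKI that carries a serial number ties issued certificates to one specific CA certificate, even when the renewed certificate keeps the same key pair. The matching rule is an assumed strict simplification, not the Windows chain-building logic, and the key identifier, serial numbers and function names are constructed for illustration.

```python
# Added illustration; all byte strings below are constructed sample values.
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_aki(ext_value):
    """Decode AuthorityKeyIdentifier (RFC 5280, section 4.2.1.1)."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("AKI must be a SEQUENCE")
    aki = {"key_id": None, "issuer": None, "serial": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x80:    # [0] keyIdentifier
            aki["key_id"] = value
        elif tag == 0xA1:  # [1] authorityCertIssuer, kept as raw GeneralNames
            aki["issuer"] = value
        elif tag == 0x82:  # [2] authorityCertSerialNumber
            aki["serial"] = int.from_bytes(value, "big")
    return aki

def aki_matches_ca(aki, ca_key_id, ca_serial):
    """Assumed strict rule: each identifier present must equal the CA's.
    The issuer name is not compared in this simplified model."""
    if aki["key_id"] is not None and aki["key_id"] != ca_key_id:
        return False
    return aki["serial"] is None or aki["serial"] == ca_serial

KEY_ID = bytes.fromhex("a1b2c3d4")  # constructed key identifier
# AKI holding only the key identifier
AKI_KEY_ONLY = bytes.fromhex("3006 8004 a1b2c3d4")
# AKI holding key identifier, issuer (CN=CA) and serial number 1
AKI_FULL = bytes.fromhex(
    "301c 8004 a1b2c3d4 a111 a40f 300d 310b 3009 0603550403 0c024341 820101")
ORIGINAL_CA = (KEY_ID, 1)  # original CA certificate: serial 1
RENEWED_CA = (KEY_ID, 2)   # renewed with the same key pair: new serial 2

if __name__ == "__main__":
    for name, raw in (("key-only", AKI_KEY_ONLY), ("full", AKI_FULL)):
        aki = parse_aki(raw)
        print(name, "original:", aki_matches_ca(aki, *ORIGINAL_CA),
              "renewed:", aki_matches_ca(aki, *RENEWED_CA))
```

In this model, only the certificate whose AKI omits the issuer and serial number still matches the renewed CA certificate.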

For additional information about digital certificates, see the following articles in the Microsoft Knowledge Base:

231881 How to Install/Uninstall a Public Key Certificate Authority

195724 Description of Digital Certificates

239706 Default Permission Settings for Enterprise Certificate Authority

Keywords: kbproductlink kbinfo KB246242