MORE INFORMATION

Renewing a CA certificate in Windows 2000 is essentially the same as installing a new CA certificate. When you renew a CA certificate, you must distribute the new CA certificate to all domain clients so that they can establish a trust with the new CA certificate. Also, any servers that previously enrolled with the original CA certificate, such as Web servers, need to be updated to trust the new CA certificate.

You may renew a CA certificate by using either the same key pair, or a newly generated key pair. In either case, the CA certificate must be distributed to and trusted by all clients and servers that are end entities of the CA certificate, even if the CA certificate name and key pair do not change during renewal.

NOTE: An exception to this rule is if the CA certificate was originally configured to not include the issuer and serial number in the Authority Key Identifier (AKI) extension of the certificates it has issued. Because this is not the default configuration for the CA certificate, it is not likely that the administrator has set up the CA certificate to not include issuer and serial number in the AKI.

For additional information about digital certificates, click the article numbers below to view the articles in the Microsoft Knowledge Base: