In this article I will discuss Root CA certificate renewal with new and existing key pairs. First, we discuss CA certificate renewal with the existing key pair. When you renew a CA certificate with the existing key pair, nothing important in the certificate changes. The certificate will be bound to the same public and private key. As a result, all previously issued certificates will chain up to You just replace the old CRT file in the AIA download locations.

In addition, the new CA certificate's ValidFrom (NotBefore) field will contain the value when the existing CA key pair was generated. When you renew a CA certificate with the existing key pair, the new certificate will have the following values: ValidFrom (NotBefore) and ValidTo (NotAfter). In other words, this renewal just extends the current CA certificate's validity period.

The renewal also adds a new extension, Previous CA certificate hash, which will contain the previous certificate's Thumbprint extension value, and changes another extension: CA Version. Let's take a look at the CA Version extension. The CA Version extension allows clients to build correct chains when a particular CA has more than one certificate.

This extension consists of two values: CA Certificate Index and CA Key Index. These values are separated by a dot, for example: 0.0, 2.1, 3.3, etc. Each time you renew the CA certificate (regardless of whether you use the existing or a new key pair), the CA Certificate Index is increased by 1: 0.0, 1.0, 2.0, etc. Since the key pair remains the same, the CA Key Index value is not changed. In that case the CA will maintain the same CRLs, and clients will be able to chain both previously issued certificates (prior to the CA certificate renewal) and newly issued certificates (after the CA certificate renewal) up to the new CA certificate. This is because all these client certificates were signed by the same CA signing key, and both CA certificates produce the same signature for identical data.
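
The CA Version bookkeeping described above can be followed across a series of renewals with the sketch below. It is an added example, not code from the original article. It assumes the extension value is a DER INTEGER with the CA Certificate Index in the low 16 bits and the CA Key Index in the high 16 bits, and that a renewal with a new key pair sets the key index to the new certificate index; the function names and sample values are constructed for illustration.

```python
# Added example: CA Version bookkeeping across CA certificate renewals.
# Assumption (not stated on the page): the extension value is a DER INTEGER
# whose low 16 bits are the CA Certificate Index and high 16 bits the CA Key Index.
from collections import defaultdict


def decode_ca_version(der: bytes) -> tuple[int, int]:
    """Return (cert_index, key_index) from the DER-encoded extension value."""
    if len(der) < 3 or der[0] != 0x02 or der[1] != len(der) - 2 or der[1] > 5:
        raise ValueError("expected a short DER INTEGER")
    value = int.from_bytes(der[2:], "big", signed=True)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("CA Version out of range")
    return value & 0xFFFF, value >> 16


def encode_ca_version(cert_index: int, key_index: int) -> bytes:
    """Inverse of decode_ca_version, using minimal DER INTEGER encoding."""
    value = (key_index << 16) | cert_index
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return bytes([0x02, len(body)]) + body


def renew(history: list[tuple[int, int]], new_key: bool) -> list[tuple[int, int]]:
    """Append the CA Version the next renewal produces.

    The certificate index always grows by 1. The key index is kept when the
    key pair is reused; with a new key pair it is assumed to take the new
    certificate index (consistent with the page's 2.1 and 3.3 examples).
    """
    cert_index = history[-1][0] + 1
    key_index = cert_index if new_key else history[-1][1]
    return history + [(cert_index, key_index)]


def group_by_key(history: list[tuple[int, int]]) -> dict[int, list[str]]:
    """CA certificates sharing a key index validate the same issued
    certificates and CRLs, because the signing key is the same."""
    groups: dict[int, list[str]] = defaultdict(list)
    for cert_index, key_index in history:
        groups[key_index].append(f"{cert_index}.{key_index}")
    return dict(groups)


if __name__ == "__main__":
    history = [(0, 0)]                       # constructed renewal history
    for new_key in (True, False, True):      # new key, reuse key, new key
        history = renew(history, new_key)
    print(group_by_key(history))             # which CA certs share a signing key
    print(decode_ca_version(bytes.fromhex("0203010002")))  # constructed value
```

Certificates grouped under the same key index are the ones that can be swapped in the AIA location without breaking chains for certificates issued under that key.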