Decommission AD Certificate Services Intermediate CA Server without revoking active certificates

Dane Briggs 271 Reputation points
2025-02-10T18:48:15.7133333+00:00

I have a 2016 Active Directory Certificate Services Intermediate CA server that has been replaced with a Server 2022 server. I have a handful of active certificates that still remain on the old Intermediate CA with a 10 year expiration date (the new Intermediate CA server does not have a certificate template with that long of a validity period). I know the best practice is that all active certificates be revoked prior to decommissioning; however, I don't want to revoke the certs due to the high risk of affecting production, being that they are on legacy systems. I would rather issue new certs when the server/appliance is replaced than issue a new certificate.

I would change the CRL Publication Date to one day past the lifetime of the last cert to expire and then proceed with decommissioning the Intermediate CA server.

What happens to the active certs if I decommission the Intermediate CA server without revoking the remaining active certs? Will the certs still work since the Root server is still active and the Intermediate CA server certificate has not been revoked from the root?


Accepted answer
  1. Marcin Policht 35,360 Reputation points MVP
    2025-02-10T20:38:02.9066667+00:00

    Yes, the certificates issued by the old Intermediate CA will continue to work as long as:

    1. The Root CA is still active – Since the Intermediate CA’s certificate is issued by the Root CA and remains valid, the issued end-entity certificates are still trusted.
    2. The CRL (Certificate Revocation List) remains accessible – If the CRL URL of the old Intermediate CA remains reachable and does not list the certificates as revoked, they will not be considered revoked.
    3. No changes to trust chains occur – If the Root CA’s trust chain remains intact and the old Intermediate CA’s certificate is not revoked from the Root CA, clients will still trust certificates issued by it.

    What happens if you decommission the intermediate CA?

    • Certificates continue to work: As long as the Intermediate CA’s certificate remains valid and the CRL is available, the issued certificates will still be trusted by clients.
    • CRL becomes stale over time: If clients check the CRL and see that it is outdated (expired beyond its next update date), they may reject the certificate depending on their revocation checking settings.
    • OCSP (if configured) will stop working: If you used Online Certificate Status Protocol (OCSP) for revocation checking, it will no longer be able to provide status updates for certificates issued by the old Intermediate CA.

    Your approach (extending CRL publication date)

    If you extend the CRL publication date beyond the expiration of the last issued certificate, it should prevent issues with stale revocation lists. However, you’ll need to ensure that:

    • The CRL file remains accessible at the published location.
    • Clients do not attempt to contact the decommissioned CA for status checks.

    In addition, keep in mind that you cannot extend the CRL publication date beyond the validity period of the CA certificate itself. The maximum CRL publication period is limited by the expiration date of the Intermediate CA certificate.

    Instead of fully decommissioning the Intermediate CA, you can:

    • Disable Certificate Issuance: Stop issuing new certificates but keep the CA running in a minimal state to maintain CRL updates.
    • Migrate the CRL to Another Web Server: Publish the final CRL to an accessible web location so that clients can still retrieve revocation status without requiring the Intermediate CA to be online.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

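As an added example (not part of the question or the accepted answer), the following PowerShell sequence carries out what the answer describes on the old Intermediate CA: size the CRL period to outlast the last issued certificate, check it against the CA certificate's own expiry, publish a final CRL, and confirm the CRL's NextUpdate and its reachability at the CDP. The CRL file path, CDP URL, export path, and the certutil output labels it parses ("Certificate Expiration Date:", "NextUpdate:") are assumptions; adjust them for your environment.

```powershell
# Added example, not from the original post. Run as a CA administrator on the
# old Intermediate CA before it is shut down (the CA key must sign the final CRL).
$CrlFile  = "C:\Windows\System32\CertSrv\CertEnroll\OLD-ICA.crl"  # placeholder local CRL path
$CdpUrl   = "http://pki.example.com/CertEnroll/OLD-ICA.crl"       # placeholder HTTP CDP
$CaCerOut = "$env:TEMP\old-ica.cer"                               # placeholder export path

# 1. Latest NotAfter among issued certificates (Disposition 20 = issued).
#    Assumed certutil label for the NotAfter column: "Certificate Expiration Date:".
$lastExpiry = certutil -view -restrict "Disposition=20" -out "NotAfter" |
    ForEach-Object { if ($_ -match 'Expiration Date:\s*(.+)$') { [datetime]::Parse($Matches[1]) } } |
    Sort-Object | Select-Object -Last 1
$target = $lastExpiry.AddDays(1)   # one day past the last certificate, as in the question

# 2. The CA certificate caps how far NextUpdate can reach; warn if the target exceeds it.
certutil -ca.cert $CaCerOut | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCerOut
if ($target -gt $caCert.NotAfter) {
    Write-Warning "Target $target is after CA cert expiry $($caCert.NotAfter); ADCS will cap NextUpdate there."
}

# 3. Set the base CRL period in whole years covering the target, disable delta CRLs,
#    restart the service so the registry change takes effect, and publish a final CRL.
$years = [math]::Ceiling(($target - (Get-Date)).TotalDays / 365)
certutil -setreg CA\CRLPeriodUnits $years       | Out-Null
certutil -setreg CA\CRLPeriod "Years"           | Out-Null
certutil -setreg CA\CRLDeltaPeriodUnits 0       | Out-Null   # no delta CRLs once the CA is gone
Restart-Service certsvc
certutil -crl | Out-Null

# 4. Verify the published CRL's NextUpdate covers the last certificate.
#    Assumed certutil -dump label: "NextUpdate:".
$nextUpdate = certutil -dump $CrlFile |
    ForEach-Object { if ($_ -match 'NextUpdate:\s*(.+)$') { [datetime]::Parse($Matches[1]) } } |
    Select-Object -First 1
if ($nextUpdate -lt $lastExpiry) {
    throw "CRL NextUpdate $nextUpdate is before last certificate expiry $lastExpiry"
}

# 5. Confirm the CDP serves the same CRL bytes clients will fetch (copy it to the web host first).
$remote = (Invoke-WebRequest -Uri $CdpUrl -UseBasicParsing).Content
$localHash  = (Get-FileHash -Path $CrlFile -Algorithm SHA256).Hash
$remoteHash = (Get-FileHash -InputStream ([System.IO.MemoryStream]::new($remote)) -Algorithm SHA256).Hash
if ($localHash -ne $remoteHash) { throw "CRL at $CdpUrl does not match the freshly published CRL" }
"Final CRL valid until $nextUpdate, covers last cert expiry $lastExpiry, reachable at $CdpUrl"
```

Keep the old CA's CRL Distribution Point URL unchanged and hosted on a web server that will outlive the CA; revocation checking on clients compares that URL, not the CA hostname, so the CA itself can then be powered off.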
