Offline ROOT CA - Can I simply roll out a new one to use for Subordinate request signing?

Heath Durrett 486 Reputation points
2020-08-25T12:06:13.59+00:00

Hi All,

After running low on resources in one of our VM environments a script was run to identify all offline VMs and delete them. This deleted my "Offline ROOT CA" servers in that environment.

My basic understanding of the two tier online / offline model is that this is not really a problem at all until it comes time to re-issue my "Online Subordinate CA" certificate...which is still 4Yrs 9Mnths away.

My question is this...when that time comes...

Can I simply roll out a new VM with the same name, IP Address and CDP / AIA configuration and carry on as though nothing happened?

Create a new REQ file on the Online Subordinate, Issue it that REQ on the rebuilt Offline ROOT, complete the REQ on the Online Subordinate and carry on as though nothing has happened?

What happens to the CRL in terms of the expired ROOT CA cert?

Can I simply script the deletion of that expired ROOT CA cert on my servers and carry on - business as usual?

Thanks in advance,
durrie.


1 answer

  1. Vadims Podāns 9,116 Reputation points MVP
    2020-08-25T12:32:38.573+00:00

    Can I simply roll out a new VM with the same name, IP Address and CDP / AIA configuration and carry on as though nothing happened?

    This property matching is not necessary, since they won't replace the dead root CA. Essentially, you have to rebuild a new root CA, deploy it to all clients and then renew the issuing CA certificate.

    Create a new REQ file on the Online Subordinate, Issue it that REQ on the rebuilt Offline ROOT, complete the REQ on the Online Subordinate and carry on as though nothing has happened?

    This is the way to go. However, at some point, the issuing CA will notice that one of its previous certificates cannot be validated because of an expired CRL. You can't renew the CRL for a deleted CA. But you don't need to rebuild the issuing CA completely, just renew its certificate. I would suggest renewing all client certificates after renewing the issuing CA, so all active and in-use certificates chain up to the new and existing root CA.

    Can I simply script the deletion of that expired ROOT CA cert on my servers and carry on - business as usual?

    Yes. But you do that only when the new offline Root CA is completely deployed.

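The "only remove the old root once the new one is fully deployed" gate from the answer above, as an added example that is not code from this thread: it reports which certificates on a host still chain to the deleted root, confirms the rebuilt root is present, and only then offers to remove the old root. The two thumbprints are placeholders you substitute with your own values.

```powershell
# Added example, not from the original thread. Thumbprints below are placeholders.
$OldRootThumbprint = 'OLDROOT0000000000000000000000000000000000'   # deleted root CA cert
$NewRootThumbprint = 'NEWROOT0000000000000000000000000000000000'   # rebuilt root CA cert

function Get-CertsChainingToRoot {
    # Return every certificate in $StorePath whose chain terminates at $RootThumbprint.
    param([string]$StorePath, [string]$RootThumbprint)
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # The old root's CRL can no longer be refreshed, so revocation checks would fail
        # for the wrong reason; we only want to know which root each chain lands on.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chain.ChainPolicy.VerificationFlags =
            [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        [void]$chain.Build($cert)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($top.Thumbprint -eq $RootThumbprint) { $cert }
        $chain.Dispose()
    }
}

# 1. Is the rebuilt root already trusted on this machine?
$newRootDeployed = Test-Path -Path "Cert:\LocalMachine\Root\$NewRootThumbprint"

# 2. Which in-use certificates (machine personal store) still chain to the deleted root?
$stillOnOldRoot = @(Get-CertsChainingToRoot -StorePath 'Cert:\LocalMachine\My' `
                                            -RootThumbprint $OldRootThumbprint)

if (-not $newRootDeployed) {
    Write-Warning 'New root CA is not in LocalMachine\Root yet; do not remove the old root.'
}
elseif ($stillOnOldRoot.Count -gt 0) {
    Write-Warning "$($stillOnOldRoot.Count) certificate(s) still chain to the old root; renew them first:"
    $stillOnOldRoot | Format-Table Subject, NotAfter, Thumbprint -AutoSize
}
else {
    # Both conditions hold: new root trusted, nothing in use depends on the old one.
    # -WhatIf shows the action; drop it once the report looks right.
    Remove-Item -Path "Cert:\LocalMachine\Root\$OldRootThumbprint" -WhatIf
}
```

Run it per host (or via remoting) before scripting the old root's removal fleet-wide; the report of certificates still chaining to the old root is the renewal to-do list the answer recommends.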