Hi, our root and issuing CAs need renewing because the lifetime is being reduced.
The current offline root CA is based on Windows 2003, which does not support SHA-2. So I had a clever idea to set up a new root (Windows 2019).
I have done so now and published the new root certificate and CRL in the domain.
However, I am very uncertain what will happen now if I choose to renew the publishing CA (intermediate) with the new root. I am not going to revoke any older root or intermediate since they have not been compromised.
We rely on device certificates that have been issued with the older root.
In the NPS, when it renews the RAS certificate, it will not be the same chain, for example?
A little guidance here would be very much appreciated.