What to Do About Our Expiring Domain Root CA?

Asked By TechieWizard123

Hey everyone! I'm in a bit of a bind here. Our enterprise's domain root CA is set to expire on 6/18, and I just renewed it. Now I see both the old (#0) and new (#1) certificates listed, and I've added the new one to our Default Domain Policy for distribution.

We also have machine certificates for our remote VPN users (who connect using Cisco AnyConnect) that are currently using the old root certificate. I'm really hoping to prevent 100 users from flooding the helpdesk crying that they can't connect once the old certificate expires. What do you guys think? Any advice or insights would be super helpful! Thanks!

3 Answers

Answered By ELI5Specialist

So here's the deal: the root CA is like the foundation of a building. If it expires, everything above it fails too. You have a new root CA now which is essentially a new foundation. You need to also create new issuing CAs (like building new rooms) and then move the existing machine certificates to this new setup before they expire. Keeping the same private key helps, but you should manually verify everything works as the system may not always handle it correctly on its own.

CuriousLearner47 -

I love the ELI5! I simply renewed the domain certificate and now have both certificates in the chain. Since I kept the same private key, I’m hoping it will work smoothly. The machine certificates are distributed automatically via GPO, so they should get out there in time.

Answered By CertMaster89

To avoid any issues, make sure you trust both the old and new root certificates on the Cisco AnyConnect until the 18th. Also, ensure that user machines trust both, and push the new certs before it expires!

Answered By VPRGuru

If your root certificate expires soon, check if all your machine certificates share the same expiration date. If they do, you could face major issues since they can't be valid beyond the CA's validity. The ASA/Firepower might start rejecting all VPN certs unless you issue new machine certs from the new root CA before expiration. Be prepared to deploy new certs to your machines if needed!

QuickFixIT -

Thankfully, this is the only cert issued, and it's our Root-CA for the Domain. We're currently testing if users will need to select the new certificate when prompted, but in our tests, the new cert seems to take over the old one just fine.
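The two checks the answers above ask for (ELI5Specialist's "manually verify everything works" and VPRGuru's "check if all your machine certificates share the same expiration date") can be scripted on a test VPN client. The script below is an added example and is not code posted by anyone in this thread. It assumes the renewed root (#1) has already reached the machine's Trusted Root store via the GPO, that both root certs carry the same Subject name, and that the CA's subject is the hypothetical `CN=Contoso-Root-CA, DC=contoso, DC=local`; substitute your own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): audit a machine's certificates against the
# old (#0) and renewed (#1) domain root CA before the old root expires.
# Assumption: both roots share this Subject and sit in LocalMachine\Root.
$RootSubject = 'CN=Contoso-Root-CA, DC=contoso, DC=local'   # hypothetical CA name

$roots = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $RootSubject } |
    Sort-Object NotAfter)
if ($roots.Count -lt 2) {
    throw "Expected old and new root for '$RootSubject' in LocalMachine\Root, found $($roots.Count)"
}
$oldRoot = $roots[0]    # earliest NotAfter = the expiring #0 cert
$newRoot = $roots[-1]   # latest NotAfter  = the renewed #1 cert

# Subject Key Identifier (OID 2.5.29.14). A CA renewed with the same key pair keeps
# the same SKI, which is what lets certs issued under #0 chain to #1 unchanged.
function Get-Ski([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }).SubjectKeyIdentifier
}
$sameKey = (Get-Ski $oldRoot) -eq (Get-Ski $newRoot)
"Old root : $($oldRoot.Thumbprint) expires $($oldRoot.NotAfter)"
"New root : $($newRoot.Thumbprint) expires $($newRoot.NotAfter)"
"Renewed with same key: $sameKey"

# For every machine cert issued by this CA, let CryptoAPI build the chain and report
# which root it lands on, whether the chain is valid, and whether the leaf itself
# outlives the old root. AD CS caps an issued cert's NotAfter at the CA's own
# NotAfter, so a leaf that expires with #0 must be re-enrolled regardless of trust.
$report = foreach ($leaf in Get-ChildItem Cert:\LocalMachine\My |
                   Where-Object { $_.Issuer -eq $RootSubject }) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline audit; set to 'Online' for a full check
    $chainOk = $chain.Build($leaf)
    $anchor  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $status  = ($chain.ChainStatus | ForEach-Object Status) -join ','

    $action = if ($leaf.NotAfter -le $oldRoot.NotAfter) { 'Re-enroll before old root expires' }
              elseif (-not $chainOk)                    { "Fix trust: $status" }
              else                                      { 'OK' }

    [pscustomobject]@{
        Subject         = $leaf.Subject
        LeafExpires     = $leaf.NotAfter
        OutlivesOldRoot = $leaf.NotAfter -gt $oldRoot.NotAfter
        ChainsToNewRoot = $anchor.Thumbprint -eq $newRoot.Thumbprint
        ChainValid      = $chainOk
        Action          = $action
    }
    $chain.Reset()
}
$report | Format-Table -AutoSize
```

Any row whose `Action` is not `OK` is a machine that will generate a helpdesk ticket on the 18th. For a single exported certificate, `certutil -verify -urlfetch <file.cer>` gives the same chain and status information without the script. Once the old root has actually expired and every client shows `ChainsToNewRoot` true, the #0 certificate can be removed from the GPO's Trusted Root Certification Authorities list.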
