Renew CA Root Certificate with New Key and increased key size
I need to renew the CA root certificate of my Windows 2008 Enterprise Certification Authority with a longer key size. I have modified the capolicy.inf file. The plan is to renew the certificate with a new key pair. Then the domain controllers should automatically renew their certificates and I will re-enroll certificate holders for the other certificate templates. I am still a little unsure about the implications.
Is there a period of time between renewing the certificate and re-enrolling some of the server certificates, like the ones used by our RADIUS (NPS) servers for PEAP authentication? Do I need to wait long enough for the new certificate to be pushed out via group policy?
What about clients that connect very infrequently or only via VPN? When they finally do come onsite after a couple of months, aren't they going to have a problem authenticating because they won't trust the new CA cert yet, which means they also won't trust the new certificate used by the RADIUS/NPS server during PEAP authentication, right?
Also, any risk of domain authentication issues, LDAP over SSL, since the DCs will probably renew their certificates much quicker than the clients? Isn't their refresh interval 5 minutes vs. 90 minutes for clients?
September 27th, 2012 12:00pm
> Then the domain controllers should automatically renew their certificates and I will re-enroll certificate holders for the other certificate templates.
These certificates will be renewed only when the existing CA certificate expires.
> Do I need to wait long enough for the new certificate to be pushed out via group policy?
Up to 1.5 hours.
> When they finally do come onsite after a couple months aren't they going to have a problem authenticating because they wont trust the new CA cert yet which means they also won't trust the new certificate used by the RADIUS/NPS Server during PEAP authentication, right?
You should update these clients with the new CA certificate. Otherwise, the VPN connection will fail, because the new root CA certificate is not trusted yet.
> Also any risk of domain authentication issues, LDAP over SSL, since the DCs will probably renew their certificates much quicker than the clients? Isn't their refresh interval 5 minutes vs. 90 minutes for clients?
You should wait about 1.5 hours after CA certificate renewal and then issue the new certificate.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
September 27th, 2012 2:50pm
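The answer above says clients must receive the renewed root CA certificate (via Group Policy, within about 1.5 hours for machines that are online) before server certificates issued under the new key are re-issued, otherwise PEAP/VPN authentication fails against an untrusted chain. The script below is an added example, not from the thread or the PSPKI module: run on a client or NPS server, it checks whether the renewed root is present in the machine's Trusted Root store and then builds the chain for every certificate in the machine's personal store, reporting which ones already chain to the new root. The thumbprint value is a placeholder to be replaced with the renewed root CA's thumbprint; the `gpupdate /force` and `certutil -pulse` commands named in the warning are standard Windows commands that refresh policy and trigger autoenrollment.

```powershell
# Added example (not from the thread): verify that this machine trusts the renewed
# root CA before re-enrolling server certificates such as the NPS/PEAP certificate.
param(
    # Placeholder: substitute the SHA-1 thumbprint of the renewed root CA certificate.
    [string]$NewRootThumbprint = 'REPLACE_WITH_NEW_ROOT_CA_THUMBPRINT'
)

$wanted = $NewRootThumbprint.ToUpper() -replace '\s', ''

# 1. Is the renewed root already in LocalMachine\Root (pushed by Group Policy)?
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $wanted }

if (-not $root) {
    Write-Warning ("Renewed root CA not yet in LocalMachine\Root. " +
        "Run 'gpupdate /force' and 'certutil -pulse', or wait for the next policy refresh.")
} else {
    Write-Output "Renewed root CA is trusted: $($root.Subject) (valid until $($root.NotAfter))"
}

# 2. For each machine certificate, build the chain offline (no revocation lookups)
#    and report whether it terminates at the renewed root.
$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust-path check only
    $valid = $chain.Build($cert)

    # ChainElements[0] is the leaf; the last element is the root the chain ended at.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        ChainValid   = $valid
        UnderNewRoot = ($top.Thumbprint -eq $wanted)
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$results | Format-Table -AutoSize
```

A certificate that shows `ChainValid = False` with `UntrustedRoot` in `ChainStatus` is exactly the state the thread warns about for infrequently connected clients: the server side has already re-enrolled under the new key, but this machine has not yet received the renewed root, so the NPS certificate presented during PEAP will be rejected until the root is delivered.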
Hi,
As this thread has been quiet for a while, we will mark it as Answered as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Best Regards
Kevin
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
September 30th, 2012 10:21pm