effects on renewing CA root certificate
Hi,
My CA on Windows Server 2003 Standard Edition SP1 (yes, SP1, there is a reason it's still on SP1) is expiring very soon. I'd like to renew with the same key pair to extend the validity of the root CA certificate. However, I've been looking through documents but am not sure of the effects of such a CA renewal. I suppose after CA certificate renewal, I must renew all Exchange 2003 and 2007 OWA certificates since they expire as well.
- What about users who use EFS? Will they still be able to use EFS fine w/o further intervention?
- What will happen to the certificate on DCs? I see there is a certificate on DC but will it renew automatically?
- Because we run on 2003 Server, we should not have an Auto Enrollment issue to watch out for.
- Is there a way to automatically populate the new CA certificate? I used to ask each user to click on the root CA certificate PEM file on my intranet to install it but I am hoping there is a simple way to populate it to all Windows (mostly XP) clients.
My goal is to find out what may break after renewing with the same key pair so I can prevent them from happening.
Please advise. Thank you!
January 12th, 2011 8:26pm
> What about users who use EFS? Will they still be able to use EFS fine w/o further intervention?
Yes, they will be able to decrypt files using their existing certificates. But they will have to renew expired EFS certs to encrypt new files.
> What will happen to the certificate on DCs? I see there is a certificate on DC but will it renew automatically?
Since your CA server runs on Windows Server 2003 Standard Edition, you cannot use autoenrollment. However, you can use Automatic Certificate Requests for automatic computer certificate request and renewal. Assign the Domain Controllers template to this policy.
> Is there a way to automatically populate the new CA certificate?
If they are members of the same AD forest, the CA will automatically publish the new certificate to AD and AD forest clients will automatically trust it. If clients are not AD forest members (workgroup) you will have to manually import the certificate to the Trusted Root CAs container (the store name comes before the file name):
certutil -addstore Root RootCAFileName.cer
In addition you can check my blog article:
Root CA certificate renewal
http://en-us.sysadmins.lv
January 13th, 2011 6:45am
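As an added illustration of the same-key renewal point in the answer above (this is not code from the thread or from the linked blog), the following Go program issues a user certificate under a root that has since expired, then checks which replacement root still validates it: the root renewed with the same key pair does, a re-keyed root does not. CA name, user name, serials and validity windows are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSignedRoot returns a self-signed CA certificate for key valid over [from, to]; serial distinguishes renewals.
func selfSignedRoot(serial int64, from, to time.Time, key *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, &key.PublicKey, key)
}

// sign issues tmpl for pub under parent (self-signed when parent == tmpl) and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, so parsing cannot fail
	return cert
}

// chainsTo returns nil when leaf validates against a trust store holding only root.
func chainsTo(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// RenewalOutcomes issues a user (EFS-style) certificate under an already-expired root and validates it against
// that expired root, a root renewed with the same key pair, and a re-keyed root. A nil error means the chain builds.
func RenewalOutcomes() (expiredErr, sameKeyErr, rekeyErr error) {
	now, year := time.Now(), 365*24*time.Hour
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	oldRoot := selfSignedRoot(1, now.Add(-2*year), now.Add(-time.Hour), caKey) // validity already ended
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-year), NotAfter: now.Add(year), KeyUsage: x509.KeyUsageKeyEncipherment}
	user := sign(userTmpl, oldRoot, &userKey.PublicKey, caKey) // issued while the old root was current
	renewed := selfSignedRoot(2, now.Add(-time.Hour), now.Add(10*year), caKey) // same key pair, new validity window
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rekeyed := selfSignedRoot(3, now.Add(-time.Hour), now.Add(10*year), newKey) // new key pair: old signatures fail
	return chainsTo(user, oldRoot), chainsTo(user, renewed), chainsTo(user, rekeyed)
}
```

The second outcome is why existing EFS certificates keep working after a same-key renewal: the signature on each issued certificate is still verifiable with the CA's unchanged public key, while the expired and re-keyed roots both leave the user certificate untrusted.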


