When a certificate authority expires, is it gone for good? Is there a way to renew it? Or should I just generate a new certificate? I don't really want to make a new one because this certificate authority is already trusted by many of our customers. I'm dealing with a legacy mess and just discovered that our CA is expiring in 2015.
Thanks!
In the Certificate Authority MMC snap-in (certsrv.msc), if you right-click the server object, under "All Tasks" there's an option to renew the certificate.
Edit: Definitely just realized that you didn't specify which type of CA. Clearly, I've just been dealing with too much Windows today. If needed (or for completeness, if not), here's the procedure via OpenSSL:
openssl req -new -key oldrootca.key -out newcsr.csr
openssl x509 -req -days 3650 -in newcsr.csr -signkey oldrootca.key -out newcrt.crt
Many well-known trusted root CA's have expirys of 20 or 30 years or longer. The trend is to stand up subordinate CA's below these, which operate under the trust of the root CA. The root CA can be taken offline and not used for any end-user certs. If a subordinate CA is compromised, it can be replaced without affecting the trusted root CA certificate.
The other aspect of this is that in an optimistic scenario, there should be some automated way of managing and replacing certificates prior to expiration. There are commercial applications for this, and some people develop their own. Without this, the process has a high level of administrative effort, and is prone to errors. A component of a business could shutdown if a certificate expires before it is replaced.
You can renew a root CA, but if the clients don't have an orderly way to update this certificate, there could be issues. If you create a new root CA, you could perform this transition independent of the existing root CA certificate without impacting existing operations.
