Renewed my intermediate CA cert but it's still signing with the old one
Posted by Hibbiee@reddit | sysadmin | 2 comments
Context: Windows Active Directory on-prem Root and intermediate CA
After a considerable amount of hoops, I was able to request a new intermediate CA cert, sign it on my root CA, then install it back on the intermediate CA. I now have both certificates showing up on the certificate authority, both thumbprints showing in the registry, and both certificates present in the CertEnroll folder.
No errors when I start the server, and everything seems to be working OK; however, when submitting a new cert for signing, it's still picking the 'old' intermediate cert. The intermediate cert is valid for 2 more years, the new one is valid for 4 more years. I would like to start using the new one, but am at a loss as to what settings to change. Can I safely remove the 'old' cert without breaking the new one? It uses the same private key and I'm not sure how they will behave.
Any advice would be much appreciated. ChatGPT has been trying very hard to help but is dropping the ball more often than not.
Soft-Mode-31@reddit
I believe you have to update the templates to use the new intermediate that you installed. The templates are still set to use the old one.
Hibbiee@reddit (OP)
Turned out to be this:
Removing old certification authority certificates from the configuration of a certification authority - Uwe Gradenegger
What an obscure setting to add, I would expect this procedure to be a bit more straightforward.
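Added example, not part of the thread and not the procedure from the linked article: a PowerShell check, run elevated on the issuing CA, that lists the CA certificate versions the CA service has registered (the CACertHash registry value the OP mentions seeing both thumbprints in), matches them against the machine store, and then works out which of them a given issued certificate actually chains to. The CA name parameter and the exported .cer path are assumptions; the point it demonstrates is the same-key caveat from the OP's question: a renewed CA cert that reuses the key has the same Subject Key Identifier, so the issued cert's AKI KeyID and its signature match both CA certs, and only the issuer serial number inside the AKI (when the CA includes it) pins the certificate to one specific CA cert.

```powershell
# Added example (not from the original thread). Assumptions: run elevated on the
# intermediate (issuing) CA; -CAName is the CA's common name as it appears under
# the CertSvc\Configuration registry key; -IssuedCertPath is a DER/Base64 .cer
# exported from a recently issued certificate.
param(
    [Parameter(Mandatory)] [string] $CAName,
    [string] $IssuedCertPath
)

# 1. CA certificate hashes registered with the CA service. CACertHash is a
#    REG_MULTI_SZ with one entry per CA certificate version (index 0 = original,
#    index 1 = first renewal, and so on).
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
$hashes  = @((Get-ItemProperty -Path $regPath -Name CACertHash).CACertHash |
             ForEach-Object { ($_ -replace ' ', '').ToUpperInvariant() })

# 2. Resolve each hash in the local machine store and show what differs
#    between the versions. With a same-key renewal the KeyId column is
#    identical; only the serial number, thumbprint and validity differ.
$caCerts = @()
for ($i = 0; $i -lt $hashes.Count; $i++) {
    $c = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hashes[$i] }
    if (-not $c) {
        Write-Warning "CACertHash[$i] = $($hashes[$i]) is registered but not in the machine store"
        continue
    }
    $ski = ($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }).Format($false)
    $caCerts += [pscustomobject]@{
        Index      = $i
        Thumbprint = $c.Thumbprint
        Serial     = $c.SerialNumber.ToUpperInvariant()
        NotBefore  = $c.NotBefore
        NotAfter   = $c.NotAfter
        KeyId      = $ski
    }
}
$caCerts | Format-Table -AutoSize

# 3. Which registered CA certificate did a given issued certificate come from?
#    Its AKI KeyID matches every same-key CA cert, and its signature verifies
#    under any of them, so those cannot disambiguate. If the AKI also carries
#    the issuer serial number, that identifies one CA certificate version.
if ($IssuedCertPath) {
    $issued = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($IssuedCertPath)
    $akiExt = $issued.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
    if (-not $akiExt) {
        Write-Host "Issued cert has no Authority Key Identifier; cannot attribute it to a CA cert version."
        return
    }
    $aki = $akiExt.Format($false)
    Write-Host "Issued cert AKI: $aki"

    # Format() renders the serial as space-separated hex bytes (assumed to be in
    # the same byte order as X509Certificate2.SerialNumber).
    if ($aki -match 'SerialNumber=([0-9A-Fa-f ]+)') {
        $issuerSerial = ($Matches[1] -replace ' ', '').ToUpperInvariant()
        $match = $caCerts | Where-Object { $_.Serial -eq $issuerSerial }
        if ($match) {
            Write-Host ("Issued cert was signed under CA certificate index {0} (thumbprint {1}, expires {2})" -f
                $match.Index, $match.Thumbprint, $match.NotAfter)
        } else {
            Write-Warning "AKI issuer serial $issuerSerial matches none of the registered CA certificates"
        }
    } else {
        $byKey = $caCerts | Where-Object { $aki -like "*$($_.KeyId -replace ' ', '')*" -or $aki -like "*$($_.KeyId)*" }
        Write-Host ("AKI carries only a KeyID; it matches {0} CA certificate version(s), so the issued cert " +
                    "cannot be attributed to one version from the certificate alone.") -f @($byKey).Count
    }
}
```

Usage: `.\Check-CACertVersions.ps1 -CAName 'Contoso Issuing CA' -IssuedCertPath .\issued.cer`. If the AKI-only branch is what you get, the question "which CA cert is signing" is answered by the CA's own configuration rather than by anything in the issued certificate, which is why the fix in this thread was a CA-side configuration change rather than a template change.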