Ongoing Maintenance for Offline Root CA and Intermediate CA


Mission Objective
The Mainframe79 control deck is online, tasked with preserving the integrity of your Public Key Infrastructure (PKI) within an existing Windows Server domain. Our mission: outline the essential maintenance steps to keep your Offline Root Certificate Authority (CA) and Intermediate CA operational, including bringing the offline CA online, renewing Certificate Revocation Lists (CRLs), and ensuring long-term reliability. Let’s keep those circuits pulsing!
Gear Check
Before we dive into maintenance, ensure your toolkit is primed:
Offline Root CA VM (e.g., Windows Server 2019 or 2022) in Hyper-V, air-gapped.
Intermediate CA VM (e.g., Windows Server 2022), domain-joined with static IP and DC DNS.
Hyper-V console access, shared virtual drive (e.g., VHDX) for transfers, and admin credentials.
Backup storage (e.g., VHDX snapshot or cloud with lock) and Server Manager.
Domain controller VM with Active Directory operational. All systems green?
Step 1: Bringing the Offline Root CA Online
The Offline Root CA stays powered off to protect the trust anchor, but it must be powered on (still with no network attached) whenever the Intermediate CA certificate needs renewing and, at minimum, whenever the root CRL has to be republished before it expires. Here's the process:
Power Up the VM:
Launch the OFFLINEROOTCA VM in Hyper-V and work only through the Hyper-V console. Confirm from the host that no virtual network adapter is attached (Get-VMNetworkAdapter -VMName OFFLINEROOTCA should return nothing) and, inside the guest, that no adapter shows as Up.
Verify the system boots cleanly and check the clock: an air-gapped VM cannot sync time, and every CRL and certificate produced in this session is stamped with this VM's date.
Sign New Requests or Renewals:
If the Intermediate CA certificate is approaching the end of its validity (for a 5-year certificate, plan the renewal with a few months to spare), generate the renewal on INTERMEDIATECA (certsrv.msc > right-click the CA > All Tasks > Renew CA Certificate; the request file, e.g., renewalreq.req, is written to C:\Windows\System32\CertSrv\CertEnroll) and transfer it to the root via the shared virtual drive.
On the root, in certsrv.msc, right-click the CA > All Tasks > Submit new request and browse to the request file. A standalone root holds it under Pending Requests: right-click the request > All Tasks > Issue, then open it under Issued Certificates > Details > Copy to File and export it as renewedca.cer.
Update CRL:
The CRL validity period is configured in Revoked Certificates > Properties (CRL publishing parameters), not in the publish dialog; set it to the interval your policy allows (e.g., 2 years: the longer the interval, the less often the root must be powered on, but the longer a revoked Intermediate CA certificate would stay trusted). Then right-click Revoked Certificates > All Tasks > Publish > New CRL. The CA writes <CA name>.crl to C:\Windows\System32\CertSrv\CertEnroll; copy it to the shared drive as rootca.crl and note its Next Update date, because the next session must happen before then.
Backup and Power Down:
Renewing the Intermediate CA certificate does not change the root's key, so only export a new root CA certificate (.cer) if the root certificate itself was renewed. Back up the CA database and private key with certsrv.msc > right-click the CA > All Tasks > Back Up CA (or Backup-CARoleService), protected by a strong password, and write it to dedicated offline backup storage (e.g., a separate VHDX snapshot or cloud storage with an object lock), never to the transfer drive that travels to the networked Intermediate CA.
Shut down the VM and secure it.
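The whole root session above, as one PowerShell script (an added example, not the author's script). It assumes a CA common name of OFFLINEROOTCA-CA on host OFFLINEROOTCA, the transfer VHDX mounted as E:, a separate backup VHDX as D:, and the request file name renewalreq.req; adjust these to your environment. It uses certreq/certutil instead of the certsrv.msc clicks, and it refuses to continue if a network adapter is connected or the operator cannot vouch for the clock.

```powershell
# Offline root CA session script (added example, not from the original article).
# Assumed names: CA "OFFLINEROOTCA-CA" on host OFFLINEROOTCA, transfer drive E:, backup drive D:.
# Run elevated through the Hyper-V console.
$CaConfig   = 'OFFLINEROOTCA\OFFLINEROOTCA-CA'      # "<host>\<CA common name>" (assumed)
$Transfer   = 'E:\'
$Request    = Join-Path $Transfer 'renewalreq.req'
$Issued     = Join-Path $Transfer 'renewedca.cer'
$CertEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

# 1. Air-gap check: abort if any adapter is connected.
$up = Get-NetAdapter -ErrorAction SilentlyContinue | Where-Object Status -eq 'Up'
if ($up) { throw "Connected adapter(s): $($up.Name -join ', '). Detach them in Hyper-V before continuing." }

# 2. Clock check: CRL ThisUpdate/NextUpdate and certificate validity come from this VM's clock.
Write-Host "VM clock: $(Get-Date -Format 'u')"
if ((Read-Host 'Does this match a trusted clock? (y/n)') -ne 'y') { throw 'Correct the time (Set-Date) first.' }

# 3. Sign the Intermediate CA renewal request, if one was transferred.
if (Test-Path $Request) {
    $out = certreq -submit -config $CaConfig $Request $Issued 2>&1 | Out-String
    if ($out -match 'RequestId:\s*(\d+)') {
        $id = $Matches[1]
        if ($out -match 'pending') {
            # A standalone root queues requests; issue it, then retrieve the certificate.
            certutil -config $CaConfig -resubmit $id | Out-Null
            certreq -retrieve -config $CaConfig $id $Issued | Out-Null
        }
        Write-Host "Issued request $id as $Issued"
    } else {
        throw "Submission failed:`n$out"
    }
}

# 4. Publish a fresh base CRL. Its lifetime is the CA's CRLPeriod/CRLPeriodUnits setting (shown
#    here); change it with certutil -setreg followed by Restart-Service certsvc, not at publish time.
certutil -getreg CA\CRLPeriodUnits | Select-String 'REG_'
certutil -getreg CA\CRLPeriod      | Select-String 'REG_'
certutil -CRL | Out-Null
$crl = Get-ChildItem $CertEnroll -Filter '*.crl' | Where-Object Name -notmatch '\+' |   # base CRL, not delta
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crl.FullName | Select-String 'ThisUpdate|NextUpdate'   # next session must precede NextUpdate
Copy-Item $crl.FullName (Join-Path $Transfer 'rootca.crl') -Force
Copy-Item (Join-Path $CertEnroll '*.crt') $Transfer -Force             # root certificate(s), in case renewed

# 5. Back up database and key to the offline backup drive (not the transfer drive), then power off.
Import-Module ADCSAdministration
Backup-CARoleService -Path 'D:\CABackup' -Password (Read-Host 'Backup password' -AsSecureString)
Stop-Computer
```

The backup goes to D: and only the CRL, the issued certificate and the root .crt files land on the transfer drive, so the root's private key never rides the VHDX that is later mounted on the networked Intermediate CA.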
Step 2: Renewing CRL for Root CA
CRLs are how relying parties learn that a certificate has been revoked, and an expired CRL is as bad as a missing one: Windows treats a chain whose root CRL cannot be checked as having unknown revocation status, which many components (smart card logon, TLS client authentication, code signing) reject. The Intermediate CA, being online, publishes its own CRL automatically on its configured schedule (e.g., weekly), so manual renewal is only needed for the Offline Root CA's CRL, which covers the Intermediate CA certificate.
Offline Root CA CRL Renewal
During the online session (Step 1), renew the root CRL: right-click Revoked Certificates > All Tasks > Publish > New CRL (the interval, e.g., 2 years, is set beforehand in Revoked Certificates > Properties) and copy the resulting CRL from CertEnroll to the shared drive as rootca.crl.
Do not change the Intermediate CA's CDP extension (certsrv.msc > Properties > Extensions) for this: that setting controls the CDP URL written into certificates the Intermediate CA issues. The URL clients follow to fetch rootca.crl is embedded in the Intermediate CA certificate itself and was fixed by the root when it issued that certificate, so the renewed CRL simply replaces the old file at the same location.
Distribute CRLs
Copy the rootca.crl to the Intermediate CA's C:\CRL directory, overwriting the previous file (the Intermediate CA's own intermediateca.crl is published there automatically).
Verify from a client that the whole chain, including the root CRL, can be fetched and validated: certutil -verify -urlfetch intermediateca.cer. The CRL URL should be retrieved without "Revocation status unknown" or expired-CRL errors.
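The distribution and verification step on INTERMEDIATECA, as an added example (not the author's script). It assumes the transfer drive is mounted as E:, that the root CA's CDP points at a location served from C:\CRL, and that the Intermediate CA certificate is exported at C:\CRL\intermediateca.cer. It refuses to swap in a CRL that does not parse or has already expired, keeps the previous file for rollback, and finishes with the fetch-and-verify check.

```powershell
# Place the refreshed root CRL and prove the chain validates (added example, not from the article).
# Assumed paths: transfer drive E:, CDP directory C:\CRL, Intermediate CA cert C:\CRL\intermediateca.cer.
$NewCrl    = 'E:\rootca.crl'
$CdpDir    = 'C:\CRL'
$SubCaCert = 'C:\CRL\intermediateca.cer'

# Sanity-check the incoming file before it replaces the live one: it must parse and not be expired.
$dump = certutil -dump $NewCrl 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "Not a valid CRL: $NewCrl`n$dump" }
$line = $dump -split "`r?`n" | Where-Object { $_ -match 'NextUpdate:' } | Select-Object -First 1
if (-not $line) { throw 'NextUpdate not found in CRL dump' }
$next = [datetime]::Parse(($line -replace '.*NextUpdate:\s*', '').Trim())
if ($next -lt (Get-Date)) { throw "CRL already expired (NextUpdate $next); republish on the root CA." }
Write-Host "Root CRL valid until $next ($([int]($next - (Get-Date)).TotalDays) days left)"

# Keep the previous copy so a bad swap can be undone, then replace in place (same name, same URL).
$live = Join-Path $CdpDir 'rootca.crl'
if (Test-Path $live) { Copy-Item $live "$live.bak" -Force }
Copy-Item $NewCrl $live -Force

# The CDP URL is inside the Intermediate CA certificate (set by the root when it issued it);
# show which URL clients will actually fetch, then run the full chain and revocation check.
certutil -dump $SubCaCert | Select-String 'URL='
certutil -verify -urlfetch $SubCaCert | Select-String 'Verified|Revocation|Expired|ERROR|FAILED|CRL'
if ($LASTEXITCODE -ne 0) { throw 'Chain or revocation check failed; inspect the full certutil -verify -urlfetch output.' }
```

Run the same certutil -verify -urlfetch line on an ordinary domain client afterwards; the CA can reach its own C:\CRL by file path, while clients have to reach it through the HTTP or LDAP URL in the certificate.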
Step 3: Monitoring and General Maintenance
Keep the PKI gears turning with routine checks.
Check CA Service Status:
On INTERMEDIATECA, open services.msc via the Hyper-V console (or run Get-Service certsvc) and ensure Active Directory Certificate Services is running.
Restart if needed: Restart-Service certsvc (equivalent to Stop-Service -Name certsvc -Force; Start-Service -Name certsvc). A restart is also required after changing CRL settings with certutil -setreg.
Review Event Logs:
On INTERMEDIATECA, in Event Viewer, check Windows Logs > Application for events from the source Microsoft-Windows-CertificationAuthority; CRL publication failures and issuance errors are logged there. Applications and Services Logs > Microsoft > Windows holds the related CertificateServices-Deployment and CertificateServicesClient channels for deployment and enrollment events.
Investigate errors (e.g., issuance failures, CRL publishing failures) rather than clearing the log; if a log is filling up, raise its maximum size or archive it with Save All Events As so the history is not lost.
Record recurring entries and their resolution in your PKI documentation.
Certificate Renewal:
Monitor the Intermediate CA certificate (e.g., 5-year validity). When it nears expiration, generate a renewal request on INTERMEDIATECA (certsrv.msc > right-click the CA > All Tasks > Renew CA Certificate; reuse the existing key unless policy or a suspected compromise calls for a new one, since with a new key the CA must also keep publishing CRLs for the old key), sign it on OFFLINEROOTCA, and install the renewed certificate via All Tasks > Install CA Certificate.
Update the GPO with the new intermediateca.cer; the certificate always changes on renewal, even with the same key, because its serial number and validity period differ.
Backup Routines:
Regularly snapshot the INTERMEDIATECA VM and back up its CA database and key (certsrv.msc > All Tasks > Back Up CA, or Backup-CARoleService) to the shared drive, if other backup methods aren't already in place.
Store the backup offline and encrypted, and test a restore at least once so you know the password and procedure work.
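The routine checks above as one scheduled health-check script for INTERMEDIATECA (an added example, not the author's). It assumes the root CRL is served from C:\CRL\rootca.crl and that a warning is wanted when the Intermediate CA certificate or the root CRL has fewer than 90 days left; the root CRL check is the one that needs an offline-root session to fix, so it deserves the earliest warning.

```powershell
# Weekly PKI health check for INTERMEDIATECA (added example, not from the article).
# Assumed: root CRL at C:\CRL\rootca.crl; warn when anything has under $WarnDays days left.
$WarnDays = 90
$findings = @()

# 1. Service state.
$svc = Get-Service certsvc
if ($svc.Status -ne 'Running') { $findings += "certsvc is $($svc.Status)" }

# 2. CA errors and warnings from the last 7 days. The CA logs to the Application log under this provider.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Level = 1, 2, 3; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += "Event $($e.Id) at $($e.TimeCreated.ToString('u')): $(($e.Message -split "`r?`n")[0])"
}

# 3. Days left on the Intermediate CA certificate (certutil -ca.cert exports the active CA certificate).
$tmp = Join-Path $env:TEMP 'subca.cer'
certutil -ca.cert $tmp | Out-Null
$subca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
$left  = [int]($subca.NotAfter - (Get-Date)).TotalDays
if ($left -lt $WarnDays) { $findings += "Intermediate CA certificate expires in $left days ($($subca.NotAfter.ToString('u')))" }

# 4. Root CRL freshness: only a powered-on root session can fix this, so warn early.
$line = certutil -dump 'C:\CRL\rootca.crl' | Where-Object { $_ -match 'NextUpdate:' } | Select-Object -First 1
if ($line) {
    $next    = [datetime]::Parse(($line -replace '.*NextUpdate:\s*', '').Trim())
    $crlLeft = [int]($next - (Get-Date)).TotalDays
    if ($crlLeft -lt $WarnDays) { $findings += "Root CRL expires in $crlLeft days ($next); schedule an offline root session" }
} else {
    $findings += 'Root CRL at C:\CRL\rootca.crl is missing or unreadable'
}

# 5. Record the Intermediate CA's own CRL schedule alongside the findings.
$schedule = (certutil -getreg CA\CRLPeriodUnits | Select-String 'REG_') ,
            (certutil -getreg CA\CRLPeriod      | Select-String 'REG_')
Write-Host "Intermediate CRL schedule: $($schedule -join '; ')"

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'PKI health OK'
exit 0
```

Register it as a scheduled task running as a service account with read access to the CA; a non-zero exit code is what your monitoring should alert on.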
Step 4: Updating GPO and Client Distribution
Keep clients in sync with CA changes.
Update GPO for Renewed Certs:
Open gpmc.msc on the DC VM.
Edit the "PKI Certificate Distribution" GPO, re-import updated rootca.cer or intermediateca.cer if renewed.
Force Client Update:
On client VMs, run gpupdate /force and then certutil -pulse (which triggers autoenrollment); a reboot is rarely needed.
Verify in certlm.msc that rootca.cer appears under Trusted Root Certification Authorities and intermediateca.cer under Intermediate Certification Authorities, and that their thumbprints match the files you imported into the GPO.
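A client-side check that the distributed certificates actually arrived, as an added example (not the author's script). It assumes copies of rootca.cer and intermediateca.cer are reachable on a share under the assumed path \\corp.local\SYSVOL\corp.local\PKI; adjust it to wherever your GPO sources the files. It compares thumbprints rather than subject names, because a renewed CA certificate keeps the same subject and an old copy in the store would otherwise pass.

```powershell
# Verify GPO-distributed CA certificates on a client by thumbprint (added example, not from the article).
# Assumed source paths; replace with your own share or SYSVOL location.
$expected = @{
    Root = @{ File = '\\corp.local\SYSVOL\corp.local\PKI\rootca.cer';         Store = 'Cert:\LocalMachine\Root' }
    Sub  = @{ File = '\\corp.local\SYSVOL\corp.local\PKI\intermediateca.cer'; Store = 'Cert:\LocalMachine\CA' }
}

gpupdate /target:computer /force | Out-Null

foreach ($name in $expected.Keys) {
    $file  = $expected[$name].File
    $store = $expected[$name].Store
    $want  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    $have  = Get-ChildItem $store | Where-Object Thumbprint -eq $want.Thumbprint
    if ($have) {
        Write-Host "$name OK: $($want.Subject) [$($want.Thumbprint)] in $store, expires $($want.NotAfter.ToString('u'))"
    } else {
        Write-Warning "$name MISSING: $($want.Subject) [$($want.Thumbprint)] not in $store; check GPO scope with gpresult /r"
    }
    # Older copies with the same subject (pre-renewal certificates) are harmless while valid,
    # but list them so nobody mistakes them for the current one.
    Get-ChildItem $store |
        Where-Object { $_.Subject -eq $want.Subject -and $_.Thumbprint -ne $want.Thumbprint } |
        ForEach-Object { Write-Host "  also present: [$($_.Thumbprint)] valid until $($_.NotAfter.ToString('u'))" }
}
```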
Final Thoughts from the Mainframe
Mission sustained—your PKI maintenance plan is now operational. Bring the offline root CA online sparingly, renew CRLs diligently, and monitor logs to keep the trust chain intact. Drop a comment if the circuits falter—we’re here to debug!
Written by Mike Becker