A: You can renew a Windows root Certification Authority's (CA's) certificate from the Microsoft Management Console (MMC) Certification Authority snap-in. To do so, select the CA name in the Certification Authority container in the left pane, select All Tasks from the Action menu, then click Renew CA Certificate to open the Renew CA Certificate dialog box that Figure 1 shows.

The Renew CA Certificate dialog box in the Microsoft Management Console (MMC)
Figure 1: The Renew CA Certificate dialog box

In this dialog box, you can choose to use either the existing CA key pair or generate a new key pair for certificate renewal. If you want to generate a new public and private key pair for the CA's certificate, click Yes. If you want to reuse the current public and private key pair, click No.

When you choose to generate a new key pair, Windows creates a new certificate revocation list (CRL) at the time it generates the new CA certificate, which ensures that the key used to sign the certificates issued by the CA matches the key that the CA uses to sign CRLs. As such, renewing a CA's certificate with a new key pair also offers a workaround to deal with CRLs that have become too big. The new CRL holds only the serial numbers of the certificates that were revoked since the start date of the new CA certificate.