Score:0

CentOS Certificate Authority increase key strength

I have a self-signed CA that I have been using for several years. Certs that I sign/issue these days for our LAN are now getting warnings in Chrome due to "Weak Key". Is there a straightforward way with openssl to replace or upgrade the Root CA Key to use stronger crypto to avoid the "Not Secure" Chrome designation on signed certs?

Score:1

Unfortunately, the only way to upgrade the Root CA key is to replace it with a newer, stronger key pair and afterwards self-sign a new Root CA certificate with the new pair.

The next steps depend on whether you decided to use subordinate CAs in your PKI design.

If you didn't go for subordinate CAs, you will need to re-sign[1] all end-entity certificates with this new Root CA and the subscribers must configure their services/applications to present their newly signed end-entity certificate in their chain.

If you did opt for subordinate CAs, you will need to re-sign just the subordinate CA(s) with this new Root CA. You must then give the re-signed subordinate CA certificate(s) to all end-entity subscribers who must configure their services/applications to present this re-signed subordinate CA certificate in their chain. Note: don't re-key[2] the subordinate CA here, otherwise you'll have to re-sign all end-entity certificates with the re-keyed subordinate CA.

In either case, you will need to distribute your new Root CA certificate to all relying parties and configure them all to trust this new chain.

Depending on the size of your estate, this could be quite a major undertaking. In both scenarios:

  • You re-key your Root CA once;
  • Your service/application owners will need to re-configure their service to use the replacement CA certificates in the chain;
  • You will need to distribute the Root CA to all relying-parties;

If you didn't opt for a subordinate CA, you will need to re-sign all end-entity certificates too.


[1] Re-sign means the certificate is simply re-signed by the CA. The only attribute that will change is the signature, and optionally the issue/expiry dates.

[2] Re-key means a new key-pair is generated for the certificate and the certificate is re-signed by the CA. No attribute other than the public key, and optionally the issue/expiry dates, change.
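The no-subordinate-CA path described in the answer above, as an added openssl walkthrough that is not part of the original answer: the root is re-keyed once, an existing end-entity certificate is re-signed (same key and subject, new signature) under the new root, and the chain is verified. The file names, subjects and the stand-in "old" PKI are all constructed for the example.

```shell
#!/bin/sh
# Added example, not the answer's own commands: re-key the root CA to a 4096-bit
# RSA key, re-sign an existing end-entity cert under it, verify the new chain.
# All file names, subjects and the stand-in "old" PKI below are constructed.
set -eu
WORK=${WORK:-$(mktemp -d)}
cd "$WORK"
# Minimal req config so the result does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\n' > ca.cnf
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> ca.cnf
printf 'subjectAltName = DNS:intranet.lan\nextendedKeyUsage = serverAuth\n' > leaf.ext

# Stand-in for the existing PKI: an old root and one server cert it issued.
make_old_pki() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root-old.key 2>/dev/null
  openssl req -x509 -new -config ca.cnf -extensions ca_ext -key root-old.key -sha256 \
    -days 30 -subj "/CN=LAN Root CA (old)" -out root-old.crt
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key 2>/dev/null
  openssl req -new -config ca.cnf -key server.key -subj "/CN=intranet.lan" -out server.csr
  openssl x509 -req -in server.csr -CA root-old.crt -CAkey root-old.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out server-old.crt 2>/dev/null
}
# Step 1: re-key the root once and self-sign a fresh root certificate with it.
rekey_root() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out root-new.key 2>/dev/null
  openssl req -x509 -new -config ca.cnf -extensions ca_ext -key root-new.key -sha256 \
    -days 3650 -subj "/CN=LAN Root CA G2" -out root-new.crt
}
# Step 2: re-sign the existing leaf. -x509toreq turns the old cert back into a
# CSR signed with the leaf's own key, so key and subject stay; the extensions
# are re-supplied from the ext file because x509toreq does not carry them over.
resign_leaf() {
  openssl x509 -x509toreq -in server-old.crt -signkey server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA root-new.crt -CAkey root-new.key -CAcreateserial \
    -days 365 -sha256 -extfile leaf.ext -out server-new.crt 2>/dev/null
}
# Chain check as a relying party would do it: $1 = trusted root, $2 = leaf.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Whole rotation; succeeds only if the re-signed leaf chains to the new root
# and the old leaf no longer does (so subscribers must deploy the new one).
rotate_ca() {
  make_old_pki && rekey_root && resign_leaf || return 1
  verify_chain root-new.crt server-new.crt || return 1
  verify_chain root-new.crt server-old.crt && return 1
  return 0
}
rotate_ca && printf 'rotation verified; files in %s\n' "$WORK"
```

In the subordinate-CA variant from the answer, the same `-x509toreq` plus `x509 -req` step is applied to the subordinate CA certificate instead of each leaf, with the CA extensions re-supplied rather than the leaf ones.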
