Renew CA certificate with the same key as older of two CA certificates
I have a CA installed on Windows Server 2022. It has two certificates:
I have many certificates created using the first key used on other devices.
The newer certificate was created with a new key, so certificates issued with the second CA certificate (the one with the new key) do not authorize users on devices with the first CA cert installed.
So I want to create a new certificate that has the same key as the old CA certificate, but with an extended period of usability.
How to do that on Windows Server 2022?
Top Answer/Comment:
The expiring certificate of the root CA needs to be replaced or renewed in any case, and deployed to all users. This is the identity metadata tied to the public key. Software verifying the chain likely will not accept the expired root.
A private key must be replaced if it was compromised, or you require different cryptography parameters. Or you optionally desire a different root for operational or organizational reasons. Perhaps implementing offline or hardware private key storage, where the root's secret is never on an IP network.
If instead the private key is still secure and useful, certutil -renewCert ReuseKeys or a similar action will issue a CA certificate with the same private and public keys, but with a "valid to" date extended later. The primary benefit: certificates previously signed by the old one can still be validated.
Having both old and new private keys may make sense. It is of course technically possible to have multiple certificate chains. Perhaps a gradual migration to a new root, perhaps there are legacy TLS clients to deal with.
Although even large and complex organizations only need one or two root CAs for a centralized PKI. With a multiple tiered CA design, the root signs several issuing CAs, which in turn sign various certificates for users.
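The renew-with-reused-key step from the answer above, followed by the check a practitioner would want before rolling the new certificate out: that the renewed CA certificate really carries the original public key. This is an added example, not part of the original answer; it assumes an elevated PowerShell session on the CA host itself and that the output file paths are placeholders you may change.

```powershell
# Added example (not from the original answer). Assumes an elevated PowerShell session on the
# Windows Server 2022 root CA host with the Certification Authority service installed.
$before = Join-Path $env:TEMP 'ca-cert-before.cer'   # placeholder paths
$after  = Join-Path $env:TEMP 'ca-cert-after.cer'

# 1. Save the current CA certificate for comparison (certutil -ca.cert writes the newest CA cert).
certutil -ca.cert $before | Out-Null

# 2. Renew the CA certificate while keeping the existing key pair. Without "ReuseKeys"
#    certutil generates a new key, which is what broke chaining in the question.
certutil -renewCert ReuseKeys
if ($LASTEXITCODE -ne 0) { throw "certutil -renewCert failed with exit code $LASTEXITCODE" }

# 3. Save the renewed CA certificate (now the newest one) for the comparison and for deployment.
certutil -ca.cert $after | Out-Null

# 4. Compare public key and Subject Key Identifier (OID 2.5.29.14) of the two certificates.
function Test-SameCaKey {
    param([string]$OldPath, [string]$NewPath)
    $old = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OldPath
    $new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $NewPath
    $skiOld = ($old.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }).Format($false)
    $skiNew = ($new.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }).Format($false)
    [pscustomobject]@{
        SameKey       = ($old.GetPublicKeyString() -eq $new.GetPublicKeyString())
        SameSki       = ($skiOld -eq $skiNew)
        OldNotAfter   = $old.NotAfter
        NewNotAfter   = $new.NotAfter
        NewThumbprint = $new.Thumbprint   # differs from the old one: same key, new certificate
    }
}

$result = Test-SameCaKey -OldPath $before -NewPath $after
$result
if (-not ($result.SameKey -and $result.SameSki)) {
    throw 'Renewed CA certificate does not carry the original key; devices trusting the old certificate will not chain to it.'
}
```

The renewed certificate has the same key and SKI but a new serial number and thumbprint, so anything that pins the old thumbprint rather than the key still needs the new certificate distributed to it.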