Re: Move 2000 Certificate server to 2003 on new hardware
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 5 Jun 2006 12:19:19 -0500
The certificate of the CA needs to be in the trusted CA store on the
computer that is trying to use a certificate that the CA issued. You can see
the contents of such via the mmc snapin for certificates for user or
computer and looking in the folder for Trusted Root Certificate Authorities.
An Enterprise CA would automatically be added for domain computers; you can
specify other certificates to add via Group Policy "computer"
configuration/Windows settings/security settings/public key policy settings,
and you can distribute the .cer file for the Certificate Authority to users
that need it and clicking it will start the certificate import wizard. You
can create a .cer file by selecting the certificate from a folder in the mmc
snapin for certificates and selecting all tasks - export. If you are using
Web Enrollment for certificate requests the CA certificate/chain can be
downloaded that way also.
-- Steve
"thawkz" <thawkz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:546BD917-DA41-454A-A8C8-6EA13D28D765@xxxxxxxxxxxxxxxx
Thanks for your response. Yes, I have no problem reissuing new certificates.
Yes, the document you referenced is indeed the MS article I was referring
to, and I agree that the process would not be difficult, however our
situation is not that straightforward....we are moving from Windows 2000 to
Windows 2003 and the existing hardware does not support an upgrade to
Windows 2003.
You mentioned that I would need to make sure all the computers involved
"trust the new CA". What steps do I need to take to ensure and verify this
trust?
Thanks again.....
"Steven L Umbach" wrote:
If you have no problem reissuing new certificates wherever needed then go
for it. Your proposal is basically destroying your old PKI and building a
new one rather than maintain the current one on the new server which really
is not that difficult to do per the instructions in the KB article below
which maybe you were referring to. You will also need to make sure that all
computers involved trust the new CA.
--- Steve
http://support.microsoft.com/?id=298138
"thawkz" <thawkz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AC0758CC-3C31-4EE1-BBC8-3C80C77F0CA6@xxxxxxxxxxxxxxxx
Currently using Windows 2000 stand-alone certificate server (member server)
for OWA and a couple of other internal (non-critical) apps that require SSL
certificate.
Plan is to retire this hardware and install certificate server on new
hardware using Windows Server 2003.
I have reviewed the Microsoft article regarding migrating certificate
services, but we really do not need to perform a migration--we are perfectly
fine with issuing new certificates to the few apps that use it (plus the
hardware currently being used would not support Windows 2003)..... My plan
is to:
1) uninstall certificate services from current server.
2) install certificate services on new server.
3) Reissue certificates to the non-critical apps and OWA.
Are there any problems with this approach? Is there a more "graceful"
recommended approach to removal of the current certificate services server,
before installing the new certificate services server?
Thanks.
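
The trust check described in the reply at the top of this thread, as an added PowerShell example that is not part of the original posts: it looks for the new CA's certificate in the computer and user Trusted Root stores and then test-builds the chain of a certificate that CA issued. Both file paths and the function names are placeholders chosen for illustration, and it assumes a Windows host where PowerShell and its `Cert:` drive are available.

```powershell
# Added example; both default paths are placeholders, not values from the thread.
param(
    [string]$CaCertPath     = 'C:\temp\new-ca.cer',     # CA certificate exported from the new server
    [string]$IssuedCertPath = 'C:\temp\owa-server.cer'  # any certificate the new CA issued
)

# True when a certificate with this thumbprint is in the Root store of the given location.
function Test-CaInRootStore {
    param([string]$Thumbprint, [string]$StoreLocation)
    $hit = Get-ChildItem -Path "Cert:\$StoreLocation\Root" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool]$hit
}

# Builds the chain the way a client would and reports why it failed, if it did.
function Test-IssuedCertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is switched off so the result reflects trust only.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    New-Object PSObject -Property @{ Trusted = $trusted; Status = $status }
}

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath
"CA subject    : $($ca.Subject)"
"CA thumbprint : $($ca.Thumbprint)"
if ($ca.Subject -ne $ca.Issuer) {
    "Note: this certificate is not self-signed, so it is not a root CA certificate."
}

foreach ($location in 'LocalMachine', 'CurrentUser') {
    $present = Test-CaInRootStore -Thumbprint $ca.Thumbprint -StoreLocation $location
    "{0,-12} Trusted Root store contains the CA: {1}" -f $location, $present
}

$leaf   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $IssuedCertPath
$result = Test-IssuedCertChain -Certificate $leaf
"Issued certificate chains to a trusted root: $($result.Trusted)"
if (-not $result.Trusted) { "Chain status: $($result.Status)" }
```

A chain status of `UntrustedRoot` on a client means the CA certificate has not reached that machine's trusted store yet, whether by Group Policy or by manual import.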