How to install a new Enterprise Root Certificate Authority to replace an old one?
From: Erik (umetricsdev_at_umetrics.com)
Date: 04/22/04
Date: Thu, 22 Apr 2004 17:23:31 +0200
Hello all,
We have an Enterprise Root Certificate Authority on an old W2k domain
controller that will be decommissioned and replaced with a new Windows
Server 2003 DC with a different name.
From what I've read on Google and on Microsoft there is no way of moving an
Enterprise Root CA to this new server (since apparently Enterprise CAs can't
be moved to a computer with a different name).
So, I've read in a post that I should uninstall the old CA and install a
NEW Root Enterprise CA on the new DC.
The question is if this is as easy as it sounds or if there are any hidden
pitfalls...? Obviously I'd like the transition to be as easy as possible
both for me and for the users.
Environment: We have a single native W2k AD domain in the process of
becoming a W2k3. Less than 50 clients. Our old CA has been used fairly
little:
* A couple of Code Signing certificates for signing only a few files (used
internally).
* A cert used for SSL/TLS to secure IMAP sessions to our mail server.
* In addition there are a few certificates that have been automatically created
(?) for each DC in the domain.
I'm planning on doing the following:
1. Revoke all certificates on the old CA (with the reason "Cease of
operation" as it says in the W2k documentation).
2. Should I then wait a week (the publication interval is 1 week) so that
the CRL (Certification Revocation List) has expired on all clients? Is
this needed?
3. Then uninstall the CA on the old computer. How will this affect my
clients? (the use of the certs is described above).
4. Install a new Enterprise Root CA on the new DC.
5. Re-create the certificates and use the new ones for signing the files,
and for the SSL connection used at the mail server.
Is the order important when uninstalling the old and installing the new CA?
Or can I install the NEW CA now, before uninstalling the old??
Sorry for the long post but I wanted to include all the details!
/ Erik