Re: How to install a new Enterprise Root Certificate Authority to replace an old one?

From: Erik (umetricsdev_at_umetrics.com)
Date: 04/23/04


Date: Fri, 23 Apr 2004 12:23:49 +0200

Thanks again,

Sadly, that solution isn't really practical for me (I've already set up the
new DC with a different name and moved lots of stuff from the old DC to it,
and besides I don't want to keep the old name around! :=) ).

So back again to my original questions:

Can I install a second Root Enterprise CA in the domain in parallel with the
old CA?
Or must I uninstall the first CA first?

And in both cases, how does it affect my clients, or rather, how do I make
the impact as little as possible? (These questions are more elaborated in
my original post in this thread).

/ Erik

"Bob Qin [MSFT]" <bobqin@online.microsoft.com> wrote in message
news:zRN%23jpRKEHA.304@cpmsftngxa10.phx.gbl...
> Hi Erik,
>
> Yes, the new server must have the same name as the outdated server because
> the server name information is part of the Authority Information Access
> (AIA) and CRL distribution point paths of all previously issued
> certificates. In addition, the database and log-file paths must be the
> same on both the new and outdated servers.
>
> You can try these steps.
>
> Upgrade Windows 2000 DC to Windows Server 2003
> Backup the Certification Authority Keys and Database
> Demote the Windows 2003 DC
> Install a new Windows 2003 DC using the original name and promote it to a
> DC
> Restore the Certification Authority Keys and Database
>
> Wish it helps.
>
> Regards,
> Bob Qin
> Product Support Services
> Microsoft Corporation
>
> Get Secure! - www.microsoft.com/security
>
> ====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ====================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
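
The dependency on the old server name described in the quoted reply (AIA and CRL distribution point paths baked into issued certificates) can be inventoried on a client or server before the old CA host is retired. The PowerShell below is an added example, not part of the original thread; `OLDCA01` is a placeholder host name, and the script assumes the decoded extension text that Windows returns from `Format()`.

```powershell
# Added example: list certificates in a store whose CDP or AIA extension
# still points at a given CA host. Not from the original thread.
param(
    [string]$OldCaHost = 'OLDCA01',                # placeholder: name of the retiring CA server
    [string]$StorePath = 'Cert:\LocalMachine\My'   # store to inspect
)

# Extensions that embed the issuing CA's publication locations.
$oids = @{
    '2.5.29.31'         = 'CDP'   # CRL Distribution Points
    '1.3.6.1.5.5.7.1.1' = 'AIA'   # Authority Information Access
}
$needle = [regex]::Escape($OldCaHost)

Get-ChildItem -Path $StorePath | ForEach-Object {
    $cert = $_
    foreach ($ext in $cert.Extensions) {
        $kind = $oids[$ext.Oid.Value]
        if (-not $kind) { continue }

        # Format($true) gives the decoded extension, one URL per line (Windows behaviour).
        # LDAP entries carry the server's short name as a CN component,
        # HTTP/file entries carry it as the host, so a substring match covers both.
        $lines = $ext.Format($true) -split "\r?\n" |
            Where-Object { $_ -match 'URL=' -and $_ -match $needle }

        foreach ($line in $lines) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter   # how long this path must stay reachable
                Extension  = $kind
                Location   = $line.Trim()
            }
        }
    }
} | Sort-Object NotAfter -Descending
```

The latest `NotAfter` in the output indicates how long CRLs and the CA certificate need to remain available at the old paths for those certificates to keep validating.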