Re: How to install a new Enterprise Root Certificate Authority to replace an old one?
From: Brian Komar (bkomar_at_nospam.komarconsulting.com)
Date: 04/24/04
- Previous message: Brian Komar: "Re: Enterprise Root CA"
- In reply to: Erik: "Re: How to install a new Enterprise Root Certificate Authority to replace an old one?"
- Next in thread: Bob Qin [MSFT]: "Re: How to install a new Enterprise Root Certificate Authority to replace an old one?"
- Reply: Bob Qin [MSFT]: "Re: How to install a new Enterprise Root Certificate Authority to replace an old one?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 24 Apr 2004 16:15:27 -0500
Answers inline...
Brian
In article <uH94S0RKEHA.1120@TK2MSFTNGP11.phx.gbl>,
umetricsdev@umetrics.com says...
> Thanks again,
>
> Sadly, that solution isn't really practical for me (I've already setup the
> new DC with a different name and moved lots of stuff from the old DC to it,
> and besides I don't want to keep the old name around! :=) ).
>
> So back again to my original questions:
>
> Can I install a second Root Enterprise CA in the domain in parallel with the
> old CA?
Yes, this is just another root CA in the organization, that will use the
same certificate templates available in the Configuration naming
context. When you install the new root CA, information will be added to
the AIA, CDP and Certificate Services containers in the following
location: CN=Public Key
Services,CN=Services,CN=Configuration,ForestRootDomainLDAPName
> Or must I uninstall the first CA first?
The order does not really matter except that you should clean the old CA
references out of the Configuration NC. What I recommend is to use the
PKi Health Tool from the 2003 Resource Kit (pkiview.msc). You can then
view each container, and delete the old certs and CRLs from the
Configuration NC.
>
> And in both cases, how does it affect my clients, or rather, how do I make
> the inpact as little as possible? (These questions are more elaborated in
> my original post in this thread).
>
The impact will be that all old certs are dead/gone/toast. You should
plan for the immediate deployment of required certificates. Once you
uninstall or remove the old CA, all certificate validation will break
down at the next CRL publish interval for the old CA.
> / Erik
>
<snip>
- Previous message: Brian Komar: "Re: Enterprise Root CA"
- In reply to: Erik: "Re: How to install a new Enterprise Root Certificate Authority to replace an old one?"
- Next in thread: Bob Qin [MSFT]: "Re: How to install a new Enterprise Root Certificate Authority to replace an old one?"
- Reply: Bob Qin [MSFT]: "Re: How to install a new Enterprise Root Certificate Authority to replace an old one?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
