Re: How to install a new Enterprise Root Certificate Authority to replace an old one?
From: Brian Komar (bkomar_at_nospam.komarconsulting.com)
Date: 04/24/04
- Previous message: Brian Komar: "Re: How to install a new Enterprise Root Certificate Authority to replace an old one?"
- In reply to: Erik: "How to install a new Enterprise Root Certificate Authority to replace an old one?"
- Next in thread: Erik: "Re: How to install a new Enterprise Root Certificate Authority to replace an old one?"
- Reply: Erik: "Re: How to install a new Enterprise Root Certificate Authority to replace an old one?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 24 Apr 2004 16:21:18 -0500
Erik,
Along with my other response some more answers inline.
Brian
<snip>
>
> From what I've read on Google and on Microsoft there is no way of moving an
> Enterprise Root CA to this new server (since apparently Enterprise CAs can't
> be moved to a computer with a different name).
>
>
Not with a new name...
>
> So, I've read in a post that I should uninstall the old CA and install a
> NEW Root Enterprise CA on the new DC.
>
I would not recommend installing a CA on a DC at any time. It is better
to use a dedicated machine for the CA.
>
> The question is if this is as easy as it sounds or if there are any hidden
> pitfalls...? Obviously I'd like the transition to be as easy as possible
> both for me and for the users.
>
>
The biggest issue will be the need to redeploy all certs. The old certs
are gone once you remove the old CA, as there will be no updated CRLs.
>
> Environment: We have a single native W2k AD domain in the process of
> becoming a W2k3. Less than 50 clients. Our old CA has been used fairly
> little:
>
>
>
> * A couple of Code Signing certificates for signing only a few files (used
> internally).
>
You will have to resign the files with a new valid cert.
> * A cert used for SSL/TLS to secure IMAP sessions to our mail server.
>
Need a new cert here.
> * In addition there are a few certificates that have been automatically created
> (?) for each DC in the domain.
>
>
Ditto on these ones.
>
> I'm planning on doing the following:
>
>
>
> 1. Revoke all certificates on the old CA (with the reason "Cessation of
> operation" as it says in the W2k documentation).
>
That is fine, but to be honest, once you remove the old CA, the certs
will fail revocation checking at the next CRL publication, as a current
CRL will no longer be available.
> 2. Should I then wait a week (the publication interval is 1 week) so
> that the CRL (Certificate Revocation List) has been expired on all
> clients? Is this needed?
Once you remove the CA, the certs can no longer be verified. You really
do not have to wait the week...
> 3. Then uninstall the CA on the old computer. How will this affect my
> clients? (the use of the certs are described above).
As I said earlier, once you remove the CA, there are no more updates to
the CRL, so all CRL checking will fail.
> 4. Install a new Enterprise Root CA on the new DC.
You can even do this beforehand. I would probably recommend setting
this up beforehand, and getting the replacement certificates deployed.
This will result in a smoother transition.
> 5. Re-create the certificates and use the new ones for signing the
> files, and for the SSL connection used at the mail server.
You do not have to re-create any certificate templates. Certificate
templates are a forest-wide object, not tied to a specific enterprise
CA.
Brian
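The sequence Brian recommends (bring up the replacement CA and reissue first, then revoke on the old CA, publish one last CRL and check when it expires) can be driven with certutil, the tool an administrator of a Windows 2000/2003 CA would actually type this into. The script below is an added example and is not part of the original thread or of Erik's or Brian's setup. The CA name `OLDSRV\Old Corp Root CA`, the file names `imap-old.cer` / `imap-new.cer` / `old-ca-final.crl`, and the exact text of certutil's CRL dump (`NextUpdate:` line) are assumptions; adjust them to the real environment.

```powershell
# Added example (not from the original thread). Decommission an old
# enterprise root CA in the order Brian recommends: the new CA is already
# up and the replacement certificates are deployed before this runs.
#
# Assumptions (hypothetical names, not from the thread):
#   $OldCa          - config string "Server\CA name" of the CA being retired
#   .\imap-old.cer  - the IMAP server cert issued by the old CA
#   .\imap-new.cer  - its replacement, issued by the new enterprise root CA

$OldCa = 'OLDSRV\Old Corp Root CA'

# 1. How long the old CA's final CRL will remain valid once the CA is gone.
#    CRLPeriodUnits/CRLPeriod are the base CRL publication interval
#    (Erik's environment: 1 week). After ThisUpdate + this interval no
#    client can complete revocation checking for any old-CA certificate.
certutil -config $OldCa -getreg 'CA\CRLPeriodUnits'
certutil -config $OldCa -getreg 'CA\CRLPeriod'

# 2. Inventory of everything the old CA ever issued (Disposition=20 = issued),
#    so nothing is forgotten when reissuing from the new CA. The trailing
#    "csv" keyword asks certutil for CSV output; line 1 is the header.
certutil -config $OldCa -view -restrict 'Disposition=20' `
    -out 'RequestID,SerialNumber,CertificateTemplate,NotAfter' csv

# 3. Revoke every issued certificate with reason code 5
#    (CRL_REASON_CESSATION_OF_OPERATION, "Cessation of Operation" in the UI).
$serials = certutil -config $OldCa -view -restrict 'Disposition=20' `
               -out 'SerialNumber' csv |
           Select-Object -Skip 1 |                       # drop CSV header
           ForEach-Object { $_.Trim().Trim('"') } |      # strip CSV quoting
           Where-Object   { $_ -ne '' }

foreach ($serial in $serials) {
    certutil -config $OldCa -revoke $serial 5
}

# 4. Publish one final base CRL while the CA still exists, fetch it, and
#    read its NextUpdate. That timestamp is the point after which the old
#    certificates fail revocation checking regardless of what was revoked.
certutil -config $OldCa -crl
certutil -config $OldCa -getcrl .\old-ca-final.crl

# Assumption: certutil -dump prints the field as "NextUpdate:" (the regex
# also tolerates "Next Update:").
$nextUpdate = certutil -dump .\old-ca-final.crl |
              Select-String -Pattern 'Next\s*Update:\s*(.+)$' |
              ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
"Last CRL from '$OldCa' is usable until: $nextUpdate"

# 5. Verify both certificates with full chain building and online CRL
#    fetching (-urlfetch). The old one should now show as revoked; the new
#    one, chaining to the new enterprise root CA, should verify cleanly.
#    Only after this passes is it safe to uninstall the old CA.
certutil -verify -urlfetch .\imap-old.cer
certutil -verify -urlfetch .\imap-new.cer
```

Run it on the old CA (or any machine with the CA's admin tools, since every command carries `-config`). Step 5 is the check that matters for the transition: if `imap-new.cer` fails to verify, the new root is not yet trusted by the client, which is exactly the condition that makes the changeover visible to users.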