Re: How to install a new Enterprise Root Certificate Authority to replace an old one?

From: Erik (umetricsdev_at_umetrics.com)
Date: 04/27/04

  • Next message: Hugo: "Re: ASR"
    Date: Tue, 27 Apr 2004 16:28:22 +0200
    
    

    Thanks Brian, your post made things a lot clearer for me,

    I have now installed the new CA and deployed most of the new certificates.
    All is going well. Thanks again!

    / Erik

    "Brian Komar" <bkomar@nospam.komarconsulting.com> wrote in message
    news:MPG.1af4964bf5c12394989685@msnews.microsoft.com...
    > Erik,
    >
    > Along with my other response some more answers inline.
    >
    > Brian
    > <snip>
    > >
    > > From what I've read on Google and on Microsoft there is no way of moving
    > > an Enterprise Root CA to this new server (since apparently Enterprise CAs
    > > can't be moved to a computer with a different name).
    > >
    > Not with a new name...
    > >
    > > So, I've read in a post that I should uninstall the old CA and install a
    > > NEW Root Enterprise CA on the new DC.
    > >
    >
    > I would not recommend installing a CA on a DC at any time. It is better
    > to use a dedicated machine for the CA.
    > >
    > > The question is if this is as easy as it sounds or if there are any
    > > hidden pitfalls...? Obviously I'd like the transition to be as easy as
    > > possible both for me and for the users.
    > >
    > The biggest issue will be the need to redeploy all certs. The old certs
    > are gone once you remove the old CA, as there will be no updated CRLs.
    > >
    > > Environment: We have a single native W2k AD domain in the process of
    > > becoming a W2k3. Less than 50 clients. Our old CA has been used fairly
    > > little:
    > >
    > > * A couple of Code Signing certificates for signing only a few files
    > > (used internally).
    > >
    > You will have to resign the files with a new valid cert.
    >
    > > * A cert used for SSL/TLS to secure IMAP sessions to our mail server.
    > >
    > Need a new cert here.
    >
    > > * In addition there are a few certificates that have been automatically
    > > created (?) for each DC in the domain.
    > >
    > Ditto on these ones.
    > >
    > > I'm planning on doing the following:
    > >
    > > 1. Revoke all certificates on the old CA (with the reason "Cease of
    > > operation" as it says in the W2k documentation).
    > >
    > That is fine, but to be honest, once you remove the old CA, the certs
    > will fail revocation checking at the next CRL publication, as a current
    > CRL will no longer be available.
    >
    > > 2. Should I then wait a week (the publication interval is 1 week) so
    > > that the CRL (Certification Revocation List) has been expired on all
    > > clients? Is this needed?
    > >
    > Once you remove the CA, the certs can no longer be verified. You really
    > do not have to wait the week...
    >
    > > 3. Then uninstall the CA on the old computer. How will this affect my
    > > clients? (the use of the certs is described above).
    > >
    > As I said earlier, once you remove the CA, there are no more updates to
    > the CRL, so all CRL checking will fail.
    >
    > > 4. Install a new Enterprise Root CA on the new DC.
    > >
    > You can even do this beforehand. I would probably recommend setting
    > this up beforehand, and getting the replacement certificates deployed.
    > This will result in a smoother transition.
    >
    > > 5. Re-create the certificates and use the new ones for signing the
    > > files, and for the SSL connection used at the mail server.
    > >
    > You do not have to re-create any certificate templates. Certificate
    > templates are a forest-wide object, not tied to a specific enterprise
    > CA.
    >
    > Brian
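Brian's point is that once the old CA is gone its last CRL expires and every certificate it issued fails revocation checking, so the practical job is to find which certificates on each machine still chain to that root and have not yet been replaced. The following PowerShell script is an added example and is not code from this thread or from Microsoft. It assumes the old root's thumbprint is supplied in the placeholder `$OldRootThumbprint` and looks in `Cert:\LocalMachine\My`; it builds each certificate's chain with online revocation checking (the .NET `X509Chain` class) and reports the resulting chain status flags.

```powershell
# Added example, not from the thread. Inventory certificates in the local
# machine store that chain to the OLD root CA and show what a chain build
# with online revocation checking says about each one. After the old CA's
# last CRL passes its NextUpdate (or the CA is removed), these entries show
# RevocationStatusUnknown / OfflineRevocation and are the ones still to redeploy.

param(
    # Placeholder: SHA-1 thumbprint of the OLD root CA certificate (assumption).
    [string]$OldRootThumbprint = 'PLACEHOLDER_OLD_ROOT_THUMBPRINT',
    # Store to inspect; change to Cert:\CurrentUser\My for user certificates.
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

$report = foreach ($cert in Get-ChildItem -Path $StorePath) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online mode downloads CRLs; a CA that no longer exists cannot publish a fresh one.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($cert)

    # Ignore certificates whose chain could not be constructed at all.
    if ($chain.ChainElements.Count -eq 0) { $chain.Reset(); continue }

    # Last chain element is the root; keep only certificates issued under the old CA.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Thumbprint -ne $OldRootThumbprint) { $chain.Reset(); continue }

    # Collect the chain status flags (e.g. RevocationStatusUnknown, OfflineRevocation, Revoked).
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    if ($statuses.Count -eq 0) { $statusText = 'NoError' } else { $statusText = $statuses -join ',' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        ChainValid = $built
        Status     = $statusText
    }
    $chain.Reset()
}

$report | Sort-Object Subject | Format-Table -AutoSize
```

Run it on each server and DC before and after the cutover: before the old CA is removed it is a checklist of what must be reissued from the new CA; afterwards an empty result (or only entries marked `Revoked`) confirms nothing is still relying on the retired root. Because the check uses the same chain engine Windows itself uses for certificate validation, the flags it reports are what clients will see, which is why Brian's advice to stand up the new CA and deploy replacements first makes the transition smoother.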

