Re: Move certificate authority

From: Shawn Corey [MSFT] (shawncor_at_online.microsoft.com)
Date: 09/23/04


Date: Thu, 23 Sep 2004 13:31:26 -0700

There actually is no limitation on how many root CAs are in a domain. I
personally have had a domain with 3 Enterprise roots in it at the same time
and had no issues, aside from remembering which Root was set up to do what :)

-- 
Thanks,
Shawn
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at 
http://www.microsoft.com/info/cpyright.htm
"Miha Pihler" <mihap-news@atlantis.si> wrote in message 
news:%23dqAHPUoEHA.3460@TK2MSFTNGP10.phx.gbl...
> Hi Ben,
>
> Here is a Microsoft article that explains step-by-step how to move the CA
> service between the servers.
>
> How to move a certification authority to another server
> http://support.microsoft.com/default.aspx?scid=kb;en-us;298138&Product=winsvr2003
>
> This process will keep all your issued and revoked certificate information,
> compared to the process that you describe where you get a whole new CA server.
>
> You can only have 1 (one) Enterprise Root CA server at a time. Any other
> Enterprise setup server can only be a subordinate CA server. This should also
> answer all the other questions related to this...
>
> Implementing and Administering Certificate Templates in Windows Server 2003
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>
> Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
> Infrastructure
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>
> PKI Enhancements in Windows XP Professional and Windows Server 2003
> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>
> Windows Server 2003 PKI Operations Guide
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>
> Managing a Windows Server 2003 Public Key Infrastructure
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>
> Advanced Certificate Enrollment and Management
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>
> Configuring and Troubleshooting Windows 2000 and Windows Server 2003
> Certificate Services Web Enrollment
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
>
> Key Archival and Management in Windows Server 2003
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx
>
> Mike
>
> "Ben Woskje" <verukins@hotmail.com> wrote in message
> news:2807742c.0409221743.a317817@posting.google.com...
>> Hi,
>>    I wish to move a Windows 2003 enterprise based CA from one server
>> to another, and I just want to verify the process with some of you
>> knowledgeable type people.
>>
>> Certificate usage
>> - Provides certificates to web servers that are accessible to the
>> outside world
>>
>> 1. Install new enterprise root CA on new server
>> 2. Create and issue new certificates to the appropriate web sites from
>> new server
>> 3. Revoke all certificates on the old server
>> 4. Un-install the CA on the old server
>>
>> Questions
>> 1. Are there any issues with having two root CAs in the forest?
>> 2. Can I issue certificates with the same name from a different CA
>> without any issues?
>> 3. Any other stuff that someone who has done this can pass on?
>> 4. Anything else I should do to "clean up"?
>>
>> Thanks.
>
> 

