Re: Move certificate authority
From: Shawn Corey [MSFT] (shawncor_at_online.microsoft.com)
Date: Thu, 23 Sep 2004 18:23:53 -0700
You can keep the current Root CA you have online and just install a new one.
If you are not migrating, as in not keeping the same
servername/cert/key/database, then a new CA name is HIGHLY recommended; you
could probably use the same name but there are a lot of potential gotchas
from doing this. A client having 2 certs from different CAs that are
identical except for the CA that issued them is perfectly fine.
The easiest way to smooth the transition is to remove all templates from the
old CA's list of templates to issue so it will not issue any certificates,
this will let you keep it online so it will publish CRLs. After the new Root
is installed just re-enroll all necessary machines/users for certs from the
new CA. After all the new certs have been issued then revoke the certs from
the old CA, publish a new CRL and everything should be all good :). It may
take a while for all the revoked certs from the old CA to show up as revoked
because of CRL caching and such but after the cached CRL expires then all of
the old certs should no longer be valid.
As for your fourth question about cleaning up: if you use the PKI Health
tool from the ResKit you can remove the pieces in your AD that the old CA
will leave behind. It leaves behind its cert and the last CRL published to
allow clients to use their certs till they expire if they were not revoked.
These pieces are usually very small, only a few Kbytes, and should have no
effect on your new CA hierarchy.
--
Thanks,
Shawn

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

"Ben Woskje" <firstname.lastname@example.org> wrote in message news:email@example.com...
> Hi Miha,
> Thanks for the response.
>
> I have read that article, however I will not be keeping the same
> server name & was hoping there was a safer method of moving the
> certificates over rather than having to uninstall the existing CA
> first.
>
> Thanks anyway.
>
> "Miha Pihler" <firstname.lastname@example.org> wrote in message
> news:<#dqAHPUoEHA.3460@TK2MSFTNGP10.phx.gbl>...
>> Hi Ben,
>>
>> Here is a Microsoft article that explains step-by-step how to move the CA
>> service between the servers.
>>
>> How to move a certification authority to another server
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;298138&Product=winsvr2003
>>
>> This process will keep all your issued and revoked certificate
>> information, compared to the process that you describe where you get a
>> whole new CA server.
>>
>> You can only have 1 (one) Enterprise Root CA server at a time. Any
>> other Enterprise setup server can only be a subordinate CA server. This
>> should also answer all the other questions related to this...
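The transition Shawn describes (stop the old CA issuing, re-enroll from the new one, revoke, publish a CRL, then wait out CRL caching), written out as an added example that is not part of the thread. It assumes the ADCSAdministration module (Windows Server 2012 or later) on the old CA for the template step and certutil.exe for the rest; on Windows Server 2003 the templates are removed in the Certification Authority MMC instead, and all CA names and file paths below are placeholders.

```powershell
# Added example, not from the thread. CA names and paths are placeholders.
$OldCA = 'OLDCASRV\Contoso Old Root CA'   # placeholder: <host>\<CA common name>
$NewCA = 'NEWCASRV\Contoso Root CA 2'     # placeholder

# 1. Stop the old CA issuing anything but leave the service running so it keeps
#    publishing CRLs: empty its "Certificate Templates to issue" list.
#    (Run on the old CA; needs the ADCSAdministration module.)
Import-Module ADCSAdministration
Get-CATemplate | ForEach-Object { Remove-CATemplate -Name $_.Name -Force }

# 2. Install the new root and re-enroll machines/users from it (autoenrollment
#    or certreq, not scripted here). Confirm the new CA has templates to issue:
certutil -config $NewCA -CATemplates

# 3. Once everything is re-enrolled, revoke every certificate the old CA issued.
#    Disposition 20 = issued; revocation reason 4 = Superseded.
$serials = certutil -config $OldCA -view -restrict 'Disposition=20' -out 'SerialNumber' |
    ForEach-Object { if ($_ -match 'Serial Number:\s*"?([0-9A-Fa-f]+)"?') { $Matches[1] } }
foreach ($s in $serials) {
    certutil -config $OldCA -revoke $s 4
}

# 4. Publish a fresh CRL from the old CA so the revocations become visible.
certutil -config $OldCA -CRL

# 5. Clients keep trusting a cached CRL until its NextUpdate passes, which is
#    the delay Shawn mentions. To see a client's view of an old cert now rather
#    than later, purge its CRL cache and rebuild the chain with a fresh fetch
#    (run on the client; the .cer path is a placeholder).
certutil -urlcache crl delete
certutil -verify -urlfetch 'C:\temp\old-ca-issued.cer'
```

After the old CA's last CRL has expired, the leftover AD objects can be cleaned up with the PKI Health tool as described above.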