Re: Move certificate authority

From: Shawn Corey [MSFT] (
Date: 09/24/04

    Date: Thu, 23 Sep 2004 18:23:53 -0700

    You can keep the current Root CA you have online and just install a new one.
    If you are not migrating, as in not keeping the same
    servername/cert/key/database, then a new CA name is HIGHLY recommended; you
    could probably use the same name, but there are a lot of potential gotchas
    from doing this. A client having 2 certs from different CAs that are
    identical except for the CA that issued them is perfectly fine.

    The easiest way to smooth the transition is to remove all templates from the
    old CA's list of templates to issue so it will not issue any certificates;
    this will let you keep it online so it will publish CRLs. After the new Root
    is installed, just re-enroll all necessary machines/users for certs from the
    new CA. After all the new certs have been issued, revoke the certs from
    the old CA, publish a new CRL, and everything should be all good :). It may
    take a while for all the revoked certs from the old CA to show up as revoked
    because of CRL caching and such, but after the cached CRL expires all of
    the old certs should no longer be valid.

    As for your fourth question about cleaning up: if you use the PKI Health
    tool from the ResKit you can remove the pieces in your AD that the old CA
    will leave behind. It leaves behind its cert and the last CRL published, to
    allow clients to use their certs till they expire if they were not revoked.
    These pieces are usually very small, only a few Kbytes, and should have no
    effect on your new CA hierarchy.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    "Ben Woskje" <> wrote in message
    > Hi Miha,
    >        Thanks for the response.
    > I have read that article, however I will not be keeping the same
    > server name & was hoping there was a safer method of moving the
    > certificates over rather than having to uninstall the existing CA
    > first.
    > Thanks anyway.
    > "Miha Pihler" <> wrote in message 
    > news:<#dqAHPUoEHA.3460@TK2MSFTNGP10.phx.gbl>...
    >> Hi Ben,
    >> Here is a Microsoft article that explains step-by-step how to move the CA
    >> service between the servers.
    >> How to move a certification authority to another server
    >> This process will keep all your issued and revoked certificate
    >> information, compared to the process that you describe where you get a
    >> whole new CA server.
    >> You can only have 1 (one) Enterprise Root CA server at a time. Any
    >> other Enterprise setup server can only be a subordinate CA server. This
    >> should also answer all the other questions related to this...
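The decommissioning sequence Shawn lays out (strip the old CA's templates, re-enroll from the new root, revoke what is left, publish a CRL) as an added example driven through certutil; this is not code from the thread or from Microsoft. The CA config string, the "Superseded" revocation reason (4) and the two-phase split are assumptions.

```powershell
# Added example (not from the thread): decommission an old CA the way Shawn describes.
# Assumed CA config string in "host\CA common name" form; adjust for your environment.
$OldCa = 'oldca.example.local\Example Old Root CA'

# Phase 1 (before the new root is installed): stop the old CA from issuing anything
# by removing every template from its "templates to issue" list. The CA stays online
# so it keeps publishing CRLs for the certs it already issued.
function Disable-OldCaIssuance {
    # -CATemplates prints lines like "WebServer: Web Server -- ..."; the last line
    # is certutil's own status message, which we skip.
    $templates = certutil -config $OldCa -CATemplates | ForEach-Object {
        if ($_ -match '^(\S+):' -and $_ -notmatch '^CertUtil:') { $Matches[1] }
    }
    foreach ($t in $templates) {
        # a leading "-" tells -SetCATemplates to remove that template from the list
        certutil -config $OldCa -SetCATemplates "-$t" | Out-Null
        Write-Host "Removed template $t from $OldCa"
    }
    return @($templates).Count
}

# Phase 2 (after everything has re-enrolled from the new CA): revoke every cert the
# old CA still has outstanding (Disposition 20 = issued), then publish a fresh CRL.
# Clients keep honouring the old certs until their cached CRL expires.
function Revoke-OldCaCerts {
    $csv = certutil -config $OldCa -view -restrict 'Disposition=20' `
        -out 'RequestID,SerialNumber' csv
    # first line is the column header certutil emits in csv mode
    $issued = $csv | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID, SerialNumber
    foreach ($row in $issued) {
        # reason 4 = Superseded (assumption; use what your policy requires)
        certutil -config $OldCa -revoke $row.SerialNumber 4 | Out-Null
        Write-Host "Revoked request $($row.RequestID) serial $($row.SerialNumber)"
    }
    certutil -config $OldCa -CRL | Out-Null
    # sanity check: nothing should remain in the issued state
    $left = certutil -config $OldCa -view -restrict 'Disposition=20' -out 'RequestID' csv
    return @($left | Select-Object -Skip 1).Count   # expect 0
}

# Run the phases separately, with the new root and re-enrollment in between:
#   Disable-OldCaIssuance
#   ... install the new Root CA, re-enroll machines/users ...
#   $remaining = Revoke-OldCaCerts
```

Run both functions on the old CA itself (or from a host with the CA administration tools and admin rights on that CA); phase 2 only after re-enrollment has finished, otherwise you revoke certs that are still in use.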
