Re: Move certificate authority
From: Ben Woskje (verukins_at_hotmail.com)
Date: 26 Sep 2004 04:24:28 -0700
Thanks very much for your clarification, will be trying it
early this week hopefully.
"Shawn Corey [MSFT]" <firstname.lastname@example.org> wrote in message news:<#dQuoUdoEHA.email@example.com>...
> You can keep the current Root CA you have online and just install a new one.
> If you are not migrating, as in not keeping the same
> servername/cert/key/database, then a new CA name is HIGHLY recommended, you
> could probably use the same name but there are a lot of potential gotchas
> from doing this. A client having 2 certs from different CAs that are
> identical except for the CA that issued them is perfectly fine.
> The easiest way to smooth the transition is to remove all templates from the
> old CA's list of templates to issue so it will not issue any certificates,
> this will let you keep it online so it will publish CRLs. After the new Root
> is installed just re-enroll all necessary machines/users for certs from the
> new CA. After all the new certs have been issued then revoke the certs from
> the old CA, publish a new CRL and everything should be all good :). It may
> take a while for all the revoked certs from the old CA to show up as revoked
> because of CRL caching and such but after the cached CRL expires then all of
> the old certs should no longer be valid.
> As for your fourth question about cleaning up; if you use the PKI Health
> tool from the ResKit you can remove the pieces in your AD that the old CA
> will leave behind, it leaves behind its cert and the last CRL published to
> allow clients to use their certs till they expire if they were not revoked.
> These pieces are usually very small, only a few Kbytes, and should have no
> effect on your new CA hierarchy.
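
The CRL caching delay mentioned in the quoted reply, as an added example that is not part of the original thread: a simplified Python model of a client that keeps using its cached CRL until that CRL's next-update time passes. The class names, the serial number, the start date and the 7-day CRL validity are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CRL:
    this_update: datetime
    next_update: datetime
    revoked: frozenset

class OldCA:
    """Simplified old CA: kept online, issues nothing, only publishes CRLs."""
    def __init__(self, validity):
        self.validity, self.revoked = validity, set()
    def revoke(self, serial):
        self.revoked.add(serial)
    def publish(self, now):
        return CRL(now, now + self.validity, frozenset(self.revoked))

class Client:
    """Relying party that reuses its cached CRL until next_update passes."""
    def __init__(self):
        self.cached = None
    def accepts(self, serial, now, published):
        if self.cached is None or now >= self.cached.next_update:
            self.cached = published  # cache expired: fetch the CA's current CRL
        return serial not in self.cached.revoked

def simulate(validity_days=7, revoke_day=1, check_days=(0, 1, 6, 7, 8)):
    """Return {day: accepted?} for one old-CA certificate as seen by one client."""
    t0 = datetime(2004, 9, 20)  # constructed start date
    ca, client = OldCA(timedelta(days=validity_days)), Client()
    current = ca.publish(t0)
    results = {}
    for day in range(max(check_days) + 1):
        now = t0 + timedelta(days=day)
        if day == revoke_day:
            ca.revoke("OLD-0001")      # constructed serial number
            current = ca.publish(now)  # new CRL published right after revoking
        elif now >= current.next_update:
            current = ca.publish(now)  # routine republication
        if day in check_days:
            results[day] = client.accepts("OLD-0001", now, current)
    return results

if __name__ == "__main__":
    for day, ok in simulate().items():
        print(f"day {day}: {'accepted' if ok else 'rejected (revoked)'}")
```

In this model the longest a revoked certificate can still be accepted equals the validity period of the last CRL a client fetched before the revocation, so the old CA's CRL publication interval bounds the transition window.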