Re: Move certificate authority

From: Ben Woskje (
Date: 09/26/04

Date: 26 Sep 2004 04:24:28 -0700

Hey Shawn,
Thanks very much for your clarification, will be trying it
early this week hopefully.

"Shawn Corey [MSFT]" <> wrote in message news:<#dQuoUdoEHA.648@tk2msftngp13.phx.gbl>...
> You can keep the current Root CA you have online and just install a new one.
> If you are not migrating, as in not keeping the same
> servername/cert/key/database, then a new CA name is HIGHLY recommended, you
> could probably use the same name but there are a lot of potential gotchas
> from doing this. A client having 2 certs from different CAs that are
> identical except for the CA that issued them is perfectly fine.
> The easiest way to smooth the transition is to remove all templates from the
> old CA's list of templates to issue so it will not issue any certificates,
> this will let you keep it online so it will publish CRLs. After the new Root
> is installed just re-enroll all necessary machines/users for certs from the
> new CA. After all the new certs have been issued then revoke the certs from
> the old CA, publish a new CRL and everything should be all good :). It may
> take a while for all the revoked certs from the old CA to show up as revoked
> because of CRL caching and such but after the cached CRL expires then all of
> the old certs should no longer be valid.
> As for your fourth question about cleaning up; if you use the PKI Health
> tool from the ResKit you can remove the pieces in your AD that the old CA
> will leave behind, it leaves behind its cert and the last CRL published to
> allow clients to use their certs till they expire if they were not revoked.
> These pieces are usually very small, only a few Kbytes, and should have no
> effect on your new CA hierarchy.
> --
> Thanks,
> Shawn
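The two-phase transition Shawn describes (stop the old CA issuing but keep it publishing CRLs, then revoke its certs once re-enrollment is done), as an added PowerShell/certutil example that is not part of the original thread. The CA config string `OLDCA\Old Root CA` is a placeholder; the script assumes it runs elevated on a machine that can reach the old CA with certutil.

```powershell
# Added example (not from the thread). Placeholder CA config string; adjust.
param(
    [string]$OldCaConfig = 'OLDCA\Old Root CA',
    [switch]$RevokeIssued   # phase 2: run only after every client holds a new-CA cert
)

if (-not $RevokeIssued) {
    # Phase 1: remove every template from the old CA's "to issue" list so it
    # cannot issue anything new, but leave the service online to publish CRLs.
    $templates = certutil -config $OldCaConfig -catemplates |
        Where-Object { $_ -match '^([A-Za-z0-9]+):' -and $Matches[1] -ne 'CertUtil' } |
        ForEach-Object { $Matches[1] }
    foreach ($t in $templates) {
        Write-Host "Removing template $t from $OldCaConfig"
        certutil -config $OldCaConfig -SetCATemplates "-$t" | Out-Null
    }
    Write-Host "Templates still offered:"
    certutil -config $OldCaConfig -catemplates
}
else {
    # Phase 2: revoke every certificate the old CA ever issued
    # (Disposition=20 means "issued"); reason 4 = superseded.
    $rows = certutil -config $OldCaConfig -view -restrict 'Disposition=20' `
                -out 'SerialNumber' csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $serial = ($row.PSObject.Properties | Select-Object -First 1).Value
        Write-Host "Revoking serial $serial"
        certutil -config $OldCaConfig -revoke $serial 4 | Out-Null
    }
    # Publish a fresh CRL so the revocations become visible to clients.
    certutil -config $OldCaConfig -crl
    # Clients keep using a cached CRL until its NextUpdate passes, so show the
    # old CA's CRL period: that is roughly how long the old certs stay "valid".
    certutil -config $OldCaConfig -getreg 'CA\CRLPeriodUnits'
    certutil -config $OldCaConfig -getreg 'CA\CRLPeriod'
}
```

Run once without the switch to do phase 1, then again with `-RevokeIssued` after the new root has re-issued all certs; keep the old CA online until the CRL period shown at the end has elapsed.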
