Re: Root CA issuing CA



In article <1161842555.933079.281340@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, in
the microsoft.public.windows.server.security news group,
<g18c@xxxxxxxxxxx> says...

Hi, quick question on CAs (again!).

Say for argument's sake I have an offline root CA (rootca.domain.local),
and a subordinate issuing CA (called subca1.domain.local). I then issue
certificates through the subordinate CA to client computers. At some
point in the future I am forced to retire the subordinate CA and bring
in a new subordinate CA with a different name (called
newsubca.domain.local); will the certificates issued by the original
subordinate CA become invalid?

No, the certificates won't automatically become invalid. However, you
need to make sure that the following steps are taken:

1. The CDP and AIA URLs embedded in the issued certificates still need
to be available. Frequently these are HTTP URLs that are located on the
issuing CA, so that may be a concern. This can be worked around by
moving the CRL and AIA data to another server using the same path to
the files and then setting up a DNS CNAME record with the current
server name resolving to the new server.
2. You'll need to maintain the current CRL until such time as all of
the current certificates have either expired, or are otherwise
replaced. This will require you to keep a copy of the current CA's
certificate and private key and you'll need to use the certutil command
to manually sign the CRL and republish it when required.

Will the issued certificates contain the machine name of the issuing
computer? If so, I won't be able to transfer to a different computer
name.

You can't transfer anything from one CA to another if the computer name
changes.

This whole thing will be far easier to manage if you can reuse the
existing computer name for the new CA. In that case, you can simply
backup the old CA database, certificate, private key, and registry data
and then restore them all onto the new CA. Failing that, the next
easiest solution would be to leave the old CA up and running, but don't
allow it to issue any new certificates. Issue all new certificates from
the new CA. Once all of the current certificates from the old CA are
either expired or revoked, then you can take down the old CA.

--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld
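An added example, not part of the post above: a stdlib-only Python routine that pulls the CDP and AIA URLs out of a certificate's extensions, so you can list which hostnames must keep resolving (the CNAME approach described above) until the last certificate from the old CA has expired or been replaced. The sample extensions block is constructed here for subca1.domain.local; the /CertEnroll/ paths are an assumption.

```python
CDP_OID = bytes.fromhex("551d1f")            # 2.5.29.31         cRLDistributionPoints
AIA_OID = bytes.fromhex("2b06010505070101")  # 1.3.6.1.5.5.7.1.1 authorityInfoAccess

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _walk(buf):
    """Depth-first over every DER element, recursing into constructed ones."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value
        if tag & 0x20:
            yield from _walk(value)

def extract_urls(der):
    """All URLs in the CDP and AIA extensions of a DER cert (or just its Extensions)."""
    found, pending = {"cdp": [], "aia": []}, None
    for tag, value in _walk(der):
        if tag == 0x06:                      # extnID OBJECT IDENTIFIER
            pending = {CDP_OID: "cdp", AIA_OID: "aia"}.get(value)
        elif tag == 0x04 and pending:        # extnValue OCTET STRING wraps more DER
            for t, v in _walk(value):
                if t == 0x86:                # GeneralName [6] uniformResourceIdentifier
                    found[pending].append(v.decode("ascii"))
            pending = None
    return found

def hosts_to_keep_alive(der):
    """Hostnames the embedded http/ldap URLs depend on; each must keep resolving."""
    return sorted({u.split("/")[2] for lst in extract_urls(der).values() for u in lst} - {""})

def _tlv(tag, content):
    """DER-encode one element (the constructed sample stays under 256 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + content

def sample_extensions():
    """Constructed sample: Extensions of a cert issued by subca1.domain.local (assumed paths)."""
    crl = _tlv(0x86, b"http://subca1.domain.local/CertEnroll/subca1.crl")
    cdp = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0xA0, crl))))    # DistributionPoint/fullName
    issuer = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010505073002"))   # id-ad-caIssuers
                  + _tlv(0x86, b"http://subca1.domain.local/CertEnroll/subca1.crt"))
    return _tlv(0x30, _tlv(0x30, _tlv(0x06, CDP_OID) + _tlv(0x04, cdp))
                + _tlv(0x30, _tlv(0x06, AIA_OID) + _tlv(0x04, _tlv(0x30, issuer))))
```

Every hostname the function returns is one that must still resolve after the old CA is retired, whether by moving the files and adding the CNAME or by keeping the old server online.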
