Re: Demote Root CA to subordinate - lose existing certs?



Answers inline...
"CH" <CH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:B9EED903-AA21-468E-9018-81F7C63AC8A1@xxxxxxxxxxxxxxxx
> Thank you Brian.
>
> What's the correct sequence to follow? Do I :
> 1. Uninstall CS on the "root-to-be-demoted", then
> 2. Reinstall CS on same machine, selecting as an EntSubCA, then
> 3. Run "certutil -dcinfo deleteall" ?

This would be the correct order.

> Or do I run the deleteall before uninstalling CS?

Nope, since this instigates a re-enrollment. Wait until you have your subca available.

> Can I control which CA will issue the new DC certs?

You should publish the Domain Controller and Domain Controller Authentication certs at the subCA only.

> I'd prefer they come off the new SubCA, rather than the single RootCA that
> is to remain (i.e. subs do all the issuing).

Following best practices, the root CA would be an offline, standalone CA and would never be on the network to issue DC certs.

> Thanks again,
> Cam


"Brian Komar (MVP)" wrote:

You will have to reinstall and replace the DC certificates.
But, this is easy.
certutil -dcinfo deletebad
(after the last CRL is expired)
Alternatively, run "certutil -dcinfo deleteall"
This will cause all DCs in the domain to replace their DC cert with an
updated certificate
Brian

"CH" <CH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C1593307-FF0A-4801-BF17-F6B344FA26EF@xxxxxxxxxxxxxxxx
> With my limited understanding of Certificate Services (until now - hopefully
> I'm learning!), I realize that sometime in the past I have created multiple
> Enterprise Root CAs in the organisation. I have now read that this is OK,
> but not desirable.
>
> I'd like now to demote one rootCA back to an Ent Subordinate CA and retain a
> single RootCA, and I'm guessing this is going to involve uninstalling CertSvc
> and reinstalling on the machine being "demoted".
>
> My big concern is the existing certs that have already been issued by that
> CA - apart from its own, it has issued Dom Controller certs for another 4
> DCs.
>
> How best can I handle this?
> Can I uninstall/reinstall CertSvc without affecting the DCs who have certs
> issued by this machine?
>
> Any help would be much appreciated,
> Cam
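A check that follows from the exchange above, added here as an example and not part of the original thread or of anything Brian or Cam posted: before and after running "certutil -dcinfo deleteall", inventory the DC's machine-store authentication certificates and group them by issuer, so you can confirm the replacements came from the subordinate CA and not from the root that remains. The two CA names are placeholder parameters (not values from the thread); run it on each DC, or wrap it in Invoke-Command against your DC list.

```powershell
# Added example (not from the thread). Lists machine certs that carry the
# Server Authentication EKU (present on Domain Controller / Domain Controller
# Authentication certs) and reports how many were issued by the demoted root
# versus the new subordinate CA. CA names below are placeholders.
param(
    [string]$OldCaName = 'OLD-ROOT-CA-PLACEHOLDER',
    [string]$NewCaName = 'NEW-SUB-CA-PLACEHOLDER'
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
# V1 templates (e.g. Domain Controller) use 1.3.6.1.4.1.311.20.2,
# V2+ templates (e.g. Domain Controller Authentication) use 1.3.6.1.4.1.311.21.7
$TemplateOids  = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-DcAuthCert {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid } |
        ForEach-Object {
            $tmpl = $_.Extensions |
                Where-Object { $TemplateOids -contains $_.Oid.Value } |
                Select-Object -First 1
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
                Template   = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
            }
        }
}

$certs       = @(Get-DcAuthCert)
$fromOldRoot = @($certs | Where-Object { $_.Issuer -like "*CN=$OldCaName*" })
$fromNewSub  = @($certs | Where-Object { $_.Issuer -like "*CN=$NewCaName*" })

"DC auth certs on $env:COMPUTERNAME : $($certs.Count) total"
"  still issued by demoted root '$OldCaName' : $($fromOldRoot.Count)"
"  issued by subordinate CA '$NewCaName'     : $($fromNewSub.Count)"
$certs | Format-Table Subject, Issuer, NotAfter, Template -AutoSize

# After deleteall, a DC that still shows only old-root certs and nothing from
# the sub CA has not re-enrolled: check that the DC templates are published
# on the subordinate CA only, as the reply above recommends.
if ($fromOldRoot.Count -gt 0 -and $fromNewSub.Count -eq 0) {
    Write-Warning "No certificate from '$NewCaName' yet on $env:COMPUTERNAME."
}
```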





