
How to install a new Enterprise Root Certificate Authority to replace an old one?


Erik

Apr 22, 2004, 11:23:31 AM
Hello all,

We have an Enterprise Root Certificate Authority on an old W2k domain
controller that will be decommissioned and replaced with a new Windows
Server 2003 DC with a different name.

From what I've read on Google and on Microsoft there is no way of moving an
Enterprise Root CA to this new server (since apparently Enterprise CAs can't
be moved to a computer with a different name).

So, I've read in a post that I should uninstall the old CA and install a
NEW Root Enterprise CA on the new DC.

The question is if this is as easy as it sounds or if there are any hidden
pitfalls...? Obviously I'd like the transition to be as easy as possible
both for me and for the users.

Environment: We have a single native W2k AD domain in the process of
becoming a W2k3. Less than 50 clients. Our old CA has been used fairly
little:

* A couple of Code Signing certificates for signing only a few files (used
internally).

* A cert used for SSL/TLS to secure IMAP sessions to our mail server.

* In addition there are a few certificates that have been automatically created
(?) for each DC in the domain.

I'm planning on doing the following:

1. Revoke all certificates on the old CA (with the reason "Cease of
operation" as it says in the W2k documentation).

2. Should I then wait a week (the publication interval is 1 week) so that
the CRL (Certificate Revocation List) has expired on all clients? Is
this needed?

3. Then uninstall the CA on the old computer. How will this affect my
clients? (the use of the certs are described above).

4. Install a new Enterprise Root CA on the new DC.

5. Re-create the certificates and use the new ones for signing the files,
and for the SSL connection used at the mail server.

Is the order important when uninstalling the old and installing the new CA?
Or can I install the NEW CA now, before uninstalling the old??

Sorry for the long post but I wanted to include all the details!

/ Erik

Bob Qin [MSFT]

Apr 23, 2004, 2:55:03 AM
Hi Erik,

Thanks for your posting here.

To move a CA from Windows 2000 Server to Windows Server 2003, you can first
upgrade the CA server that is running Windows 2000 Server to Windows Server
2003, and then follow the steps that are outlined in this article.

298138 HOW TO: Move a Certification Authority to Another Server
http://support.microsoft.com/?id=298138

Have a nice day!

Regards,
Bob Qin
Product Support Services
Microsoft Corporation


Erik

Apr 23, 2004, 5:11:52 AM
Thanks for the reply,

Yes, I saw that KB article, but from what I read on Google it won't help me
because apparently an Enterprise CA cannot be moved to a server with a
different name. See the following post by David Cross [MS]
(dcr...@online.microsoft.com) in the thread "Migration of Certificate
Authority from Windows 2000 Server to Windows 2003 Server" in
microsoft.public.win2000.security from 2003-09-17.

> Unfortunately you cannot change the name of the CA if it is an enterprise
> CA.
> Hence, you will not be able to move it to a new machine with a different
> name nor a new DC. You are much better off installing a new CA and
> sunsetting the old one.

But of course, if David Cross' post is INCORRECT I can upgrade the old DC to
W2k3 and then transfer the Enterprise CA to the new DC, but I'd rather not
start doing this unless I know it will work.

But IF indeed Enterprise CAs cannot be moved to a different DC, my original
questions on exactly how to install a completely new Enterprise CA and
"sunset" the old one still hold (please see my original post).

/ Erik

"Bob Qin [MSFT]" <bob...@online.microsoft.com> wrote in message
news:N8Brq$PKEH...@cpmsftngxa10.phx.gbl...

Bob Qin [MSFT]

Apr 23, 2004, 6:04:29 AM
Hi Erik,

Yes, the new server must have the same name as the outdated server because
the server name information is part of the Authority Information Access
(AIA) and CRL distribution point paths of all previously issued
certificates. In addition, the database and log-file paths must be the same
on both the new and outdated servers.

You can try these steps.

1. Upgrade the Windows 2000 DC to Windows Server 2003.
2. Back up the Certification Authority keys and database.
3. Demote the Windows 2003 DC.
4. Install a new Windows 2003 DC using the original name and promote it to a DC.
5. Restore the Certification Authority keys and database.

Hope it helps.

Erik

Apr 23, 2004, 6:23:49 AM
Thanks again,

Sadly, that solution isn't really practical for me (I've already set up the
new DC with a different name and moved lots of stuff from the old DC to it,
and besides I don't want to keep the old name around! :=) ).

So back again to my original questions:

Can I install a second Root Enterprise CA in the domain in parallel with the
old CA?
Or must I uninstall the first CA first?

And in both cases, how does it affect my clients, or rather, how do I make
the impact as small as possible? (These questions are elaborated on in
my original post in this thread).

/ Erik

"Bob Qin [MSFT]" <bob...@online.microsoft.com> wrote in message
news:zRN%23jpRK...@cpmsftngxa10.phx.gbl...

Brian Komar

Apr 24, 2004, 5:15:27 PM
Answers inline...
Brian

In article <uH94S0RK...@TK2MSFTNGP11.phx.gbl>,
umetr...@umetrics.com says...


> Thanks again,
>
> Sadly, that solution isn't really practical for me (I've already set up the
> new DC with a different name and moved lots of stuff from the old DC to it,
> and besides I don't want to keep the old name around! :=) ).
>
> So back again to my original questions:
>
> Can I install a second Root Enterprise CA in the domain in parallel with the
> old CA?

Yes, this is just another root CA in the organization, that will use the
same certificate templates available in the Configuration naming
context. When you install the new root CA, information will be added to
the AIA, CDP and Certificate Services containers in the following
location:
CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomainLDAPName

> Or must I uninstall the first CA first?

The order does not really matter except that you should clean the old CA
references out of the Configuration NC. What I recommend is to use the
PKI Health Tool from the 2003 Resource Kit (pkiview.msc). You can then
view each container, and delete the old certs and CRLs from the
Configuration NC.

>
> And in both cases, how does it affect my clients, or rather, how do I make
> the impact as small as possible? (These questions are elaborated on in
> my original post in this thread).
>

The impact will be that all old certs are dead/gone/toast. You should
plan for the immediate deployment of required certificates. Once you
uninstall or remove the old CA, all certificate validation will break
down at the next CRL publish interval for the old CA.


> / Erik
>
<snip>
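Brian's advice is to inspect the AIA, CDP, Certification Authorities and Enrollment Services containers and remove what still points at the old CA. The script below is an added example, not code from the thread or from pkiview.msc: it lists every object under CN=Public Key Services, flags the ones tied to the old CA by name or certificate subject, and only previews their removal with -WhatIf. It assumes the ActiveDirectory (RSAT) module and read access to the Configuration partition; $OldCaName is a placeholder for the common name of the CA being retired.

```powershell
# Added example, not from the thread: audit the CN=Public Key Services
# containers Brian refers to and flag the objects that belong to the CA being
# retired, the same view pkiview.msc gives. Nothing is deleted: the removal
# line runs with -WhatIf. Assumes the ActiveDirectory (RSAT) module and read
# access to the Configuration partition. $OldCaName is a placeholder.
param([string]$OldCaName = 'OLD-ROOT-CA')

Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# AIA and CDP hold the CA certificates and CRLs clients fetch over LDAP,
# Certification Authorities feeds the domain's trusted root list and
# Enrollment Services is what clients query to locate an enterprise CA.
$containers = 'CN=AIA', 'CN=CDP', 'CN=Certification Authorities', 'CN=Enrollment Services'

$objects = foreach ($c in $containers) {
    $base = "$c,$pks"
    Get-ADObject -SearchBase $base -SearchScope Subtree -LDAPFilter '(objectClass=*)' `
                 -Properties cACertificate, certificateRevocationList |
        Where-Object { $_.DistinguishedName -ne $base } |
        ForEach-Object {
            $subject = ''
            if ($_.cACertificate) {
                # cACertificate is multi-valued DER; decode the first one for its subject.
                $raw     = [byte[]]$_.cACertificate[0]
                $cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
                $subject = $cert.Subject
            }
            [pscustomobject]@{
                Container = $c
                Name      = $_.Name
                HasCRL    = [bool]$_.certificateRevocationList
                CASubject = $subject
                IsOldCA   = ($_.Name -like "*$OldCaName*") -or ($subject -like "*CN=$OldCaName*")
                DN        = $_.DistinguishedName
            }
        }
}

$objects | Format-Table Container, Name, IsOldCA, HasCRL, CASubject -AutoSize

# Preview removal of the old CA's entries, deepest objects first so that
# children go before their parent container. Drop -WhatIf only after the
# replacement certificates are deployed and the old CA is truly retired.
$objects | Where-Object IsOldCA | Sort-Object { $_.DN.Length } -Descending |
    ForEach-Object { Remove-ADObject -Identity $_.DN -Confirm:$false -WhatIf }
```

Entries under CN=CDP are keyed by the CA server's host name rather than the CA name, so if the two differ, check that container by hand before trusting the IsOldCA flag.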

Brian Komar

Apr 24, 2004, 5:21:18 PM
Erik,

Along with my other response some more answers inline.

Brian
<snip>


>
> From what I've read on Google and on Microsoft there is no way of moving an
> Enterprise Root CA to this new server (since apparently Enterprise CAs can't
> be moved to a computer with a different name).
>
>

Not with a new name...

>
> So, I've read in a post that I should uninstall the old CA and install a
> NEW Root Enterprise CA on the new DC.
>

I would not recommend installing a CA on a DC at any time. It is better
to use a dedicated machine for the CA.


>
> The question is if this is as easy as it sounds or if there are any hidden
> pitfalls...? Obviously I'd like the transition to be as easy as possible
> both for me and for the users.
>
>

The biggest issue will be the need to redeploy all certs. The old certs
are gone once you remove the old CA, as there will be no updated CRLs.


>
> Environment: We have a single native W2k AD domain in the process of
> becoming a W2k3. Less than 50 clients. Our old CA has been used fairly
> little:
>
>
>
> * A couple of Code Signing certificates for signing only a few files (used
> internally).
>

You will have to resign the files with a new valid cert.

> * A cert used for SSL/TLS to secure IMAP sessions to our mail server.
>

Need a new cert here.

> * In addition there are a few certificates that have been automatically created
> (?) for each DC in the domain.
>
>

Ditto on these ones.


>
> I'm planning on doing the following:
>
>
>
> 1. Revoke all certificates on the old CA (with the reason "Cease of
> operation" as it says in the W2k documentation).
>

That is fine, but to be honest, once you remove the old CA, the certs
will fail revocation checking at the next CRL publication, as a current
CRL will no longer be available.

> 2. Should I then wait a week (the publication interval is 1 week) so
> that the CRL (Certificate Revocation List) has expired on all
> clients? Is this needed?

Once you remove the CA, the certs can no longer be verified. You really
do not have to wait the week...

> 3. Then uninstall the CA on the old computer. How will this affect my
> clients? (the use of the certs are described above).

As I said earlier, once you remove the CA, there are no more updates to
the CRL, so all CRL checking will fail.

> 4. Install a new Enterprise Root CA on the new DC.

You can even do this beforehand. I would probably recommend setting
this up beforehand, and getting the replacement certificates deployed.
This will result in a smoother transition.

> 5. Re-create the certificates and use the new ones for signing the
> files, and for the SSL connection used at the mail server.

You do not have to re-create any certificate templates. Certificate
templates are a forest-wide object, not tied to a specific enterprise
CA.

Brian
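Brian's point throughout is that every certificate chaining to the old CA stops validating once its CRL goes stale, so the replacement list has to be known up front. The script below is an added example, not code from the thread: run on each host (the mail server, the DCs, the code-signing workstation) it lists the certificates issued by the old CA, maps their EKUs to the three uses Erik describes, and builds each chain with online revocation checking so the failure Brian predicts shows up as a chain status rather than a surprise. $OldCaName is a placeholder for the retiring CA's common name.

```powershell
# Added example, not from the thread: inventory the certificates on this host
# that were issued by the CA being retired and build each chain with online
# revocation checking, which is exactly what will start failing once the old
# CA stops publishing CRLs. Run it on the mail server, the DCs and the code
# signing workstation to get Brian's redeployment list. $OldCaName is a placeholder.
param([string]$OldCaName = 'OLD-ROOT-CA')

# The EKUs that correspond to the three uses Erik lists.
$purposeByOid = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication (IMAP over TLS)'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication (DC auto-enrolled)'
    '1.3.6.1.5.5.7.3.3' = 'Code Signing'
}

function Get-OldCaCertificate {
    param([string]$IssuerCN)
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        Get-ChildItem $store | Where-Object { $_.Issuer -like "*CN=$IssuerCN*" } | ForEach-Object {
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            $chain.ChainPolicy.RevocationMode = 'Online'
            $built = $chain.Build($_)
            # ChainStatus is empty when Build succeeds; otherwise it lists why
            # (RevocationStatusUnknown/OfflineRevocation once the CRL is stale).
            $status = if ($built) { 'Valid' } else { ($chain.ChainStatus.Status -join ', ') }
            $oids   = @($_.EnhancedKeyUsageList.ObjectId)
            $uses   = @($oids | ForEach-Object { $purposeByOid[$_] } | Where-Object { $_ })
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Purpose    = if ($uses) { $uses -join '; ' } else { ($oids -join ', ') }
                Chain      = $status
            }
        }
    }
}

Get-OldCaCertificate -IssuerCN $OldCaName |
    Format-Table Store, Subject, Purpose, Chain, NotAfter -AutoSize
```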

Erik

Apr 27, 2004, 10:28:22 AM
Thanks Brian, your post made things a lot clearer for me,

I have now installed the new CA and deployed most of the new certificates.
All is going well. Thanks again!

/ Erik


"Brian Komar" <bko...@nospam.komarconsulting.com> wrote in message
news:MPG.1af4964bf...@msnews.microsoft.com...

Bob Qin [MSFT]

Apr 29, 2004, 8:22:26 AM
Thanks for your input!