
Moving Enterprise Root CA


Richard Gadsden
Mar 22, 2007, 11:05:43 AM
I have an enterprise root CA on a Windows Server 2003 Standard Edition
server.

I have (finally) got the budget to put Windows Server 2003 Enterprise
Edition in, but it will have to be on another server - and the previous
server cannot be taken out of service or renamed.

I'm trying to think through my options to migrate it. What seems to
make sense to me is:

1. Export the Root CA certificate

2. Set up a Stand-Alone Root CA using the exported certificate - on a
server that can then be taken offline (probably a virtual one, unless
someone has a good reason that a root CA can't be on a virtual server).

3. Create a new Subordinate Enterprise CA on the new Enterprise Edition
server, subordinated from the new Root CA

4. Take the new Root CA off-line

5. Remove the old Enterprise Root CA and tell the domain to use the new
Subordinate Enterprise CA

Does that make sense, and are there any tricks I'm missing?

--
Richard Gadsden richard...@cobbetts.co.uk
Nothing in this message is, or should be taken to be, representative
of the views of Cobbetts LLP

Ray
Mar 22, 2007, 3:49:29 PM
Everything should be OK if you keep the name of the new server the same as
that of the old server.

--
Ray

MCSE+Internet, MCDBA, MCP

"Richard Gadsden" <richard...@cobbetts.co.uk> wrote in message
news:%23RzqROJ...@TK2MSFTNGP06.phx.gbl...

Richard Gadsden
Mar 27, 2007, 8:10:45 AM
Ray wrote:
>"Richard Gadsden" <richard...@cobbetts.co.uk> wrote in message news:%23RzqROJ...@TK2MSFTNGP06.phx.gbl...
>> I have an enterprise root CA on a Windows Server 2003 Standard Edition server.
>>
>> I have (finally) got the budget to put Windows Server 2003 Enterprise Edition in, but it will have to be on another server - and the previous server cannot be taken out of service or renamed.
>>
>> I'm trying to think through my options to migrate it. What seems to make sense to me is:
>>
>> 1. Export the Root CA certificate
>>
>> 2. Set up a Stand-Alone Root CA using the exported certificate - on a server that can then be taken offline (probably a virtual one, unless someone has a good reason that a root CA can't be on a virtual server).
>>
>> 3. Create a new Subordinate Enterprise CA on the new Enterprise Edition server, subordinated from the new Root CA
>>
>> 4. Take the new Root CA off-line
>>
>> 5. Remove the old Enterprise Root CA and tell the domain to use the new Subordinate Enterprise CA
>>
>> Does that make sense, and are there any tricks I'm missing?
>
> Everything should be OK if you keep the name of new server same as that
> of old server

I can't rename the old server, so the new server will have to have a
different name.

Ray
Mar 27, 2007, 10:14:51 AM
Then you will have trouble moving the CA.

--
Ray

MCSE+Internet, MCDBA, MCP

"Richard Gadsden" <richard...@cobbetts.co.uk> wrote in message
news:esFH0jGc...@TK2MSFTNGP06.phx.gbl...

Brian Komar [MVP]
Mar 27, 2007, 3:24:46 PM
In article <esFH0jGc...@TK2MSFTNGP06.phx.gbl>,
richard...@cobbetts.co.uk says...

> Ray wrote:
> >"Richard Gadsden" <richard...@cobbetts.co.uk> wrote in message news:%23RzqROJ...@TK2MSFTNGP06.phx.gbl...
> >> I have an enterprise root CA on a Windows Server 2003 Standard Edition server.
> >>
> >> I have (finally) got the budget to put Windows Server 2003 Enterprise Edition in, but it will have to be on another server - and the previous server cannot be taken out of service or renamed.
> >>
> >> I'm trying to think through my options to migrate it. What seems to make sense to me is:
> >>
> >> 1. Export the Root CA certificate
> >>
> >> 2. Set up a Stand-Alone Root CA using the exported certificate - on a server that can then be taken offline (probably a virtual one, unless someone has a good reason that a root CA can't be on a virtual server).
> >>
> >> 3. Create a new Subordinate Enterprise CA on the new Enterprise Edition server, subordinated from the new Root CA
> >>
> >> 4. Take the new Root CA off-line
> >>
> >> 5. Remove the old Enterprise Root CA and tell the domain to use the new Subordinate Enterprise CA
> >>
> >> Does that make sense, and are there any tricks I'm missing?
> >
> > Everything should be OK if you keep the name of new server same as that
> > of old server
>
> I can't rename the old server, so the new server will have to have a
> different name.
>
>
You must decommission the old server, build the new
server using the new name, recover the CA, and then
redeploy the old server using the name that you want.

Brian

Richard Gadsden
Mar 29, 2007, 9:09:17 AM

Sorry, Brian, I can't do that. (fx: turns off HAL voice).

Really, I can't. Is this really impossible?

The old server is my primary file server, which I stuck the CA on as an
afterthought. If this really is impossible, then can I just decommission
the CA and build a completely new one? I guess that would invalidate
all the certificates, but I could live with that.

Brian Komar [MVP]
Mar 29, 2007, 9:20:04 AM
In article <e0QA2Ngc...@TK2MSFTNGP03.phx.gbl>,
richard...@cobbetts.co.uk says...
This is why it is important to *read* the first screen
that appears when you install Certificate Services: "You
cannot change the name or the domain membership of the
computer on which you install the enterprise CA".

I hope that you do not have too many certificates
issued. What I recommend is to keep the CA on the
original box, but remove all certificate templates. In
this configuration, you can still maintain the previous
certificates, publish CRLs, and revoke certificates if
necessary, but all future certificates are issued by the
*new* CA that you build.

When the final certificate issued by the old CA expires,
you can then safely decommission the old CA.

This is a much smoother and less troublesome migration.

Brian
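The "freeze the old CA" approach Brian describes, written out as certutil commands in an added PowerShell example (this is not code from the thread, from Brian, or from Microsoft documentation). It assumes a host with PowerShell and certutil.exe on PATH (PowerShell did not ship with Server 2003, so the same certutil calls can be typed into cmd.exe instead); the CA config string and the revocation serial number are placeholders, and the CSV column names are assumed to be certutil's display names for the requested fields.

```powershell
# Added example: stop the old enterprise CA from issuing anything new while it
# keeps publishing CRLs and can still revoke, then report when its last live
# certificate expires so you know when it can be decommissioned.
# Assumes certutil.exe on PATH; $CaConfig is a placeholder, not from the thread.
$CaConfig = 'OLDFILESERVER\Old Enterprise Root CA'

# -CATemplates prints one "Name: Display Name -- ..." line per enabled template
# (plus a trailing "CertUtil: ... completed" line, which is filtered out).
function Get-EnabledTemplates {
    certutil -config $CaConfig -CATemplates |
        ForEach-Object {
            if ($_ -match '^(\S+):' -and $_ -notmatch '^CertUtil:') { $Matches[1] }
        }
}

# 1. Record what the CA currently offers, then remove every template.
#    -SetCATemplates takes "-Name" to remove a template and "+Name" to add one.
$before = @(Get-EnabledTemplates)
"Templates enabled before: $($before -join ', ')"
foreach ($t in $before) {
    certutil -config $CaConfig -SetCATemplates "-$t" | Out-Null
}

# 2. Confirm nothing is left; enrolment requests against this CA now fail
#    because no template is offered, while existing certificates stay valid.
$after = @(Get-EnabledTemplates)
if ($after.Count -ne 0) { throw "Templates still enabled: $($after -join ', ')" }

# 3. Publish a fresh CRL so relying parties keep validating existing certificates.
certutil -config $CaConfig -CRL | Out-Null

# 4. Revocation still works on the frozen CA when it is needed
#    (serial number is a placeholder; reason code 1 = key compromise):
#    certutil -config $CaConfig -revoke 1a2b3c4d 1

# 5. List issued, unrevoked certificates (Disposition 20 = issued) and find the
#    latest expiry. The CSV header names are assumed to match certutil's display
#    names for the -out fields.
$issued = @(certutil -config $CaConfig -view -restrict 'Disposition=20' `
                -out 'RequestID,CertificateTemplate,NotAfter' csv | ConvertFrom-Csv)
$last = $issued |
    Sort-Object { [datetime]$_.'Certificate Expiration Date' } |
    Select-Object -Last 1
"Issued and still valid: $($issued.Count); last expiry: $($last.'Certificate Expiration Date')"
```

Run it once after the new enterprise subordinate CA is issuing, re-run step 5 periodically, and decommission the old CA only after that last expiry date has passed and a final CRL has been published.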
