Active Directory Certificate Services (Network Steve Forum)
Hi Guys, I have a customer who has a Windows Server 2003 Certificate Authority. There is a root server and one issuing server; both run Windows Server 2003 Standard Edition. I want to put in a more secure and scalable PKI infrastructure. They want to primarily use the CA for computer certificates for a wireless network. Looking on their system today, they also have EFS, Domain Controller, IPSEC and Web certs (Lync and Exchange). My planned implementation is to have Windows Server 2008 R2 Datacenter (as they are licensed for it) implemented in the following fashion:

- RootCA (Standalone, 10 Years, 2048 key, Offline)
- Issuing01 (Enterprise, 5 Years, 1024 Key, Online, CRL) - For User Certs
- Issuing02 (Enterprise, 5 Years, 1024 Key, Online, CRL) - For Computer Certs

How would I go about going from the Windows Server 2003 hierarchy to the new hierarchy? I assume I would backup and restore somehow, but my current Root CA is Enterprise and Online. I want the new Root CA to be standalone and offline. Also, I assume I would need to keep the server names the same? Any help would be appreciated!
April 8th, 2012 11:16am

It seems like you want to replace an existing PKI with a new PKI in the same domain. If so, you might find these two articles of assistance:

http://blogs.technet.com/b/askds/archive/2010/08/23/moving-your-organization-from-a-single-microsoft-ca-to-a-microsoft-recommended-pki.aspx
http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx

I think you can safely go for a root certificate validity period of 20 years and an issuing certificate validity period of 10 years or more, but it depends on the policies for the PKI. The key length for the issuing CAs could also probably be 2048, again unless there are specific policy reasons why a 2048 bit key length cannot be used. Steve G
April 8th, 2012 11:31am

Thanks for that. I was going to go with the below procedure. What do you think?

1. Backup current Windows Server 2003 PKI Infrastructure.
2. Analyse current Windows Server 2003 PKI Infrastructure and document current certificate uses (include a list of certificates that can be revoked).
3. Install 3 x Windows Server 2008 R2 SP1 Datacentre Edition onto existing Virtual Infrastructure with all Operating System patches.
4. Configure new Root CA Server with Active Directory Certificate Services in Standalone mode.
5. Configure new Root CA with a Certificate Key length of 4096 and validity of 20 years.
6. Export Trusted Root Certificate for Enterprise Servers and Clients to use.
7. Import Trusted Root Certificate onto new Issuing Certificate Servers.
8. Configure 2 x new Issuing Certificate Servers in Enterprise Mode.
9. Configure new Issuing CAs with a Certificate Key length of 2048 and validity of 10 years.
10. Disable AutoEnrollment on Issuing CAs.
11. Create new AIA and CDP Distribution points for new PKI.
12. Remove Certificate Templates from Windows Server 2003.
13. Stop and Disable Certificate Services on Root and Issuing CA Servers in the existing Windows Server 2003 environment.
14. Enable AutoEnrollment on Windows Server 2008 Issuing CAs.
15. Re-enrol certificate holders for templates (this will reissue automatically enrolled certificates).
16. Manually update existing certificates that were manually requested (eg Exchange, Lync and OCS).
17. Configure Certificate Revocation Lists on Issuing Servers.
April 8th, 2012 12:25pm
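As an added example, not one of the steps the poster wrote, here is how the root CA part of that plan (standalone, offline, 4096-bit key, 20-year validity, 10-year issuing CA certificates) would be pinned down on the Windows Server 2008 R2 root with a CAPolicy.inf and certutil, followed by a check of the result. The HTTP host pki.example.com and the local paths are assumed placeholders for the customer's own AIA/CDP locations.

```powershell
# Added example (not the thread's own steps): offline standalone root CA per the
# plan above: 4096-bit key, 20-year validity, issuing CA certs valid 10 years.
# Run in an elevated PowerShell on the root CA; pki.example.com is a placeholder.
# --- Step 1: CAPolicy.inf must exist in %SystemRoot% BEFORE AD CS is installed.
# Single-quoted here-string so "$Windows NT$" is written literally.
$caPolicy = @'
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; The root is offline: publish its CRL once a year, no delta CRLs
CRLPeriod=Years
CRLPeriodUnits=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; Standalone root: do not load the default templates
LoadDefaultTemplates=0
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# --- Step 2: after the Standalone Root CA role is installed, set how long the
# certificates it signs (the two issuing CA certs) are valid.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
# CDP/AIA: flag 1 = publish to the local path, flag 2 = put the URL in the
# extension. The offline root cannot reach AD, so only HTTP is advertised and the
# .crl/.crt files are copied to the web server by hand after each publish.
$local = "$env:SystemRoot\system32\CertSrv\CertEnroll"
certutil -setreg CA\CRLPublicationURLs "1:$local\%3%8%9.crl\n2:http://pki.example.com/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt"
Restart-Service CertSvc
certutil -crl

# --- Step 3: verify the root certificate matches the plan before building the
# issuing CAs on top of it (4096-bit key, 20-year lifetime).
$selfSigned = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $_.Issuer }
foreach ($c in $selfSigned) {
    $years = ($c.NotAfter - $c.NotBefore).Days / 365
    if ($c.PublicKey.Key.KeySize -ne 4096 -or $years -lt 19) {
        Write-Warning "Root cert $($c.Thumbprint) does not match the plan: $($c.PublicKey.Key.KeySize)-bit, $([int]$years) years"
    }
}
```

The same Step 3 check, run against the certificates already in the customer's machine stores, is also a quick way to spot which existing endpoints will need the smaller key sizes Steve G mentions before the 4096-bit root is trusted everywhere.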

Would that work guys? :-)
April 8th, 2012 2:04pm

If you follow the instructions in the second article, you should be fine. However, I would recommend gaining some experience with the process by running through it in a lab. I see you have specified a 4096 bit key length for the root CA. Make sure that everything you plan to issue a certificate to can handle a 4096 bit key. There are some instances of older equipment, a Cisco VPN 3000 for example, that cannot handle a 4096 bit key length. Steve G
April 9th, 2012 12:04am