CA Retirement/Migration and Certificate Template Supersedence
Hi guys,
We are near the end of a migration from one PKI chain to another within the same forest. To complete the migration I would like to retire the old CAs entirely rather than "age them out" - currently the CA is not issuing any certificates but its CRL is still in use and is valid until mid-2013.
I was wondering whether I would be able to supersede the templates in use - specifically client (Computer templates) used for Wireless authentication - and thus trigger enrolment by all clients for new certificates issued by CAs in the new chain.
Would this revoke/invalidate existing certificates and thus break wifi connections, or would current certificates still be valid whilst clients enrolled for the new certificate using the new template?
Any thoughts/suggestions appreciated - hopefully the above makes sense.... thanks :)
MCTS 70-640 | MCTS 70-642 | Prince2 Practitioner | ITIL Foundation v3 | http://www.cb-net.co.uk
July 12th, 2012 11:05am
Superseding will cause the client to delete or archive the old certificate and replace it with a new one based on the new template.
/Hasain
July 12th, 2012 12:00pm
Superseding will cause the client to delete or archive the old certificate and replace it with a new one based on the new template.
/Hasain
So the client will keep the current certificate (i.e. the CA will not revoke it) until it is able to request a new certificate? Thus not affecting wireless connectivity that is using the current certificates?
MCTS 70-640 | MCTS 70-642 | Prince2 Practitioner | ITIL Foundation v3 | http://www.cb-net.co.uk
July 12th, 2012 12:02pm
Yes, the old certificate will be kept until the new request has been completed successfully!
/Hasain
July 12th, 2012 1:56pm
Yes, the old certificate will be kept until the new request has been completed successfully!
/Hasain
July 12th, 2012 2:06pm
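A check that follows from the answers above, added here as an example and not posted by anyone in the thread: before the old CA is retired, confirm on a client that a valid client-authentication certificate from the new chain is present in the computer store, and see whether an old-chain certificate is still there. The two issuer common names are placeholders to replace with your own CA names; certificates without an EKU extension are not listed.

```powershell
# Placeholder issuer common names (assumptions): set these to your own CAs.
$OldIssuerCN = 'OLD-ISSUING-CA'
$NewIssuerCN = 'NEW-ISSUING-CA'

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'                             # Client Authentication EKU
$TemplateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'  # v2 template info, v1 template name
$EkuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Test-Issuer($Cert, $CN) {
    # Issuer is a DN string such as "CN=Name, DC=corp, DC=example"
    $Cert.Issuer -match ('^CN=' + [regex]::Escape($CN) + '(,|$)')
}

function Get-ClientAuthCert {
    # Computer certificates with a private key and the Client Authentication EKU
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $eku  = $cert.Extensions | Where-Object { $_ -is $EkuType }
        $cert.HasPrivateKey -and $eku -and
            (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthOid)
    }
}

$now = Get-Date
$report = foreach ($cert in (Get-ClientAuthCert)) {
    $tmpl  = $cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } |
             Select-Object -First 1
    $chain = if (Test-Issuer $cert $NewIssuerCN) { 'New' }
             elseif (Test-Issuer $cert $OldIssuerCN) { 'Old' }
             else { 'Other' }
    [pscustomobject]@{
        Chain      = $chain
        Valid      = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        NotAfter   = $cert.NotAfter
        Template   = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
        Thumbprint = $cert.Thumbprint
    }
}

$report | Sort-Object Chain, NotAfter | Format-Table -AutoSize -Wrap

# Summarise: the client is ready for the old CA to go only if a new-chain cert is valid now.
$newValid = @($report | Where-Object { $_.Chain -eq 'New' -and $_.Valid })
$oldLeft  = @($report | Where-Object { $_.Chain -eq 'Old' })
if ($newValid.Count -gt 0) {
    "OK: $($newValid.Count) valid new-chain certificate(s); old-chain certificates remaining: $($oldLeft.Count)"
} else {
    "NOT READY: no valid new-chain client certificate; this machine still depends on the old chain"
}
```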