Certificate Root CA is expiring
I installed a stand-alone root CA in October 2003 on a Windows 2000 server. It was mainly to authenticate machines connecting to an L2TP/IPsec Windows 2000 Server. I also issued a few certificates for websites using SSL. The technicians would use the web enrollment tool to make requests for the PCs to deploy the certificates. They have grown to be over 500 machines right now. The CA root certificate will expire in October 2009 and it will be impossible to have the technicians go around to update 500 PC certificates by the time October comes around.

I want to move to a new certificate server using Windows 2003 Enterprise CA so I can automatically enroll computer certificates. My other issue is that our domain consists of only Windows 2000 DCs (10 of them across the country). There is no budget to upgrade these machines in 2009. We MUST wait for 2010.

Does anyone have a good strategy I can follow to get all this working? Is there any benefit to using W2k8 Certificate Services over W2k3 R2? If I renew the current certificate server's CA certificate, will all the certificates that it issued still be valid? Thanks for any help you can offer.
August 5th, 2009 9:21pm

Hi,

After renewing a CA certificate, all certificates issued by this CA will remain valid. For more information and instructions, please refer to the article below:

Renewing a certification authority
http://technet.microsoft.com/en-us/library/cc740209(WS.10).aspx

Regarding changes in Windows Server 2008, please refer to this article:

Active Directory Certificate Services Role
http://technet.microsoft.com/en-us/library/cc753254(WS.10).aspx

Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
August 6th, 2009 10:38am

An issuing CA will never issue a certificate that is valid beyond the date of its own CA certificate: if the CA certificate has 6 months to run and that CA is configured to issue certificates valid for 12 months, it will actually issue a 6-month certificate. Likewise, an issuing CA cannot have a CA certificate valid longer than the root CA's CA certificate. So all your certificates will expire in October: you should be able to confirm this by checking issued certificates.

Windows 2000 AD had a mechanism to "auto" enrol certificates for computers in Group Policy ("Automatic Certificate Request Settings"), so you should be able to roll out replacement machine certificates. This does not work for user certificates.

I do not know if you can use 2003/8 methods for autoenrollment with 2000 AD: perhaps if the 2003 ForestPrep/DomainPrep updates were made you would get the appropriate Group Policy settings and they would be configurable and effective, but do you want to be trying that just now?

Paul
August 6th, 2009 12:57pm
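
The check Paul suggests (confirming that the issued certificates really do expire with the CA) can be scripted from any domain member that has PowerShell and the issuing CA's certificate in its trusted store. The script below is an added example, not code from the thread or from Microsoft; it walks the LocalMachine\My store, builds each certificate's chain, and reports the leaf's NotAfter beside the NotAfter of the CA that signed it, flagging the ones whose lifetime was clipped to the CA's. The certutil line in the trailing comment is an assumed syntax for asking the same question of the CA database on the CA server itself.

```powershell
# Added example (not from the original thread). Compares each machine
# certificate's expiry with the expiry of the CA certificate that issued it.
# Expected result for the situation described above: every certificate that
# chains to the 2003 root shows the same October 2009 NotAfter as the CA.

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

$report = foreach ($cert in $store.Certificates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is irrelevant to an expiry audit; skipping it keeps the run
    # from failing on machines that cannot reach the CRL distribution point.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    # ChainElements[0] is the leaf itself; [1], when present, is its issuer.
    # A chain with a single element means the issuer is not in any local store.
    $issuer = $null
    if ($chain.ChainElements.Count -gt 1) {
        $issuer = $chain.ChainElements[1].Certificate
    }

    New-Object PSObject -Property @{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        Issuer         = if ($issuer) { $issuer.Subject } else { "(issuer not in local store)" }
        IssuerNotAfter = if ($issuer) { $issuer.NotAfter } else { $null }
        # A Windows CA that cannot honour the full template validity sets the
        # issued certificate's NotAfter to its own NotAfter, so exact equality
        # is the signature of a clipped lifetime.
        ClippedByCA    = if ($issuer) { $cert.NotAfter -eq $issuer.NotAfter } else { $false }
    }
}
$store.Close()

$report |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, Issuer, IssuerNotAfter, ClippedByCA -AutoSize

# On the CA server, the same audit can be run against the CA database
# (assumed certutil syntax; substitute the CA certificate's own NotAfter):
#   certutil -view -restrict "NotAfter<=10/31/2009" -out "RequestID,CommonName,NotAfter"
```

Run it on one of the 500 machines and on the VPN server. Certificates that show ClippedByCA as True are the ones the replacement rollout has to reach before October; anything issued by a different CA, or by the same CA after a renewal that extended its own NotAfter, will show a later date and can be left alone.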

First of all, thanks for the quick replies. I am rebuilding my environment in the lab right now in a virtual environment, therefore I can try any suggestions without fear of breaking something. I can take snapshots and recover from any change.

It would be interesting to test the following scenario. Renew the CA certificate using the same keys. This would buy me time to go into 2010 so I can migrate my DCs. Use the "Automatic Certificate Request Settings" to replace the expiring certificates with new ones.

Q: Does the fact that my CA is stand-alone and not AD integrated remove the ability to do so? If that does not work, I was planning to create a new Enterprise W2003 CA, run the forestprep/domainprep and try to distribute certificates across the domain.
August 6th, 2009 9:18pm

1) Renewing with the same key or a new key does not matter, as the chaining engine is still going to build chains based on which CA certificate was available at the time. The only benefit is that you will only have 1 CRL to manage, not two.

As for ACRS, you must have an enterprise CA to issue the certificates. You can deploy a 2k3 CA in a 2k forest, but you need to run FORESTPREP to add the v2 certificate template object and attributes to the forest. Once you have done that, you can then deploy a 2k3 enterprise CA. May be worth testing in your lab.

Brian
August 6th, 2009 11:06pm

Does the Enterprise CA you mention need Windows 2003 Enterprise Edition? Since I can use the w2k domain GPO to create Automatic Certificate Requests, do I even need to run forestprep?
August 6th, 2009 11:57pm

Hi,

Certificate autoenrollment is based on the combination of group policy settings and version 2 certificate templates. Only Windows Server 2003 and later systems support version 2 templates. For detailed information, please refer to the articles below.

Introduction (Certificate Autoenrollment in Windows Server 2003)
http://technet.microsoft.com/en-us/library/cc783873(WS.10).aspx

Certificate Templates Overview
http://technet.microsoft.com/en-us/library/cc730826(WS.10).aspx

Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
August 7th, 2009 6:45am

This topic is archived. No further replies will be accepted.