Change CA Certificate Information
Hello, I think that I know the answer to this question, but I guess that I just want to get confirmation and a little advice. We have Certificate Services installed on a Server 2003 R2 machine and it was installed a couple of years ago before our company was bought, had a slight name change and changed location. I would like to update the Subject information for the root CA, but I don't see any way to do that. From reading on here, it looks like I'm going to have to uninstall and reinstall the Certificate Services. Is this correct? It looks like our developers have requested a ton of certificates from this CA. I'm not sure what they're using them for (perhaps a change which I could make upon a re-install :) ), but what happens to all of the certificates which they have been issued? Are they then invalid? I'm just trying to gauge how bad I would mess them up if I have to uninstall and reinstall Certificate Services. Thanks for any help and advice that anyone can offer. Regards, John
July 23rd, 2010 9:32pm

Sorry to say, but if you want to change the subject field of the root certificate you have to install a new root CA. So to some good news. As long as the root certificate is still valid you don't have to do anything with the issued certificates. Let them live out their lifetime; when they expire, issue new ones from the new CA. Just some pointers for this to work (as you only mention a root CA and no subordinate): the root certificate has to remain out on the clients for the certificates to be valid. Also you have to let the old root CA live until all certificates issued by it have expired, and the root has to issue CRLs the whole time for the certificates to work. When the last certificate from the old chain has expired, you can retire the whole thing. When you install the new CA, then this certificate has to be distributed to the clients also (automatic if the CA is an Enterprise CA). Then you can start issuing new certificates from this chain. No worries. It will be slightly more difficult if there is a subordinate chained to the root. But with some planning this is also manageable. Regards Morten
July 23rd, 2010 10:30pm

Darn. I thought that that would be the case. Let me see if I'm understanding you correctly. If I want the existing certificates to work, I have to leave the existing root CA running until its certificate expires, at which point I can get rid of it. Since its certificate is not set to expire until 2015, if I want to change the information now, I will probably need to set up another root CA with the correct information and start issuing certificates from it in the meantime. Is that pretty much how things would need to be done? At the same time, I'm finding out from the developers how they use the certificates. If they can just get new certificates, I would prefer to blow away the old CA now and set up the new one. Let me know what you think. Thanks for your help and for responding to my question. Regards, John
July 24th, 2010 1:58am

Yes, that is the gist of it. The best would be to set up the new one and replace the active certificates as fast as possible. When you want to take down the old, just uninstall it. You also have to do some manual removal of the old certificates. This can be done with pkiview.msc: just right-click the top node and choose Manage AD Containers. Just go into every container and delete everything that is tied to the old CA. PKI is not the easiest thing in the world to work with; it throws fits and tantrums in the beginning. Once everything is sorted and configured right it usually just keeps on running. That is, until some of the certificates start to run out, that is ;) Regards Morten
July 24th, 2010 11:14am
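
The inventory that both of Morten's answers depend on (which certificates from the old CA are still unexpired, and how long the old CA and its CRLs must stay up) can be pulled from the CA database. This is an added example, not part of the original thread; it assumes PowerShell 2.0 or later on the old CA server, that certutil's csv output option is available there, and that certutil's dates parse in the current culture.

```powershell
# Added example (not from the thread). Run on the OLD CA server as a CA administrator.
# Assumptions: certutil supports the "csv" output option on this server, and the
# NotAfter values it prints can be parsed in the session's current culture.

# Disposition=20 selects issued certificates; revoked ones (Disposition=21) are skipped.
$raw = certutil -view -restrict "Disposition=20" -out "RequestID,CommonName,NotAfter" csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: $raw" }

# Drop certutil's own header row and apply fixed column names instead,
# so the script does not depend on the localized column titles.
$issued = $raw | Select-Object -Skip 1 | Where-Object { $_.Trim() } |
    ConvertFrom-Csv -Header RequestID, CommonName, NotAfter |
    ForEach-Object {
        New-Object PSObject -Property @{
            RequestID  = $_.RequestID
            CommonName = $_.CommonName
            NotAfter   = [datetime]::Parse($_.NotAfter)
        }
    }

# Certificates that relying parties may still validate against the old root.
$now    = Get-Date
$active = @($issued | Where-Object { $_.NotAfter -gt $now } |
            Sort-Object NotAfter -Descending)

if ($active.Count -eq 0) {
    "No unexpired certificates remain in the database; the old CA can be retired."
} else {
    # The latest expiry is the earliest date the old CA can stop publishing CRLs,
    # unless these certificates are replaced from the new CA before then.
    "{0} unexpired certificate(s); old CA and CRLs are needed until {1:yyyy-MM-dd}." -f `
        $active.Count, $active[0].NotAfter
    "Longest-lived certificates (replace these from the new CA first):"
    $active | Select-Object -First 10 RequestID, CommonName, NotAfter |
        Format-Table -AutoSize
}
```

Re-running it after each batch of replacements shows the retirement date moving closer only if the replaced certificates have also been revoked on the old CA, since the query counts every issued, unrevoked certificate.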

Morten, Thanks for all of your help. You gave very clear and helpful instructions. Regards, John
July 27th, 2010 12:10am
