Decommission Windows 2003 CA and install a new one on Windows 2008 R2
Hi all,
I've a Windows 2003 R2 domain controller with an Enterprise root CA installed. I've to demote that DC with dcpromo, so I've to move the CA to another server. Now, this old server has issued a few certificates:
10 certificates (one for each domain controller in my domain)
3 Basic EFS to 3 users
I've to know the correct procedure. I think it's this one (give me feedback):
1) decommission old CA http://support.microsoft.com/kb/889250
2) install a new CA on a suitable Windows 2008 R2 server
Am I missing something?
March 8th, 2012 3:50am
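Before starting on KB 889250, a practitioner would want an inventory of what the old CA has issued and a backup of the CA itself. The following is an added example and not part of the thread; it is my own script, not anything the poster or Microsoft supplied. It is meant to be run elevated in PowerShell on the old 2003 CA. The backup path and password are placeholders, the match on 'EFS' in the template column is my assumption about how the Basic EFS template shows up in the database, and the CSV parsing assumes certutil emits one quoted row per certificate after a quoted header row.

```powershell
# Added example (not from the thread): inventory issued certificates and back up
# the old Enterprise CA before decommissioning it per KB 889250.
# Placeholders (assumptions): backup folder, backup password.
$BackupDir = 'C:\CABackup'
$BackupPwd = 'ChangeMe-Placeholder'

# Active CA name plus the CRL settings that matter if you stop after KB 889250
# step 5 and keep the CA alive only to publish CRLs for already-issued certs.
$cfg    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = $cfg.Active
$caCfg  = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
"CA: $caName"
"Base CRL period: {0} {1}; Delta CRL period: {2} {3}" -f `
    $caCfg.CRLPeriodUnits, $caCfg.CRLPeriod, $caCfg.CRLDeltaPeriodUnits, $caCfg.CRLDeltaPeriod

# 1. Back up key, certificate and database (the directory must not already hold files),
#    then the registry configuration and CAPolicy.inf, which -backup does not include.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
certutil -p $BackupPwd -backup $BackupDir
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration `
    "$BackupDir\CertSvc-Configuration.reg" /y
if (Test-Path "$env:windir\CAPolicy.inf") { Copy-Item "$env:windir\CAPolicy.inf" $BackupDir }

# 2. Pull the issued-certificate table (Disposition 20 = issued) as CSV.
$columns = 'RequestID,RequesterName,CertificateTemplate,NotAfter,SerialNumber'
$raw = certutil -config "$env:COMPUTERNAME\$caName" -view -restrict 'Disposition=20' -out $columns csv
# Assumption: data rows are quoted; the first quoted line is the header, so skip it.
$rows = $raw | Where-Object { $_ -match '^"' } | Select-Object -Skip 1 |
    ConvertFrom-Csv -Header 'RequestID','Requester','Template','NotAfter','Serial'

# 3. What was issued, per template.
$rows | Group-Object Template | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. The certificates that will still be unexpired when the CA goes away are the
#    ones to plan for; the EFS ones are the user-impacting set.
$now  = Get-Date
$live = $rows | Where-Object { ($_.NotAfter -as [datetime]) -gt $now }
$efs  = $live | Where-Object { $_.Template -match 'EFS' }   # assumption: template name contains EFS
"Issued: {0}  still valid: {1}  of which EFS: {2}" -f @($rows).Count, @($live).Count, @($efs).Count
$efs | Format-Table RequestID, Requester, NotAfter, Serial -AutoSize

# Keep the inventory next to the backup for the decommissioning record.
$rows | Export-Csv "$BackupDir\issued-certificates.csv" -NoTypeInformation
```

The domain controller certificates in the question can simply be reissued from the new CA after it is online and the old one is gone; the EFS list is what decides whether to stop at step 5 of the KB or run it to the end.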
The only certificates you need to be careful about before decommissioning are the EFS certificates. Once you follow KB 889250, all issued certificates will be invalid, and the users having those EFS certificates could be less happy.
The general recommendation, if you have issued certificates that you need to keep valid, is to stop after step 5 and not continue with step 6 and above!
If you can ignore the already issued certificates, KB 889250 and the steps you are outlining are just right!
/Hasain
March 8th, 2012 1:48pm
On Thu, 8 Mar 2012 18:48:54 +0000, Hasain Alshakarti [MVP] wrote:
The only certificates you need to be careful about before decommissioning are the EFS certificates. Once you follow KB 889250 all issued certificates will be invalid and the users having those EFS certificates could be less happy.
I'm not sure what you mean when you state that EFS users could be less than happy. Certainly if you follow the entire KB you'd no longer be able to recover private keys that had been archived; however, contrary to your statement that all certificates would become invalid, that isn't the case for EFS certificates. Users would still be able to use their existing EFS certificate, both for encrypting new files and for decrypting existing files. EFS only does CRL checking in the following 2 situations:
1. When requesting a new EFS certificate against a template that is configured for key archival, the KRA certificate(s) must be valid.
2. When attempting to share an EFS encrypted file with another user, the other user's certificate is checked for validity.
I can revoke your EFS certificate and, as long as someone isn't trying to share an EFS encrypted file with you, the revocation will have zero impact on your ability to continue to use the revoked certificate.
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
How was Thomas J. Watson buried? 9 edge down.
March 8th, 2012 1:57pm
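To see the distinction Paul describes on a real workstation, it helps to look at the user's EFS certificate from two sides: what a relying party's chain and revocation check says about it, versus the files that are still encrypted to it and decryptable regardless. The script below is an added example written for this thread, not code from either poster; run it as the EFS user. It assumes that certutil's -verify text output can be filtered by the keywords shown, that cipher /u /n prints one encrypted file path per line, and the temp file path is a placeholder.

```powershell
# Added example (not from the thread): inspect a user's EFS certificates.
# Decryption by the key holder never consults the CRL; key archival requests and
# sharing a file with another user do. This shows both views side by side.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

# EFS-capable certificates in the user's personal store that still have a private key.
function Get-UserEfsCertificate {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EfsEku)
    }
}

# What a relying party (e.g. EFS sharing) would conclude: full chain build with
# CRL/AIA retrieval. Assumption: keyword filter over certutil's text output.
function Test-CertificateRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $tmp = Join-Path $env:TEMP ("efs-{0}.cer" -f $Cert.Thumbprint)   # placeholder path
    [IO.File]::WriteAllBytes($tmp, $Cert.Export('Cert'))
    $out = certutil -verify -urlfetch $tmp 2>&1
    Remove-Item $tmp -ErrorAction SilentlyContinue
    $out | Where-Object { $_ -match 'Revocation|Revoked|ERROR|FAILED|completed successfully' }
}

foreach ($c in Get-UserEfsCertificate) {
    "EFS cert {0}  issuer: {1}  expires: {2}" -f $c.Thumbprint, $c.Issuer, $c.NotAfter
    Test-CertificateRevocation $c | ForEach-Object { "    $_" }
}

# Files encrypted on local drives; /u /n lists them without re-keying anything.
$files = cipher /u /n 2>$null | Where-Object { $_ -match '^[A-Za-z]:\\' }
"Encrypted files found: {0}" -f @($files).Count

# For one file, show which certificate thumbprints can decrypt it; that set,
# not the CA's CRL, is what governs the owner's access after the CA is gone.
if ($files) { cipher /c $files[0] }
```

If the verify step reports a revoked or unreachable-CRL status while cipher /c still lists the same thumbprint, the owner keeps access but sharing that file with another user (the second situation in Paul's list) will fail.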