Decommission Windows 2003 CA and install a new one on Windows 2008 R2
Hi all, I have a Windows 2003 R2 domain controller with an Enterprise root CA installed. I have to demote it with dcpromo, so I have to move the CA to another server. This old server has issued only a few certificates: 10 certificates (one for each domain controller in my domain) and 3 Basic EFS certificates to 3 users. I need to know the correct procedure; I think it is this one (give me feedback):
1) decommission the old CA: http://support.microsoft.com/kb/889250
2) install a new CA on a suitable Windows 2008 R2 server
Am I missing something?
March 8th, 2012 3:50am

The only certificates you need to be careful about before decommissioning are the EFS certificates. Once you follow KB 889250 all issued certificates will be invalid and the users having those EFS certificates could be less happy. The general recommendation, if you have issued certificates that you need to keep valid, is to stop after step 5 and not continue with step 6 and above! If you can ignore the already issued certificates, KB 889250 and the steps you are outlining are just right! /Hasain
March 8th, 2012 1:48pm
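Before deciding whether to stop at step 5 of KB 889250, it helps to know exactly which still-valid certificates the old CA has issued and to whom. The script below is an added example, not code from the thread or from KB 889250; it assumes it is run elevated on the CA itself, that Disposition 20 is the CA database value for "issued", and that the -out names are CA database column names.

```powershell
# Added example: inventory still-valid certificates issued by this CA, grouped by
# template, so the impact of decommissioning (KB 889250 step 6 onward) is known.
# Assumption: run elevated on the CA; Disposition=20 restricts to issued certs.
$lines = certutil -view -restrict "Disposition=20" `
    -out "RequestID,RequesterName,CertificateTemplate,NotAfter" csv |
    Where-Object { $_ -and $_ -notmatch '^CertUtil:' }   # drop status trailer

# The first CSV line is a header of display names; replace it with our own.
$rows = $lines | Select-Object -Skip 1 |
    ConvertFrom-Csv -Header RequestID,Requester,Template,NotAfter

$now = Get-Date
$report = $rows |
    Where-Object { [datetime]::Parse($_.NotAfter) -gt $now } |  # unexpired only
    Group-Object Template | ForEach-Object {
        [pscustomobject]@{
            Template   = $_.Name
            Count      = $_.Count
            Requesters = ($_.Group.Requester | Sort-Object -Unique) -join ', '
            # EFS certificates keep working after the CA is gone (as discussed in
            # the thread) but can no longer be renewed or key-recovered from it,
            # so these are the holders to contact before going past step 5.
            EFS        = ($_.Name -match 'EFS')
        }
    }

$report | Sort-Object EFS -Descending | Format-Table -AutoSize
```

Domain controller certificates show up under the DomainController template and are simply re-requested from the new CA once it is online.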

On Thu, 8 Mar 2012 18:48:54 +0000, Hasain Alshakarti [MVP] wrote:
> The only certificates you need to be careful about before decommissioning are the EFS certificates. Once you follow KB 889250 all issued certificates will be invalid and the users having those EFS certificates could be less happy.
I'm not sure what you mean when you state that EFS users could be less than happy. Certainly, if you follow the entire KB you'd no longer be able to recover private keys that had been archived; however, contrary to your statement that all certificates would become invalid, that isn't the case for EFS certificates. Users would still be able to use their existing EFS certificate, both for encrypting new files and for decrypting existing files. EFS only does CRL checking in the following 2 situations:
1. When requesting a new EFS certificate against a template that is configured for key archival, the KRA certificate(s) must be valid.
2. When attempting to share an EFS encrypted file with another user, the other user's certificate is checked for validity.
I can revoke your EFS certificate and, as long as someone isn't trying to share an EFS encrypted file with you, the revocation will have zero impact on your ability to continue to use the revoked certificate.
Paul Adare MVP - Forefront Identity Manager http://www.identit.ca
How was Thomas J. Watson buried? 9 edge down.
March 8th, 2012 1:57pm
