New internal CA
I had an old internal enterprise CA1 that issued computer certificates and some domain controller certificates.
Now I installed a brand new enterprise CA2 with a new key etc.
I removed all certificate templates from CA1 and added them to CA2.
Now I see clients getting new computer certificates from CA2, but domain controllers are not trying to get new certificates.
Am I, or is my domain, in danger when I turn off CA1?
What are the best steps I can do now? I cannot use "Reenroll All Certificate Holders" because it's the Computer template.
August 22nd, 2012 12:14pm
It looks like the DC certificates are still valid. Once they become invalid, DCs should reenroll certificates from the new CA.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
August 22nd, 2012 1:16pm
OK, but the DC certificates are still valid for 1 year :) and we don't want to keep that CA1 role and server around that long :)
Can I safely turn off CA1, and will the DCs then enroll for certificates from CA2?
August 22nd, 2012 1:19pm
I would recommend explicitly deleting the existing certificates from the DCs and running 'certutil -pulse' on them to immediately reenroll certificates.
August 22nd, 2012 2:17pm
I have 2 DCs and did the following:
I kept the old certificates and looked at which certificates (from which certificate templates) had been issued from the old CA.
I then manually enrolled for the same types of certificates (from the certificate templates that had been issued from the old CA).
So when I look in the computer cert store I now see:

Issued to   Issued by   Intended purposes                                               Certificate template
server01    CA1         Client Authentication, Server Authentication                    Computer
server01    CA2         Client Authentication, Server Authentication                    Computer
server01    CA1         Directory Service Email Replication                             Directory Email Replication
server01    CA2         Directory Service Email Replication                             Directory Email Replication
server01    CA1         Client Authentication, Server Authentication, Smart Card Logon  Domain Controller Authentication
server01    CA1         Client Authentication, Server Authentication, Smart Card Logon  Domain Controller Authentication

So can I now safely delete the certs issued by CA1?
August 22nd, 2012 3:32pm
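As an added example (not code from this thread, and not from the poster's PSPKI module), the following PowerShell script carries out the advice given earlier in the thread ("delete the existing certificates from the DCs and run certutil -pulse") together with the check the certificate-store listing above is asking for: for every CA1-issued certificate in the local machine store it looks for an unexpired CA2-issued certificate with a private key from the same certificate template, removes the CA1 certificate only when such a replacement exists, and then triggers autoenrollment so anything still missing is requested right away. The CA names 'CA1' and 'CA2' are assumptions, and so is matching the issuer on the CN of the CA certificate; substitute the CN your CAs actually use.

```powershell
# Added example, not code from the thread or from the poster's PSPKI module.
# Run elevated on a DC. Removes CA1-issued machine certificates only where a valid
# CA2-issued certificate from the same template already exists, then triggers
# autoenrollment with 'certutil -pulse'. 'CA1'/'CA2' are assumptions: use the CN
# of your CA certificates, because the issuer is matched on that CN.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OldCaName = 'CA1',
    [string]$NewCaName = 'CA2'
)

# Returns the template identifier embedded in a certificate, or $null for a
# certificate that was not issued from a template. V1 templates carry the name
# in OID 1.3.6.1.4.1.311.20.2; V2 templates carry name/OID/version in
# 1.3.6.1.4.1.311.21.7. Format() renders either as a comparable string.
function Get-TemplateKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($oid in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false) }
    }
    return $null
}

# CN of the issuer, e.g. 'CA1' for an issuer of 'CN=CA1, DC=corp, DC=example'
function Get-IssuerCN {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    return $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
}

$certs = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { Get-TemplateKey $_ }
$old   = $certs | Where-Object { (Get-IssuerCN $_) -eq $OldCaName }
# A usable replacement must come from CA2, be unexpired, and have its private key
$new   = $certs | Where-Object {
    (Get-IssuerCN $_) -eq $NewCaName -and $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
try {
    foreach ($cert in $old) {
        $key = Get-TemplateKey $cert
        $replacement = $new | Where-Object { (Get-TemplateKey $_) -eq $key }
        if (-not $replacement) {
            Write-Warning "No $NewCaName certificate for template [$key]; keeping $($cert.Thumbprint)"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($cert.Subject) [$key] $($cert.Thumbprint)", "Remove $OldCaName certificate")) {
            $store.Remove($cert)
        }
    }
}
finally {
    $store.Close()
}

# Ask the autoenrollment client to run now instead of at its next scheduled pass,
# so a template that still lacks a CA2 certificate is enrolled immediately.
if ($PSCmdlet.ShouldProcess('local machine', 'certutil -pulse')) {
    certutil -pulse | Out-Null
}
```

Run it with -WhatIf first to see what would be removed. A CA1 certificate whose template has no CA2 counterpart yet (in the listing above that is the Domain Controller Authentication template, which shows only CA1 entries) is left in place and reported rather than deleted, so the DC is never without a certificate for that purpose; certutil -pulse then asks the autoenrollment client to request it, which only succeeds if the template on CA2 still grants Domain Controllers the Enroll and Autoenroll permissions. Removing the store's certificate via X509Store.Remove rather than Remove-Item on the Cert: drive keeps the script working on the PowerShell 2.0 hosts common in 2012. One further reason to replace the CA1 certificates before the server goes away: once CA1 is turned off its published CRL eventually expires, and any CA1-issued certificate still in use will then fail revocation checking.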
Can someone help me out: can I safely delete the certs issued by the old CA?
Thanks in advance.
August 23rd, 2012 3:30pm
Really, is there no one who can help me out, or point me in a direction, on whether I can safely delete those certs issued by the old CA on the domain controllers?
August 24th, 2012 4:08am
Please read my last post.
August 24th, 2012 10:05am