RE-Setup PKI Enterprise AD-integrated Infrastructure
Hello, I suggest to ask in the security forum: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Best regards, Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
August 24th, 2011 11:00am

I wonder how I can re-setup a PKI enterprise infrastructure in our company given the following situation.
- There is a root CA which has been set up once and trusted a later SubCA in order to issue certificates.
- The SubCA was set up as an AD-integrated Enterprise PKI.
- I'd like to start from scratch mainly because back then some mistakes have been made, like a wrong URL for the CRL in the Root CA. Also the SubCA will be removed completely sooner or later since it's an outdated W2K3 SBS Domain Controller which got additional W2K8R2 DCs meanwhile. Just waiting to remove the Certificate Server role from that W2K3 SBS before I can remove the server completely, transferring FSMO roles etc.
However, we don't heavily rely on the PKI; we mainly just automatically issue user and computer SSL certificates (which we don't use actually), some self-signed web-server and other certificates like Exchange 2010 OWA/SMTP etc. What are the main issues I have to consider if I want to re-install a new RootCA + SubCA from scratch, but then also remove the still running SubCA which is enterprise AD-integrated and running on that W2K3 SBS server? How would my domain incl. its members or Exchange behave once the issuing authority of their certificates is not there anymore? Will they survive a few days while I re-issue new certificates like for web services and Exchange 2010 by the new CA? Thanks, Dieter
August 24th, 2011 2:01pm

You can install the new PKI structure before removing the old one. This way you can transfer one service at a time to the new PKI and remove the old PKI structure when all transfer is done. Just remove all templates from the old enterprise CA and add them to the new CA to prevent any further usage of the old CA. You can follow KB889250 to decommission your enterprise CA http://support.microsoft.com/kb/889250 and then remove the root CA trust. /Hasain
August 24th, 2011 2:42pm

Thanks, what services need to be transferred? Your link is very useful to me, but it just tells me how to remove the CA, nothing about eventually transferring some services to a new CA. Still, all certificates issued by the old CA will become invalid at a certain point; will this screw up anything in my infrastructure? As I said, we are just running some automatically created client PC and user certificates (which I don't know if we do anything with them), an Exchange 2010 SMTP certificate which has nothing to do with the enterprise CA (it's just a self-signed certificate) and some web-service certificates. What will happen to these once they are revoked because I have to delete the enterprise CA? I can live with the fact that some SSL certificate warnings show up for a while, as long as it's not like some services will completely fail ...
Also, you said I can install the new PKI structure before removing the old one; this was what I planned to do anyway. It will be a RootCA which will be taken offline after a while and a trusted SubCA which I will use for issuing certificates. The root CA has nothing to do with the Active Directory. But the SubCA will be an enterprise CA; can I have two trusted CAs for a while? Since I have to install the second CA, trust it in my domain and only after that start to remove the old CA? I am not sure how the installation process is, but I am assuming once I select that I want to set up an enterprise CA I have to specify the Active Directory domain in charge? At this point I can imagine that it comes down to a conflict since there is already an enterprise CA trusted by this domain. Dieter
August 25th, 2011 12:50am

See if these help:
HOWTO: Move a certificate authority to a new server running on a 2003 or 2008 CA, Standard or Enterprise http://directoryservicesconsulting.ca/index.php/2009/04/17/howto-move-a-certificate-authority-to-a-new-server-running-on-a-domain-controller/
HOWTO: Move a certificate authority to a new server running on a domain controller (2003). http://support.microsoft.com/?id=555012
To make it easier, you can possibly keep the old certs on the workstations. After you remove the old CA and install the new one, you can still use autoenrollment to hand out the new certs.
Configure Certificate Autoenrollment http://technet.microsoft.com/en-us/library/cc731522.aspx
Hope that helps, Ace
Ace Fekay MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
August 25th, 2011 2:54am

"What services need to be transferred ... can I have two trusted CAs for a while?"
By service transfer I refer to any services using the old PKI, any web server or authentication system etc. You need to migrate/transfer these systems to begin using the new PKI by issuing new sets of certificates and establishing a trust to the new CAs. If you wait with decommissioning of the old CAs until all systems using certificates have completely moved to the new CAs, no screw-ups are necessary! Yes, you can have multiple enterprise CAs and CA trusts in AD without any problems or conflicts. /Hasain
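To find which services still depend on the old SubCA before it is decommissioned (the inventory step Hasain's reply implies), here is an added PowerShell example that is not from the thread or from Microsoft. It scans the local machine and user personal stores for certificates whose issuer matches the old CA and reports expiry, template and intended use; the CA and server names are placeholders.

```powershell
# Added example: inventory certificates issued by the old enterprise CA so each
# consuming service can be re-issued from the new CA before decommissioning.
# 'CN=OLD-SUBCA' is an assumed placeholder; use the Issuer CN of your old SubCA.
param(
    [string]$OldIssuerCn = 'CN=OLD-SUBCA',
    [string[]]$Stores    = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
)

# OIDs of the certificate template extensions (v1 name and v2 information).
$TemplateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-CertsFromOldCa {
    param([string]$IssuerCn, [string[]]$StorePaths)
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path |
            Where-Object { $_.Issuer -like "$IssuerCn*" } |
            ForEach-Object {
                # EKU friendly names show what the cert is for (Server/Client Authentication, ...).
                $ekus = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
                $tpl  = $_.Extensions |
                        Where-Object { $TemplateOids -contains $_.Oid.Value } |
                        ForEach-Object { $_.Format($false) }
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
                    Template   = ($tpl -join '; ')
                    EKU        = $ekus
                    HasKey     = $_.HasPrivateKey   # a service cert normally has its private key
                }
            }
    }
}

$found = Get-CertsFromOldCa -IssuerCn $OldIssuerCn -StorePaths $Stores
if (-not $found) { "No certificates issued by $OldIssuerCn found in the listed stores."; return }
# Soonest-expiring first: these are the services to move to the new CA first.
$found | Sort-Object NotAfter |
    Format-Table Store, Subject, Thumbprint, NotAfter, DaysLeft, Template, EKU, HasKey -AutoSize

# Template move as described in the reply (run on the CA hosts; names are placeholders):
#   certutil -config "OLDSERVER\OLD-SUBCA" -CATemplates                 # list what the old CA issues
#   certutil -config "OLDSERVER\OLD-SUBCA" -SetCATemplates -WebServer   # stop issuing from the old CA
#   certutil -config "NEWSERVER\NEW-SUBCA" -SetCATemplates +WebServer   # enable the template on the new CA
```

Run it on each server that hosts a web service or Exchange role, then re-issue from the new CA anything listed with HasKey set, since those are the certificates a service is actually presenting.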
August 25th, 2011 12:45pm
