ROOT CA Key renewal
Hi,I have Standalone Root CA. I want to renew it's key but I want to use different CSP. Is ir possible at all? because when I try to renew the CA's key - the same CSP is used everytime and I have no choice to select different one. I want such a change because I want to place my CA's private keys on the HSM which uses different CSP.Thanks.
May 7th, 2009 10:30am
Hi,
Thank you for your post.
We cannot change the CSP when we renew CA certificate. To migrate CAs private key to an HSM, you can refer to Brains suggestions in the following thread:
CA cert renewal and change CSP
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/bd7bf42e-b630-488b-ade5-5af5c7544759/
Hope it helps.
Free Windows Admin Tool Kit Click here and download it now
May 8th, 2009 1:01pm
As I can see this is not possible :( so sad. Then another question. My PKI hierarchy consists of this offline root ca and online subordinate enterprise windows 2003 ca. Can you give any recommendations and stepsabout migration to exact the same CAs hierachy which use HSMin my domain? Is it possible to have two PKI hierachies in the same single domain?
May 8th, 2009 4:18pm
Hi,
Based on my understanding, you can temporarily have two PKI hierarchies in the same forest. As Brain mentioned, please remove all certificate templates from the old CAs for issuance, and only maintain CRLs. When all the certificates issued from the old CAs expire, we can then retire the old CA hierarchy.
Free Windows Admin Tool Kit Click here and download it now
May 12th, 2009 11:14am
Hi,
Just want to check if the suggestion has helped. Please feel free to let me know if there is anything further I can assist you with.
Have a nice day.
May 15th, 2009 9:23am
Let me get it straight. I have single forest, single domain.So if I'll install additional PKI hierarchy to the same domain - standalone offline root ca and enterprise subordinate ca - will everything be ok with my domain? I do not want something to break in there because of additional PKI hierarchy installation. I'll remove all templates from my old ca before doing any new installations.And if it is safe to install additional pki hierarchy to the same domain - can you give any steps and recommendations about old CA desomissioning from my domain? Thanks.
Free Windows Admin Tool Kit Click here and download it now
May 22nd, 2009 9:14am
Hi,
Thank you for your response.
Yes, you can temporarily have two PKI hierarchies in the same forest. I also performed a deep research and found that some HSM vendors have such a tool for transferring an existing private key from a Root CA. Therefore, you can contact the HSM vendor to confirm if there is any better solution.
If you are sure that the new CA hierarchy is working properly and the certificates issued by the old CA hierarchy are not longer used or have expired, you may decommission the old CA from the domain. To do so, you can refer to the following KB article:
How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows Server 2000
http://support.microsoft.com/kb/889250
Thanks.
May 25th, 2009 6:33am
Hi Rimvydas,Have you tried to ask you HSM vendor? I know that Safenet has a tool that can change the CPS for a MS PKI server if you want to implement af HSM after the initial PKI implamentation.Best Regards,Benjamin
Free Windows Admin Tool Kit Click here and download it now
May 26th, 2009 11:03am
Ive changed the CSP from MS to Utimaco HSM CSP using instructions/tools from Utimaco.Br, Danieldanielu@avanade
May 26th, 2009 2:30pm
Bendji, yes, I've tried to ask vendor, but they were unable to help with CSP change. They said that there is only one option - CA reinstall with existing key.Daniel, can you elaborate on this in more detail? Because we have Utimaco HSMs too:)
Free Windows Admin Tool Kit Click here and download it now
June 4th, 2009 3:01pm