Remove CA on windows 2003 DC and create a new PKI from windows 2008 x64
I have read and been through tons of links but none of them answer me fully. I have an enterprise root CA on a Windows 2003 DC. I would like to create a new PKI on Windows 2008 x64. This is what I plan to have: one standalone root CA and one enterprise CA which will also be the issuing CA. In one of the forums, I had asked if I could install the new PKI without decommissioning the old CA, then have the users use the new CA certs and then decommission the old root CA. I was told that I could have two root CAs in an environment. But one of the articles that I read mentioned that if I install a new enterprise CA then it could overwrite the settings of the old enterprise CA in Active Directory. If anyone has done this, can you please advise on how to go about it? This has been a stone in my shoe for a while now.
March 10th, 2011 7:42pm

If I understand your issue correctly, then it can certainly be done. There is no technical limitation to a single enterprise CA, but it can cause a bit of confusion. The key is to build the new PKI environment and make sure that it is published and working correctly from a pkiview perspective. Once that has been done, you should deploy the CA to your machines via GPO. When the new servers are properly distributed, you can add the existing templates to the new server (please remove any templates you have no intention of using). Remove all templates from the legacy server to prevent it from issuing any new certificates and leave it running to have it maintain the revocation information.
fr3dd
March 12th, 2011 12:44am

So while my current enterprise root CA (Windows 2003 32-bit) is in production, I can go ahead and create:
1. A standalone root CA (Windows 2008 x64) with a different name
2. An enterprise intermediate CA (Windows 2008 x64)
After this, what is the process to decommission the 2003 CA and transition to the 2008 CA? Thank you for your response.
March 14th, 2011 11:18pm

To decommission the old CA, you will need to remove ('delete') the templates from the old server. This will prevent the creation of new certificates. Also, by leaving the old server up, you will be automatically maintaining AD revocation information. You should then make the certificate templates available on the new server and validate that they still function as intended.
fr3dd
March 15th, 2011 2:52pm

Last question... my domain controllers are all 2003 (32-bit) and the domain functional level is 2003. Will that create any issue when trying to install a 2008 x64 CA?
March 16th, 2011 11:40pm

Your domain would simply need to have the Windows Server 2008 schema extensions and preparations (preferably R2) so that you can install the new CA. You would not need to have a Windows Server 2008+ DC.
fr3dd
March 17th, 2011 4:44pm

I installed a standalone root CA on Windows 2008 x64 Enterprise Edition with just the Certificate Authority component. After the install, I saw one error and one warning.
The error was: Event 74 Active Directory Certificate Services could not publish a Base CRL for Key0 to the following location on server domaincontroller.domain.local:ldap//CN=certAuthorityServer,CN=CertAuthorityServer,CN=CDP, CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=local. Directory object not found.
And the warning was: Event 103 Active Directory Certificate Services added the root certificate of certificate chain 0 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer. This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied. To verify that the CA certificate is published correctly in Active Directory, run the following command: certutil -viewstore "ldap:///CN=certAuthorityServer,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=local?cACertificate?base?objectClass=certificationAuthority" (you must include the quotation marks when you run this command). If the root CA certificate is not present, use the Certificates console on the root CA computer to export the certificate to a file, and then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root.
Not sure what to do next now. Is the error common because it is a standalone root CA and will not integrate with AD?
March 19th, 2011 12:51am

Forgot to mention that the standalone root CA that was created is a member of the domain. When going through 70-298 prep it mentioned that a standalone root CA can or cannot be a member of a domain. Is this where I missed? If so, how do I correct it? I may need to uninstall this newly created standalone root CA, get rid of its entries in Active Directory (it is listed in the Public Key Services folder in Active Directory Sites) and then try to create a new standalone... Can someone please help?
March 19th, 2011 5:36am

The standalone root should not be a domain member and should not be connected to the network. One of the primary reasons to do a standalone root is to position the PKI hierarchy outside of a domain security boundary. Additionally, these servers generally have a very long revocation list refresh (6-12 months on average). Between the times that the machine will need to issue new revocation lists it is common to power the machines down. So, unfortunately I believe that you will need to rebuild the CA environment. When you build the new root, you will need to use the certutil -addstore and -dspublish commands to publish the AIA and CDP information to AD. I'm sure this is not the answer that you were hoping for...
fr3dd
March 23rd, 2011 5:33pm

Thanks for your response. I ended up uninstalling the CA. Deleted objects from the Public Key Services folders in Active Directory. Created a new server and installed a standalone root CA. No errors this time. I plan to install an enterprise intermediate now which will also be my issuing CA. Do I need to certutil -addstore and -dspublish the standalone root CA if I plan to take it offline and use the intermediate issuing CA instead? The old enterprise root CA is still in production. In the above post you mention "When the new servers are properly distributed, you can add the existing templates to the new server (please remove any templates you have no intention on using). Remove all templates from the legacy server to prevent it from issuing any new certificates and leave it running to have it maintain the revocation information." When an enterprise CA is installed, does it look into AD for existing templates and import those templates? If so, wouldn't those templates be something that was published by the old/legacy CA that I plan to get rid of? And is there a procedure to disable the templates on the legacy?
March 23rd, 2011 6:29pm

I did the following: dsutil -f certfile.crt and dsutil -f crllist.crl. The second command gave this error: CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235) CertUtil: A referral was returned from the server. So I went ahead and did as was suggested in http://technet.microsoft.com/en-us/library/cc737740%28WS.10%29.aspx. After this it said Base CRL added to DS store and CertUtil: -dsPublish command completed successfully. Then I went ahead and installed the enterprise intermediate CA. However, it was offline when it finished. The cert request was submitted to the standalone CA. It issued a certificate but I found out that it was valid for 1 year only. So I revoked this issued certificate. Changed ValidityPeriodUnits to my choice of liking. Issued a new CRL and did certutil -dspublish thenewcrl. Then submitted a new request (using the same req file as before) and issued a certificate to the intermediate CA. When installing this cert on the intermed CA it shouted saying the chain could not be verified and whether to continue. I said yes. Then when trying to start the service it says "The revocation function was unable to check revocation because the revocation server was offline".
March 24th, 2011 12:54am
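As an added example (not commands posted in this thread), the AD publishing that fr3dd describes above and the chain/revocation check behind the "revocation server was offline" failure in the preceding post, run from a domain-joined machine with the offline root's exported files. File names, the CA name OfflineRootCA and the validity value are assumptions:

```powershell
# Added example: publish an offline standalone root CA's certificate and CRL
# into AD, then verify the subordinate CA's chain the way certsvc does at
# start-up. Assumed paths: files copied from the offline root via removable media.
$RootCert = 'C:\PKI\OfflineRootCA.crt'
$RootCrl  = 'C:\PKI\OfflineRootCA.crl'
$SubCert  = 'C:\PKI\IssuingCA.crt'     # certificate issued to the subordinate

# --- On the OFFLINE ROOT, before signing the subordinate's request ---
# A fresh root issues 1-year certificates by default; set the lifetime the
# subordinate should get (assumed 5 years) and restart the service.
# certutil -setreg CA\ValidityPeriodUnits 5
# certutil -setreg CA\ValidityPeriod "Years"
# net stop certsvc; net start certsvc

# --- On a DOMAIN-JOINED machine, as Enterprise Admin ---
# RootCA publishes the cert to both the Certification Authorities and AIA
# containers under CN=Public Key Services; -f overwrites an existing object.
certutil -dspublish -f $RootCert RootCA
# The base CRL goes into the CDP container; every subordinate and client
# that resolves the root's LDAP CDP URL reads it from here.
certutil -dspublish -f $RootCrl

# Seed the local machine Root store too, so the verification below does not
# depend on Group Policy having refreshed the enterprise store yet.
certutil -addstore -f Root $RootCert

# Same check the Event 103 text gives, with the configuration naming context
# read from RootDSE instead of typed in. -viewstore opens the store viewer.
$ConfigNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
certutil -viewstore "ldap:///CN=OfflineRootCA,CN=Certification Authorities,CN=Public Key Services,CN=Services,$ConfigNC?cACertificate?base?objectClass=certificationAuthority"

# Build the subordinate's chain and fetch every AIA and CDP URL embedded in
# the certificates. Each URL is listed with Verified or Failed; a CDP that
# fails here is what makes certsvc report the revocation server as offline.
certutil -verify -urlfetch $SubCert
```

If the root's CRL was reissued after a revocation (as in the post above), republish the new CRL and rerun the -urlfetch check before starting the subordinate's service.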

If the subauthority was working properly, then you should have simply renewed the CA certificate. The original request file is tied to the revoked certificate on the root and that is why you are seeing an error. At this point, you might want to remove all references to the subauthority from AD, uninstall the role and reinstall it.
fr3dd
March 24th, 2011 6:32pm

Removed everything and did it. Seemed to work fine. But then the integrity of the certificate could not be guaranteed on the Windows 2003 domain controller. So, I re-did it using SHA1 this time. The subordinate CA was set up to issue certificates for 4 years. But then a certificate a user requested from the web has a validity of a year.
March 25th, 2011 8:09pm

Thanks for your help. Fooled around a bit and it's set now. Tested it against a domain controller and it is happy with the two certs. The whole process was a pain due to the lack of a thorough document for this case. Hopefully, I won't have to worry about it for a while now.
March 26th, 2011 12:33am

huckleberry, I'm in the same boat as you. What are some of the kinks that you ran into? I just built a new virtual non-domain root CA. I still have the existing PKI infrastructure to decommission. I would ideally like minimal downtime for users. Any suggestions would be greatly appreciated.
June 16th, 2011 6:53am
