Second enterprise certificate authority
I have a single domain, contoso.com, with 2 sites that are connected with VPN.
In one site I have SERVER1 with the roles DC, Enterprise CA, DHCP, DNS and File.
Now we want to move servers and change roles to the other site and servers.
Can I build a new SERVER2 in site B, install the Enterprise CA role on it, configure it, and then uninstall the CA role on SERVER1?
Migrating the CA to the new SERVER2 is not really an option, as SERVER1 also does DHCP and file server (I understand that with a CA migration the old server needs to be decommissioned).
August 8th, 2012 4:41am
CA migration can be performed to a new server with a different server name; it is supported but not really recommended because of the added name mapping configuration needed to resolve the name dependencies.
Yes, you can build a new second enterprise CA on the new server and transfer the role of being the active enterprise CA in your domain:
1. Set up the new server with the Enterprise CA role
2. Move the active certificate templates to the new Enterprise CA
3. Decommission the old Enterprise CA
Decommissioning the old CA depends on the number of active certificates and on whether you want to replace all active certificates by forcing a renewal from the new Enterprise CA.
/Hasain
August 8th, 2012 6:39am
Hasain,
Thanks for the reply and answer.
Got a final question if you don't mind :-)
Steps to perform:
1. Create new server and install the CA Ent role
2. Run the CA wizard with the new server name/common name etc.
3. Move certificate templates to the new server <- is this necessary if only default templates are used on the old server?
4. Decommission the old CA by uninstalling the CA role <- all clients have certificates; how do I enforce all clients to renew their certificate from the NEW CA?
Hope you can help me one more time.
August 8th, 2012 12:28pm
Step 3 is needed to redirect all new requests to the new Ent CA only. Just remove the templates from the old CA if you only use the default templates.
Step 4 depends on how the clients originally received the certificates:
- Manually issued certificates need to be replaced manually using the new CA
- Certificates issued with autoenrollment can be renewed by selecting the "Reenroll All Certificate Holders" option on the specific template
An alternative to renewing/replacing all certificates is to just keep the old CA trusted until the last valid certificate has expired or been replaced. This can be done by issuing a CRL that covers the validity time of all issued certificates before uninstalling the old CA.
/Hasain
August 8th, 2012 2:41pm
Hasain,
Thank you so much for the support and answers, much clearer now :-)
To rephrase for me:
1. Create new server and install the CA Ent role
2. Run the CA wizard with the new server name/common name etc.
3. Remove all templates from the old CA
4. Decommission the old CA by uninstalling the CA role
2. Certificates are issued with autoenrollment, so do I need to set "Reenroll All Certificate Holders" on the templates on the new CA?
(An alternative to renewing/replacing all certificates is to just keep the old CA trusted until the last valid certificate has expired or been replaced. This can be done by issuing a CRL that covers the validity time of all issued certificates before uninstalling the old CA) <- as an alternative, can I also keep the old CA on with no templates and the new CA with templates, let all clients get a new certificate, and decommission the old CA after, say, 1 week? (My knowledge about CRLs is not that good :-) Or can you give a quick list of how to do such CRL issuing?
August 8th, 2012 3:27pm
In such a case I would recommend you keep the CA running until all certificates have been replaced!
/Hasain
August 8th, 2012 4:02pm
Hasain, can you confirm the following steps are correct? Then I won't bother you anymore :-)
1. Create new server and install the CA Ent role
2. Run the CA wizard with the new server name/common name etc.
3. Remove all templates from the OLD CA
4. Wait till all certificates are replaced on clients
5. Decommission the old CA
Are these the steps to follow, and should I not apply "Reenroll All Certificate Holders" on the templates? Does this setting then need to be done on the templates on the NEW CA?
August 8th, 2012 4:11pm
Yes, the steps are fine, and you should reenroll all certificate holders on any template used with autoenrollment to speed up the renewal/replacement process. The reenroll setting is done globally on the certificate template: http://technet.microsoft.com/en-us/library/cc728039(v=ws.10).aspx
/Hasain
August 8th, 2012 4:15pm
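To see how far along step 4 (waiting until all client certificates have been replaced) actually is on a given machine, here is an added PowerShell example, not code from the thread: it lists the certificates in the local computer's Personal store and classifies each one by the CA that issued it. The CA common names 'contoso-SERVER1-CA' and 'contoso-SERVER2-CA' are assumed placeholders, not names from the thread.

```powershell
# Added example (not from the thread). Reports which certificates in the local
# computer's Personal store were issued by the old CA versus the new one, so an
# admin can tell whether this host still depends on the CA about to be removed.
# The two CA common names are assumed placeholders; replace them with the CN of
# your old and new enterprise CA.
param(
    [string]$OldCaName = 'contoso-SERVER1-CA',   # assumed placeholder
    [string]$NewCaName = 'contoso-SERVER2-CA'    # assumed placeholder
)

# Certificate-template extension OIDs: v1 templates carry the template name
# (1.3.6.1.4.1.311.20.2), v2 templates carry template OID and version
# (1.3.6.1.4.1.311.21.7).
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

function Get-IssuerCn([string]$Issuer) {
    # Pull the CN out of the issuer distinguished name
    if ($Issuer -match '(?:^|,\s*)CN=([^,]+)') { return $Matches[1] }
    return $Issuer
}

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $issuerCn = Get-IssuerCn $cert.Issuer
    $source = switch ($issuerCn) {
        $OldCaName { 'OLD CA' }
        $NewCaName { 'NEW CA' }
        default    { 'other' }
    }
    $templateExt = $cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    $template = if ($templateExt) { $templateExt.Format($false) } else { '(none)' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        IssuerCN   = $issuerCn
        Source     = $source
        Template   = $template
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

# Count per issuing CA, then list what still comes from the old CA.
$report | Group-Object Source | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Source -eq 'OLD CA' |
    Format-Table Subject, Template, NotAfter, Thumbprint -AutoSize
```

Until the OLD CA list is empty on every client, the old CA (or at least a CRL that covers the remaining certificates, as Hasain describes above) must stay available.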
The reenroll setting is done globally on the certificate template
/Hasain
Globally? You mean, for example, on the Computer certificate template on the NEW CA set this option, right? Because the OLD CA will not have templates anymore as per step 3.
August 8th, 2012 5:11pm
It is set on the template itself, regardless of which CA is using it. Another thing to notice here is that the reenroll operation is only possible when using version 2 certificate templates.
/Hasain
August 8th, 2012 5:30pm
It is set on the template itself, regardless of which CA is using it.
/Hasain
So if I delete all templates from the OLD CA (all default templates), will the NEW CA still have templates available, or are these deleted there too?
August 9th, 2012 2:05am
The templates are objects in Active Directory and are shared among your different enterprise CAs. The template list in each CA is a reference to the AD objects for each template. So deleting a template from the list in one CA just removes the connection between the CA and that template!
/Hasain
August 9th, 2012 12:41pm
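To see this relationship directly, here is an added PowerShell example (not from the thread) that reads the forest's configuration partition and lists, for every enterprise CA, the templates it publishes together with each template's schema version, which also flags the v1 templates that cannot use "Reenroll All Certificate Holders" as noted earlier. It assumes a domain-joined host and a user with the default read access to the configuration partition.

```powershell
# Added example (not from the thread). Enumerates enterprise CAs and their
# published templates straight from Active Directory: every template is one AD
# object, and each CA's certificateTemplates attribute is only a list of
# references to those objects. v1 templates are flagged because the
# "Reenroll All Certificate Holders" operation needs a v2 template.
# Assumes a domain-joined host with default read access to the config partition.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiPath  = "CN=Public Key Services,CN=Services,$configNc"

# One pKICertificateTemplate object per template, shared forest-wide.
$templateVersion = @{}
foreach ($t in ([ADSI]"LDAP://CN=Certificate Templates,$pkiPath").Children) {
    $name    = [string]$t.cn
    $version = [string]$t.'msPKI-Template-Schema-Version'
    # Assumption: a missing schema-version value is treated as a legacy v1 template.
    $templateVersion[$name] = if ($version) { [int]$version } else { 1 }
}

# One pKIEnrollmentService object per enterprise CA; certificateTemplates is
# that CA's published-template list (references, not copies).
$rows = foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pkiPath").Children) {
    foreach ($entry in @($ca.certificateTemplates)) {
        $tmplName = [string]$entry
        [pscustomobject]@{
            CA               = [string]$ca.cn
            Host             = [string]$ca.dNSHostName
            Template         = $tmplName
            SchemaVersion    = $templateVersion[$tmplName]
            ReenrollPossible = ($templateVersion[$tmplName] -ge 2)
        }
    }
}

$rows | Sort-Object CA, Template | Format-Table -AutoSize

# Templates published on more than one CA: clients may enroll from either,
# which is exactly why the old CA's list must be emptied in step 3.
$rows | Group-Object Template | Where-Object Count -gt 1 |
    Select-Object Name, @{ n = 'CAs'; e = { $_.Group.CA -join ', ' } }
```

Removing a template from one CA only changes that CA's certificateTemplates list; the template object in "CN=Certificate Templates" is untouched and stays available to the other CA.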
Awesome explanation Hasain, thanks a million.
But unfortunately the computer certificate is a v1 template, so I cannot select "Reenroll All Certificate Holders" :-(
I'm now stuck because clients don't get a new certificate from the new CA automatically.
If I delete the certificate from the client and issue a certutil -pulse, then I get a new certificate from the new CA, but I don't want to walk to all clients and delete the certificate.
How can I automatically force the clients to get a new cert from the new CA?
August 9th, 2012 1:01pm
My recommendation is to switch to a v2 template that supersedes the Computer template, effectively replacing all current certificates based on the old v1 template.
- Enable Autoenrollment using Group Policy: http://technet.microsoft.com/en-us/library/cc771025(v=ws.10)
- Create a v2 template: http://technet.microsoft.com/en-us/library/cc753370(v=ws.10)
- Configure superseding on the new template: http://technet.microsoft.com/en-us/library/cc753044(v=ws.10)
- Configure Autoenrollment on the new template: http://technet.microsoft.com/en-us/library/cc753452(v=ws.10)
- Publish the template on your CA: http://technet.microsoft.com/en-us/library/cc771937(v=ws.10)
/Hasain
August 9th, 2012 2:53pm
Hasain you are KING +1000 :-)
Thanks for all the effort, I'm on the right track now.
August 9th, 2012 3:03pm