Migrating the Certification Authority From a failed Server to another


  • Thursday, 13 December 2012 18:29

    I am currently working with a site who 2 years ago their CA had a bad hard drive. This CA was running server 2003. At this point any data on that drive cannot be recovered. Currently all new CA servers have a root of this phantom server. What steps can I take to update the Enterprise Root Certification Authority from the failed server to a New server running server 2008 r2?

All replies

  • Thursday, 13 December 2012 21:53

    The existing Enterprise Root CA failed 2 years ago and they have no backups, correct?  I assume that also means they have no copy of the Root CA certificate with the private key.

    In this case, all of the issued certificates from this CA are no longer valid, or at least can't be checked for validity.  You will need to start from scratch and introduce a new Enterprise Root CA: http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx#BKMK_AS1

    All of your Domain Controllers and Computers will enroll for new certificates automatically from the new CA.  If you had any other certificates in use at the company, you will have to re-enroll those with the new CA as well.

    Certificate Templates are stored in Active Directory so loss of the CA does not invalidate those.  However, you must instruct the CA to issue any non-standard Certificate Templates that are required in the environment: http://technet.microsoft.com/en-us/library/cc786293(v=ws.10).aspx

    They may have configured certificate enrollment policy in Group Policy.  You should review these settings for accuracy: http://technet.microsoft.com/en-us/library/dd851772.aspx

    And of course, you should back up the new Root CA database and the CA certificate with private key and store in a secure location when finished.
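The backup step in the reply above is the one that would have avoided this whole situation, so here it is as a concrete script. This is an added example, not code from the thread or from Microsoft; the backup path, the password handling and the CA name shown in the comments are assumptions, and it is written for the certutil.exe that ships with Windows Server 2008 R2 rather than the Backup-CARoleService cmdlet that only exists on 2012 and later.

```powershell
# Added example: back up an AD CS CA (database, CA certificate with private key,
# and the CertSvc registry configuration) and sanity-check the result.
# Run in an elevated PowerShell session on the CA itself.
# Assumed values: backup root folder and the password prompt are placeholders.

$BackupRoot = 'D:\CABackup'                                   # assumption: local, later copied offline
$BackupDir  = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# certutil -backup needs the PFX password as plain text on its command line.
$secure = Read-Host -AsSecureString 'Password to protect the exported CA private key'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Full backup: CA database (DataBase\ subfolder) plus the CA certificate and
#    private key as <CA Name>.p12, protected with the password above.
certutil -p $plain -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 2. The CA's configuration (templates to issue, CRL/AIA publication paths,
#    validity periods) lives in the registry, not in the database, so export it too.
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
reg export $regKey (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y | Out-Null

# 3. CAPolicy.inf (if present) governs renewals of the CA certificate; keep a copy.
$policy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $policy) { Copy-Item $policy $BackupDir }

# 4. Verify the pieces are actually there before calling it a backup.
$pfx = Get-ChildItem -Path $BackupDir -Filter '*.p12' | Select-Object -First 1
if (-not $pfx) { throw 'No CA certificate/private key (.p12) was exported' }
if (-not (Test-Path (Join-Path $BackupDir 'DataBase'))) { throw 'Database folder missing from backup' }

# Confirm the PFX opens with the password and contains a private key.
$pfxObj = New-Object Security.Cryptography.X509Certificates.X509Certificate2
$pfxObj.Import($pfx.FullName, $plain, 'Exportable')
if (-not $pfxObj.HasPrivateKey) { throw 'Exported CA certificate has no private key' }

"Backup written to $BackupDir"
"CA certificate: $($pfxObj.Subject), thumbprint $($pfxObj.Thumbprint), expires $($pfxObj.NotAfter)"
Remove-Variable plain
```

Once the script reports success, copy the folder to offline media and record the password separately from it; a backup of a root CA key that sits on the CA's own disk would have been lost in exactly the way described in the question.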

  • Friday, 14 December 2012 05:09

    For details about Certificates,the Security forum is the better place: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads

    Best Regards,

    Sandesh Dubey.

    MCSE | MCSA:Messaging | MCTS | MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Friday, 14 December 2012 05:15

    See the AD_CS_Migration_2008_R2.pdf

    http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=17877


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

  • Monday, 17 December 2012 13:19

    After creating a new server my Domain has two root Certification Authorities. When a client requests a certificate the certification path still points to the old CA that has been off the network for two years.
  • Monday, 17 December 2012 15:53

    If clients are receiving valid certificates that are signed by your old Enterprise Root CA, that CA is still online.  It isn't possible to have a certificate whose parent doesn't exist anymore.  All certificates that get issued are cryptographically signed by the parent CA.  So in short, that CA is still on your network somewhere (possibly someone moved it to another server).
  • Monday, 17 December 2012 16:03

    The clients are receiving certificates from a server that is still on the network. We have another CA. The root CA is the one that is no longer on the network.

    So the CA issuing certs references the old root in its certification path. (If I view an issued cert, the tree is listed as the Root --> the CA --> then the Cert.)

    I have created a new CA using the article you pointed out above and ensured it is a root CA. If I request a cert from the new CA everything is fine.

    How do I update the other CA issuing certs to use the new root CA as its certification path?

  • Monday, 17 December 2012 16:11
     
     Answered

    I see, thanks for clarifying.  You'll need to issue a new CA certificate to the subordinate CA and replace its existing certificate.  You may be able to actually renew the existing CA certificate on the subordinate CA but I'm not 100% sure on that.  I would still try this first: http://technet.microsoft.com/en-us/library/cc776691(v=ws.10).aspx.  When choosing the CA to send the request to, click Browse and select the new root CA.

    If this doesn't work, you can request a new CA certificate using certutil.exe.  Another alternative is to remove AD Certificate Services from that machine then re-install it.
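The certutil.exe route mentioned in the marked answer, written out end to end. This is an added example for the situation the thread describes (a surviving subordinate CA whose parent root is gone and a freshly built replacement root); it is not from the thread or from Microsoft, and the CA names, host names and file paths are placeholders. It assumes the new root is an Enterprise Root CA in the same forest, that the account running it is a member of Enterprise Admins, and that the new root's policy module issues subordinate CA requests automatically; if the request goes to Pending instead, the retrieve step at the end covers that.

```powershell
# Added example: re-parent an existing subordinate CA under a new Enterprise Root CA
# using certutil.exe / certreq.exe (Windows Server 2008 R2).
# Assumed names (placeholders): adjust to your environment.
$NewRoot = 'newroot.corp.example\Corp Root CA v2'      # assumption: the replacement root
$SubCA   = 'issuing.corp.example\Corp Issuing CA'      # assumption: surviving subordinate CA
$Work    = 'C:\CAReparent'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 0. Record how the subordinate currently chains (expect the old, dead root as issuer).
certutil -config $SubCA -ca.cert (Join-Path $Work 'subca-before.cer')
certutil -verify -urlfetch (Join-Path $Work 'subca-before.cer')

# 1. Make sure the new root's certificate is published to AD so every domain member
#    trusts it via autoenrollment. Run this from the root (or with its .cer at hand).
certutil -config $NewRoot -ca.cert (Join-Path $Work 'newroot.cer')
certutil -dspublish -f (Join-Path $Work 'newroot.cer') RootCA
certutil -dspublish -f (Join-Path $Work 'newroot.cer') NTAuthCA   # needed for smart-card/Kerberos cert logon

# 2. On the subordinate: generate a renewal request for its CA certificate and send it
#    straight to the new root. ReuseKeys keeps the subordinate's existing key pair, so
#    certificates it has already issued still chain through the renewed CA certificate
#    (same subject, same key identifier) to the new root.
#    Run this ON the subordinate CA.
certutil -config $SubCA -renewCert ReuseKeys $NewRoot
if ($LASTEXITCODE -ne 0) {
    # Assumption: the request was not auto-issued. Approve it on the new root (Certification
    # Authority console, Pending Requests), note the Request ID, then retrieve and install.
    $requestId = Read-Host 'Request ID of the approved subordinate CA request on the new root'
    certreq -config $NewRoot -retrieve $requestId (Join-Path $Work 'subca-new.cer')
    certutil -installCert (Join-Path $Work 'subca-new.cer')
}

# 3. Restart the subordinate so it signs with the renewed certificate, then publish a
#    fresh CRL from it.
Restart-Service CertSvc
certutil -config $SubCA -CRL

# 4. Verify: the subordinate's current CA certificate must now chain to the new root,
#    and CRL/AIA fetches must succeed.
certutil -config $SubCA -ca.cert (Join-Path $Work 'subca-after.cer')
certutil -verify -urlfetch (Join-Path $Work 'subca-after.cer')

# 5. Push the new root into client trust stores now rather than waiting for the next
#    Group Policy refresh, then re-check an end-entity certificate issued by the subordinate.
gpupdate /force
certutil -verify -urlfetch 'C:\Temp\some-issued-cert.cer'   # assumption: any cert the subordinate issued
```

Keep the subca-before.cer and subca-after.cer files: comparing them (certutil -dump) is the quickest way to show that the subject and key identifier are unchanged and only the issuer, serial number and validity period differ. If you renew with a new key instead of ReuseKeys, every certificate the subordinate issued before must be re-enrolled, which is the same cost as the remove-and-reinstall alternative the answer mentions.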