High level CA decom question.
-
Wednesday, November 21, 2012 9:14 PM
I have read a few articles on this but I am not sure which one applies to us
We are retiring our 2003 DCs and moving to Server 2008 R2. All the 2008 DCs are up and running... all services are transferred except for:
One of the 2003 servers is an Enterprise Root CA.
I don't think we have a lot of applications that use certs issued by it, just OCS and Wireless 802.1X auth.
What would make the most sense in this layout? Add another Enterprise CA, issue new certs to OCS and Wireless, and retire the old one?
I have seen docs on migration but I think the computer name has to be the same (or am I reading this wrong)?
Maybe there is a better way I am not aware of?
Thanks
Drew
All Replies
-
Thursday, November 22, 2012 9:42 AM
I would vote for a replacement scenario, especially if you have a limited number of issued certificates that can easily be replaced.
The computer name dependency is still there. Although it is now supported to migrate an enterprise CA to a new host with a new name, you still need to take care of the name mapping issues that result.
/Hasain
- Marked As Answer by K_evin Zhu (Microsoft Contingent Staff, Moderator), Monday, December 03, 2012 8:58 AM
-
Friday, November 23, 2012 2:27 PM
Thanks,
Would this make sense?
- disable issuing new certs on the old enterprise ca
- install a new enterprise ca
- issue certs to the servers that need the new certs. On the old server I see certs issued to the OCS server, the RADIUS server (for wireless) and a handful of DCs. The DCs worry me the most because I don't know what the impact of doing this would be. I have a test environment to play with but I feel in over my head a little.
-
Friday, November 23, 2012 2:34 PM
The steps are just fine to begin with.
Both old and new enterprise CAs are going to be equally trusted in AD, but you need to make sure that any other systems outside of AD trust the new CA before replacing the various certificates. The same applies if you have any certificate specified in any configuration or setting that must change upon certificate replacement/renewal from the new CA.
/Hasain
- Marked As Answer by K_evin Zhu (Microsoft Contingent Staff, Moderator), Monday, December 03, 2012 8:58 AM
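The two checks the replies above ask for, inventorying what still chains to the old Enterprise Root CA and confirming each server trusts the replacement CA before its certificate is swapped, as an added PowerShell example. This is not code posted by Drew or Hasain; the CA config string, thumbprints and host names are placeholders I made up, and it assumes PowerShell remoting (WinRM) is enabled on the target servers and that the script runs as an account with read access to the old CA database.

```powershell
# Added example for this thread (not the posters' code).
# Part 1: list the still-valid certificates recorded in the old CA's database.
# Part 2: on each candidate server, find LocalMachine\My certificates whose chain
#         ends at the old root, and report whether the new CA root is already trusted.
# Placeholder values below are made up; replace them with your own.

$OldCaConfig     = 'OLDDC2003\Contoso Enterprise Root CA'    # placeholder: "host\CA common name"
$OldCaThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567' # placeholder: old root cert thumbprint
$NewCaThumbprint = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98' # placeholder: new CA root cert thumbprint
$Targets         = @('ocs01', 'nps01', 'dc01')                 # constructed list of servers to check

# Part 1. Disposition 20 = issued; the NotAfter filter drops already-expired rows.
function Get-OldCaIssuedCerts {
    # certutil parses the restriction date in the machine's locale; adjust the format if needed.
    $today = (Get-Date).ToString('MM/dd/yyyy')
    $csv = certutil -config $OldCaConfig -view `
        -restrict "Disposition=20,NotAfter>=$today" `
        -out 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter' csv
    $csv | ConvertFrom-Csv
}

# Part 2. Chain building is done on the remote host so it uses that host's own trust store,
# which is exactly the store that must contain the new CA before the swap.
function Test-HostAgainstNewCa {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $OldCaThumbprint, $NewCaThumbprint -ScriptBlock {
        param($oldThumb, $newThumb)
        $dependent = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # inventory only; revocation is not the question here
            [void]$chain.Build($cert)
            $chainThumbs = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
            if ($chainThumbs -contains $oldThumb) {
                '{0} (expires {1})' -f $cert.Subject, $cert.NotAfter
            }
        }
        New-Object PSObject -Property @{
            Computer    = $env:COMPUTERNAME
            OldCaCerts  = @($dependent)
            TrustsNewCa = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $newThumb })
        }
    }
}

Get-OldCaIssuedCerts | Format-Table -AutoSize
Test-HostAgainstNewCa -ComputerName $Targets | Format-List Computer, TrustsNewCa, OldCaCerts
```

Run the first part against the old CA before you stop it issuing; anything it lists that is not in your own OCS/RADIUS/DC inventory is a dependency you did not know about. Run the second part again after the new CA has been published, and only start replacing certificates on a host once it reports TrustsNewCa as True; a host that still shows entries under OldCaCerts after the swap is one where a configuration setting still points at the old certificate, which is the case Hasain warns about.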

