Renew PKI Hierarchy - Pretty Urgent

  • Wednesday 09 May 2012 06:48

    Hi

    My client would like to renew their Root CA, which means their issuing CA should also be renewed.

    Currently it is a two-tier hierarchy and the end-user certificates are being issued randomly, in an ad-hoc manner. The root is an offline Windows 2003 CA, 2048-bit key length, valid for 10 years. The issuing CA is an enterprise Windows 2003 CA, 1024-bit key length, valid for 8 years.

    Here is my plan:

     - Retain the current offline Root CA (valid for 2 more years) and Issuing CA (valid for one more year).

     - Install a new offline Root CA (2048-bit, 15 years validity) and Issuing CA (2048-bit, 10 years validity) on a new server. I would love to configure 4096-bit for the root, but we have some systems that do not have the capability to consume such large keys.

     - Configure the certificate templates, but DO NOT assign the templates to the issuing CA as of yet.

     - Publish the new Root CA & Issuing CA using GP for domain members and manually for non-domain members, just to give enough time for all the clients to have the new CAs installed in their trust store.

     - Around Jun '12, remove the certificate templates from the current CAs (which issue 6-month end-user certificates) but retain CRL generation capability.

     - Assign the certificate templates to the new Issuing CA to handle all renewal and new certificate requests from that point in time.

    This way all systems trust the new CAs when they receive renewed & new certificates. The current CAs would live on generating CRLs for the current certificates until all of them expire.

    For all the geeks around in this forum, my question to you is: "Is my plan technically feasible?" If not, please point out my mistakes. Even better if you could let me know a better approach. Also, from a knowledge point of view, can multiple enterprise issuing CAs, each signed by a different Root CA, be concurrently operational in one domain?

    Thanks in advance.

    Sanurajan
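    The cut-over the post above describes, written out as certutil commands. This is an added example, not from the thread or its participants: the host and CA names (NEWROOT, OLDISSUE\OldIssuingCA, NEWISSUE\NewIssuingCA), the HTTP CDP/AIA host pki.example.com, the file paths and the template list are assumptions to be replaced with your own. The certutil switches are the same from cmd.exe on a Windows 2003 CA; PowerShell is only used for the loop and the CAPolicy.inf here-string.

```powershell
# Added example (not from the thread): the cut-over plan above as certutil commands.
# Names, paths, pki.example.com and the template list are assumptions.

# ---- 1. New offline root: CAPolicy.inf must be in %SystemRoot% BEFORE Certificate Services is installed ----
# Single-quoted here-string so PowerShell leaves "$Windows NT$" alone.
$capolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=15
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $capolicy -Encoding Ascii

# ---- 2. On the new root, after install and BEFORE signing the issuing CA request ----
# A subordinate's lifetime is capped by the PARENT's ValidityPeriod (default 1 year), so
# without this the "10 year" issuing CA comes back from the root as a 1-year certificate.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
# An offline root cannot serve AIA/CDP itself: point the extensions at an HTTP host and at AD
# (flag 1 = write the file locally, 2 = put the URL in the extension, 8 = publish to AD).
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.example.com/pki/%3%8.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/pki/%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
net stop certsvc; net start certsvc
certutil -CRL                      # first CRL; copy it and the root .cer off the box

# ---- 3. Domain side, as Enterprise Admin: root cert and CRL into the AD configuration partition ----
# Domain members pick these up automatically; the GPO "Trusted Root Certification Authorities"
# entry the post mentions is the alternative.
certutil -dspublish -f C:\Transfer\NewRootCA.cer RootCA
certutil -dspublish -f C:\Transfer\NewRootCA.crl

# ---- 4. Non-domain machines: local machine Root and Intermediate CA stores ----
certutil -addstore -f Root C:\Transfer\NewRootCA.cer
certutil -addstore -f CA   C:\Transfer\NewIssuingCA.cer

# ---- 5. Check trust BEFORE moving any template: chain build AND CRL/AIA fetch must both pass ----
certutil -verify -urlfetch C:\Transfer\NewIssuingCA.cer
if ($LASTEXITCODE -ne 0) { throw "new issuing CA does not chain cleanly on this host; do not cut over yet" }

# ---- 6. Cut-over: templates off the old CA, onto the new one ----
# Removing a template only stops NEW issuance; certificates already issued stay valid and the
# old CA keeps signing CRLs for them, which is exactly what the plan relies on.
$templates = 'User', 'Machine', 'WebServer'        # assumption: your real template list
foreach ($t in $templates) {
    certutil -config "OLDISSUE\OldIssuingCA" -SetCATemplates "-$t"
    certutil -config "NEWISSUE\NewIssuingCA" -SetCATemplates "+$t"
}
# The old CA lives on for CRLs until its last 6-month certificate expires: keep them published.
certutil -config "OLDISSUE\OldIssuingCA" -CRL
certutil -config "OLDISSUE\OldIssuingCA" -CATemplates   # should now list no templates
```

    The step most often missed is 2: the root's own ValidityPeriod registry values decide how long the subordinate certificate it signs will be, not anything on the issuing CA. Step 5 is the gate for the whole plan; a host on which `certutil -verify -urlfetch` fails against the new issuing CA certificate will reject every certificate the new CA issues after the templates move.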

All replies

    • Moved by Elytis Cheng (Moderator), Friday 11 May 2012 04:32 (From: Directory Services)
  • Wednesday 09 May 2012 06:42

    Hello,

    For CA questions I suggest asking the security experts at http://social.technet.microsoft.com/Forums/en/winserversecurity/threads


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Wednesday 09 May 2012 06:50
    Thanks Weber.
  • Wednesday 09 May 2012 08:51
     Answer
    I think it is easier to renew the existing CAs (I guess that they are configured and working properly).

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    • Proposed as answer by Vadims Podans (MVP), Tuesday 15 May 2012 10:40
    • Marked as answer by Elytis Cheng (Moderator), Tuesday 15 May 2012 10:55
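    What "renew the existing CAs" looks like in practice, as an added example that is not from the reply above or from the original poster: both CAs keep their names and their issued certificates, and get new 2048-bit keys. The CA names, config strings and file paths are assumptions. `certutil -renewCert` is not present in every certutil build; where it is missing (Windows 2003 in particular) the same operation is the CA console's "Renew CA Certificate" with "Yes, generate a new key", and the rest is unchanged.

```powershell
# Added example (not from the thread): renewing the EXISTING root and issuing CA in place with
# new 2048-bit keys. CA names and paths are assumptions.

# ---- Root (offline, standalone): the RENEWED root certificate's lifetime comes from CAPolicy.inf ----
$rootPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=15
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $rootPolicy -Encoding Ascii
certutil -renewCert                          # no "ReuseKeys" -> new key pair; a root self-signs immediately
certutil -setreg CA\ValidityPeriodUnits 10   # so the renewed issuing CA certificate can be 10 years
certutil -setreg CA\ValidityPeriod "Years"
net stop certsvc; net start certsvc
# Carry the renewed root certificate to a domain member and publish it; the old root cert
# stays in AD and stays trusted, so existing chains keep working.
certutil -dspublish -f C:\Transfer\RootCA-renewed.cer RootCA

# ---- Issuing CA (enterprise): 1024-bit -> 2048-bit ----
# RenewalValidityPeriod* is ignored for a subordinate; the parent's ValidityPeriod decides.
$subPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $subPolicy -Encoding Ascii
certutil -renewCert                          # writes a new-key request (.req) into the CertEnroll share
# Carry the .req to the offline root, issue it, carry the .cer back:
#   certreq -submit -config "ROOT\RootCA" IssuingCA.req IssuingCA-renewed.cer
#   (if the root holds requests as pending, issue it in the root's console first)
certutil -installCert C:\Transfer\IssuingCA-renewed.cer
net stop certsvc; net start certsvc

# ---- What this buys you, and how to check it ----
# The issuing CA now holds two certificates and two keys. Everything issued under the 1024-bit
# key stays valid, and the CA signs a separate CRL for each key until the old CA certificate
# expires: the "keep the old CA alive for CRLs" requirement, without running a second CA.
certutil -config "ISSUE\IssuingCA" -CAInfo               # CA cert count should be 2, both Valid
certutil -config "ISSUE\IssuingCA" -CRL                  # publishes the CRL for every key
certutil -verify -urlfetch C:\Transfer\IssuingCA-renewed.cer
```

    The practical difference from building a parallel hierarchy is that nothing has to be re-pointed: the CA config string, the templates and the enrollment services object are unchanged, so the only thing clients need is the renewed root certificate in their trust store, which `certutil -dspublish` takes care of for domain members.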
  • Wednesday 09 May 2012 09:20
     Answer

    Hi,

     Kindly check the link below: http://blogs.technet.com/b/pki/archive/2010/04/20/disaster-recovery-procedures-for-the-active-directory-certificate-services-adcs.aspx


    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!