21 April 2011 7:18
I don't know if this is the correct place to ask for this but here goes.
Basically I just started administering a small company network and am encountering some issues when it comes to CA servers. Basically we have 9 servers on the network, all in the same location. 2 of these servers are DCs while another one is an Exchange server. Now the Exchange server and one of the DCs are CA servers and they both have totally different certificates.
Now after a few suggestions here on the forums I am thinking of creating a VM just for this purpose. I want to install it as the main CA and re-issue the certificates from the other servers on this one and remove the other CAs. That's where I need help, though. Can anyone guide me as to the correct procedure and best practice for doing this?
Thanks in advance
17 April 2012 2:45 Moderator
This is a tricky situation. You should first think about your PKI design. Take a look at: PKI Design Guidance http://social.technet.microsoft.com/wiki/contents/articles/2901.pki-design-guidance.aspx
I think you should read the following blog postings as well:
Ultimately, you will see that you don't want to simply replace the existing CAs, but rather to build a good two-tier PKI hierarchy with an offline root CA. However, if that is too much for you to manage, you may elect to do a single Enterprise Root CA. In that case, you will still ultimately want to perform a type of migration to a new server. I think the Amer Kamal blog post will be the most direct step-by-step for you. Still, you might have a difficult time following the steps, so you may have to ask additional questions.
17 April 2012 7:11
Sorry, I don't agree with the "good two tier" PKI. This is just a general "best practice" for general environments and only makes people feel like poor fools when having a single CA. For pure AD forest/domain environments, it is rather an expensive nonsense (in terms of resources, administration, licenses etc.), like you were raking your front garden with a tractor.
Let's think about it:
Why do you generally need CA hierarchy in the first place:
- to have the ability to revoke an IssuingCA if it gets compromised - a RootCA cannot be revoked, so we would keep the RootCA offline to prevent its compromise. In a public environment, how would you inform all of your clients that your RootCA was compromised - imagine a bank that issues certificates for all the private people who want to use its internet banking. So you need the hierarchy with an offline RootCA.
- to have a simple "trust hierarchy" where all clients need to trust only one CA. That means, if you need to implement another IssuingCA later, you will not have to make another hierarchy trusted on the clients. Again, making a CA trusted in a "public diverse" environment may be very expensive - again with the bank example it can be quite clear.
What is the biggest problem with an Offline RootCA?
- it must produce CRLs. Because it is offline, you need to go there, pull it from the safe, sign the CRL "manually", put it back and copy the CRL to a public CDP. If you want to limit the amount of physical manual administration in this regard, you must prolong the CRL validity intervals. The longer the validity, the lesser the security of the hierarchy in case any of the IssuingCAs is compromised.
What about pure domain/forest environments?
- you have a veeery fast and precise method of making a CA trusted on the clients - Group Policy. It applies automatically every 120 minutes. This is extreme speed in comparison with a manual "trust distribution" in public environments. You can make hundreds of different RootCAs trusted on all your clients in a matter of minutes.
- you have an even faster method of making a RootCA untrusted on the clients - Group Policy again. It will be an extreme speed when compared with the CRL publication interval, which is often in units of months.
- what is the risk of having one of your DCs (not CA) compromised? Rebuilding the whole forest, definitely. So imagine you have a forest with loooots of DCs, servers, clients and a single Offline RootCA. What are you going to do when a single DC is found to have a virus running there for some time? You MUST REBUILD THE WHOLE FOREST from scratch or from the last clean backup (meaning ALL MACHINES from the last backup, not just DCs). Come on, the only thing that remains there is the precious Offline RootCA - funny :-)
So why would you install the CA hierarchy with an offline RootCA for a pure domain environment?
17 April 2012 11:28
Agree with Ondrej, and judging by the size of the environment a two-tier PKI is overkill! You can easily decommission the old CAs and start with a new one to reissue the server certificates.
My recommendation is:
- Follow steps 2-5 in http://support.microsoft.com/kb/889250; make sure to only follow 2-5 for all current CAs, this way the old CAs are still valid although they are uninstalled
- Install and configure the new Enterprise CA
- Re-enroll the server certificates
- Perform the rest of the steps from http://support.microsoft.com/kb/889250 to clean up the old CAs
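Before the re-enrollment step it helps to know which server certificates actually chain to the CAs being retired, so nothing is left pointing at a CA that no longer exists. The PowerShell inventory below is an added example, not from the thread or the KB article; the two Issuer names are placeholders for the existing DC and Exchange CAs, and it assumes it is run on each server in the network.

```powershell
# Added example: list LocalMachine\My certificates and flag the ones issued by
# the CAs that are about to be decommissioned. Placeholder issuer CNs; replace
# with the Issuer values shown on the certificates the two old CAs produced.
$OldCaNames = @('CN=OLD-DC-CA', 'CN=OLD-EXCHANGE-CA')

# OIDs for the V1 template name and the V2 template information extensions.
$TemplateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-ReEnrollCandidates {
    param([string[]]$IssuerPrefixes = $OldCaNames)

    foreach ($c in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Match on the issuer prefix so different RDN orderings still hit.
        $fromOldCa = $false
        foreach ($p in $IssuerPrefixes) {
            if ($c.Issuer -like "$p*") { $fromOldCa = $true }
        }

        # Pull the template extension text so the replacement template is obvious.
        $template = $c.Extensions |
            Where-Object { $TemplateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) } |
            Select-Object -First 1

        [pscustomobject]@{
            Subject       = $c.Subject
            Issuer        = $c.Issuer
            NotAfter      = $c.NotAfter
            Thumbprint    = $c.Thumbprint
            HasPrivateKey = $c.HasPrivateKey
            Template      = $template
            ReEnroll      = $fromOldCa
        }
    }
}

# Show only what must be re-enrolled, soonest expiry first.
Get-ReEnrollCandidates |
    Where-Object { $_.ReEnroll } |
    Sort-Object NotAfter |
    Format-Table Subject, Issuer, NotAfter, Template, Thumbprint -AutoSize
```

Certificates with ReEnroll set to True are the ones to request again from the new Enterprise CA (using the same template shown in the Template column) before the final KB cleanup steps remove the old CA objects from AD.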
17 April 2012 19:16 Moderator
I appreciate the explanatory disagreements as the explanations are edifying. I still think the first link, blog by Amer Kamal, on how to accomplish the migration is worth reading in this situation. I like that Hasain has also provided KB resources as an answer. Thanks for providing additional answers Ondrej and Hasain - I think they will be helpful.