 

Answered: Replace PKI

  • Tuesday, 23 June 2009, 11:16 Espen BE
     

    Hi

    We are in the process of replacing our current Microsoft PKI infrastructure. I guess it's possible to replace the MDM server certificates, but what about the enrolled clients: is it possible to do this gracefully without re-enrolling the clients?

    Thanks


All replies

  • Tuesday, 23 June 2009, 16:08 Andreas Helland
     
    If you have a multi-tiered CA infrastructure, I guess you would be able to push down the new root certs to the devices through Group Policy (before you make the switch). Theoretically this should work for the servers (with the assumption that the device has no "memory" of the previous trust chain).

    There is a minor detail though, which is that the devices require a Microsoft Enterprise CA (this CA issues certificates to the devices). While you will be able to use a non-MSFT CA as a root CA, the issuing CA for the devices must be MSFT. And if you need to keep this, you might as well be running your SCMDM servers with certificates from this CA as well.
  • Wednesday, 24 June 2009, 2:03 Wayne Phillips, MVP, Moderator
     Marked as answer

    Even with an MS Enterprise CA, this would be incredibly difficult and would require a large amount of work. In addition to Andreas' points, you need to provision new Device Client Certificates (from the new CA) for each device! Not impossible, but difficult. You'd need to find/develop a tool to perform this function. It's not as "simple" as a user client certificate request :)

    Certificates are so embedded throughout MDM that I doubt this is even possible. Is there a way to get the Mobile VPN to use the new device certificate? I doubt it.

    You might be better off building another Instance, and migrating.

    Good Luck.

    Cheers, Wayne
    Airloom

  • Wednesday, 24 June 2009, 8:11 Espen BE
     

    Hi

    I didn't make myself quite clear. The old CA is a "standalone" Windows 2003 Enterprise root CA running on an old domain controller. The new PKI will also be a Microsoft solution, but with an offline root CA (two-tier).

    I can see your points that this will be difficult. What if I build another instance? I guess I still have to remove the old root CA, breaking the trust chain of the client certs? Or is there a clever way to keep the old certificate chain valid for the "old" instance and let all new enrolments go to the new instance? I will not remove the old CA server from the network yet, but I will remove the certificate services so that we are not strictly dependent on it.

    EBE

  • Wednesday, 24 June 2009, 12:11 Andreas Helland
     Marked as answer
    Ok, that makes sense :)

    Making new enrollments go to the new instance is just a matter of updating the DNS pointers, really. OK, technically you should probably update the SDPs in AD too if you are using the same DNS name. If you are already using mobileenroll.domain.com, all users will by default go to this address, and then the users aren't going to enroll to the new server if you set up a new DNS address. Well, you get the point.

    New enrollments probably aren't the big issue, though. What to do with existing devices is certainly a bigger question. A new instance requires new servers, and you can run multiple instances in parallel in the same AD. So you can bring up a new instance and test whether you are able to "port" a device. I don't know how many devices you have deployed at the moment, but there is a possibility that you will end up having to hard reset and re-enroll the devices. It shouldn't be that much work to bring up a new instance as a lab exercise and do testing.
  • Friday, 26 June 2009, 13:21 Jeff Schertz, MVP
     Marked as answer
    In this case you may want to consider simply disabling the Certificate Templates on the existing CA and then just deploying the new CA. Keeping the old one around will still allow already-issued certificates to function, as well as CRL checking. Once you get a chance to replace all certificates, you could decommission the old system. But by disabling the templates you can block other administrators from mistakenly issuing new certificates against the old CA instead of the new CA.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
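The steps Andreas (publish the new chain before the switch) and Jeff (disable the old CA's templates, keep it alive for CRL checking) describe, put into one PowerShell/certutil sequence. This is an added example, not code from the thread, from SCMDM or from its documentation. The CA config string, template names and certificate file paths are placeholders; the trust check at the end runs on a domain-joined Windows host, since whether an enrolled Windows Mobile device picks up the published root is exactly the question the thread leaves open.

```powershell
# Added example, not from the thread. Every name below is a placeholder:
# the old CA config string, the template names and the certificate files.
$OldCA      = "OLDDC01\Contoso-Old-CA"          # host\CAName of the 2003 Enterprise root CA
$Templates  = @("SCMDMDevice", "SCMDMServer")   # template names as listed by -CATemplates
$NewRoot    = ".\Contoso-Root-CA.crt"           # offline root of the new two-tier PKI
$NewIssuing = ".\Contoso-Issuing-CA.crt"        # new online Enterprise issuing CA
$NewRootCrl = ".\Contoso-Root-CA.crl"
$DeviceCert = ".\device-issued-by-old-ca.cer"   # certificate of an already-enrolled device

# Step 1: trust the new chain everywhere before switching. certutil -dspublish
# writes the certificates into the AD Configuration partition, from where domain
# members pull them into their Root/CA stores at the next Group Policy refresh.
certutil -dspublish -f $NewRoot RootCA
certutil -dspublish -f $NewIssuing SubCA
certutil -dspublish -f $NewRootCrl
gpupdate /target:computer /force

# Step 2: stop the old CA from issuing. List what is enabled, then remove the
# templates (a leading '-' removes, '+' adds). Certificates it already issued
# stay valid; only new requests against these templates are refused.
certutil -config $OldCA -CATemplates
foreach ($t in $Templates) {
    certutil -config $OldCA -SetCATemplates "-$t"
}

# Step 3: keep revocation checking working while the old CA lingers. Existing
# certificates fail chain validation the moment its last CRL expires, so lengthen
# the CRL period and publish a fresh one. Run these on the old CA host itself,
# because the registry change only takes effect after a service restart there.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
net stop certsvc; net start certsvc
certutil -CRL

# Step 4: prove an already-issued certificate still validates after the change,
# with an online revocation check so a stale cached CRL cannot mask a problem.
function Test-IssuedCertificate {
    param([Parameter(Mandatory)][string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok   = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Root    = $root.Subject
        Valid   = $ok
        Status  = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

Test-IssuedCertificate -Path $DeviceCert | Format-List
# certutil's own verifier additionally fetches every AIA and CDP URL and reports each one:
certutil -verify -urlfetch $DeviceCert
```

Run Step 4 before and after Step 2 and again once the old CA's previous CRL would have expired: a device certificate that reports Valid = $true with the old root as Root, and no "revocation" text in Status, is the state Jeff describes, where the old CA issues nothing new but everything it issued keeps working until it is replaced. If Valid turns $false with a revocation status message, the old CA's CRL has lapsed or its CDP is unreachable, which is the usual cause of a silent VPN or enrollment outage during a migration like this one.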