none
How do I stop a sub cert server from issuing any new certificates

    Question

  • I have a enterprise subordinate root server that only has 3 certificates that are active. I would like to decommission it. I have read through the article on decommissioning as well as the 2008 certificate migration guide yet I not sure I understand what stops a CA from issuing certificates. I have posted before and am trying to decide whether I want to migrate the enterprise root to 2008 or start over but since the enterprise subordinate only has 3 active certificates it would be easy to just decommision it and create new issuing subordinate CAs on my 2008 R2 servers. I have stopped auto-enrollment in AD so I think the only way that the existing enterprise CA would issue a certifiacte would via a request to the CA. From what I have read it seems that I need to extend the lifetime of the CRL, revoke the active certificates, and then issue a new CRL. I should then be able to follow through the balance of the process and decommission the CA, decommision the domain controller the CS is running on, and then remove the server from the domain. But what actualy stops an installed CA from issuing certificates?  


    eburch@lasertel.com

    Thursday, March 29, 2012 7:20 PM

Answers

All replies