Direct Access Migration of Root CA

  • Question

  • We have a Domain Controller "DC01" which has the Enterprise Certificate Services role installed, and the CA on this Domain Controller is named "DC01".
    The CDP location on the CA "DC01" is <servername>, so effectively it's LDAP://DC01 (only LDAP is published on the certificates, no HTTP etc.).
    The CA "DC01" issues the version 1 "Computer" certificates with AutoEnrollment to all clients, and all our internal clients and external clients have a "Computer" certificate from CA "DC01".

    Now we have a UAG SP3 server with Direct Access, and all our clients connect successfully with Direct Access as it's set up now.
    In the UAG configuration (wizard) on the IPsec Certificate Authentication screen, under the option "Use a certificate from a trusted root CA", the "DC01" Root CA certificate is selected.

    As per Microsoft best practices we want to move the Enterprise Certificate Services to a new member server "CS01" and effectively create a new Root CA "CS01".

    As we use the version 1 "Computer" certificate template we cannot select "reenroll all certificate holders",
    so the idea is to duplicate the "Computer" certificate template as a v2 template that supersedes the version 1 Computer template; this effectively replaces all current Computer certificates based on the old v1 Computer template on clients.
    Then all clients get a new "Computer" certificate from the new Root CA, but in the UAG Direct Access configuration ("IPsec Certificate Authentication", "Use a certificate from a trusted root CA") the old "DC01" Root CA certificate is still selected.

    Question 1: will this lock out clients that have a new Computer certificate from the new Root CA while the UAG Direct Access configuration still uses the Root CA certificate from the old DC01 CA?

    Another idea is NOT to supersede the version 1 Computer certificate but to AutoEnroll the new v2 duplicated Computer template.
    This means that clients will have a Computer certificate from the old CA "DC01" but also a Computer certificate from the new CA "CS01".

    Question 2: can a client have 2 Computer certificates (1 from the old DC01 CA and 1 from the new CS01 CA) and connect with Direct Access, and will this still work?
    Friday, January 9, 2015 11:32 AM

All replies

  • Yes, the clients will still connect with two different certificates. I haven't had your exact situation before, but I have had to deal with a CA server that died, and we had to replace it with a new one. We stood up a new CA, issued "Computer" certificates again from the new CA (the old certs still existed on all the client computers), and then switched the UAG settings over to the new root CA. This worked.

    I do recommend deleting the old certificates from the client computers if possible, so that there is no potential for conflict down the road. The above scenario worked fine for us, and I have also worked with numerous companies that have multiple machine-type certificates on their client computers; as long as they have one which meets the DA criteria and chains up to the CA that is active in the UAG config, it'll build tunnels.

    Monday, February 2, 2015 7:46 PM
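The reply's criterion is that at least one machine certificate on the client must chain up to the root CA selected in the UAG IPsec Certificate Authentication screen. The script below is an added example, not code from the thread or from Microsoft: run on a DirectAccess client, it lists every certificate in the machine Personal store, builds its chain, records which root it ends at, checks for the Client Authentication EKU that DirectAccess IPsec computer certificates need, and flags whether the root matches the one you are about to make active in UAG. The `$ActiveRootThumbprint` value is a placeholder you replace with the thumbprint of the new CS01 root (or the old DC01 root, to confirm the current state). Running it before and after the supersede/autoenroll step shows whether a client would be cut off by switching UAG to the new root.

```powershell
# Added example (not from the original thread): inventory machine certificates on a
# DirectAccess client and report which of them chain to a given root CA.
# Assumption: $ActiveRootThumbprint is a placeholder; replace it with the thumbprint of
# the root CA selected in the UAG "IPsec Certificate Authentication" screen.
param(
    [string]$ActiveRootThumbprint = 'REPLACE-WITH-ROOT-CA-THUMBPRINT'
)

# Client Authentication EKU; a DirectAccess IPsec computer certificate must carry it.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is switched off so this test isolates trust-chain building.
    # Set it to Online instead if you also want to exercise the LDAP-only CDP from this client.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # The last chain element is the root the chain terminated at (if one was found).
    $rootThumbprint = ''
    if ($chain.ChainElements.Count -gt 0) {
        $rootThumbprint = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    }

    # Collect the EKU OIDs present on the certificate.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    $hasClientAuth = ($ekus -contains $clientAuthOid)
    $matchesRoot   = ($rootThumbprint -ne '' -and $rootThumbprint -eq $ActiveRootThumbprint)

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        ChainBuilt     = $chainOk
        RootThumbprint = $rootThumbprint
        HasClientAuth  = $hasClientAuth
        MatchesUagRoot = $matchesRoot
    }

    $chain.Reset()
}

$results | Format-Table -AutoSize

# A client stays connected after the UAG root switch only if at least one certificate
# builds a chain, has the Client Authentication EKU and ends at the configured root.
$usable = @($results | Where-Object { $_.ChainBuilt -and $_.HasClientAuth -and $_.MatchesUagRoot })
if ($usable.Count -gt 0) {
    Write-Output "OK: $($usable.Count) machine certificate(s) chain to the root CA configured in UAG."
} else {
    Write-Output 'WARNING: no usable machine certificate chains to the configured root; switching UAG to this root would cut this client off.'
}
```

Because both the old DC01 and the new CS01 certificates sit in the same store while the two coexist (the reply's Question 2 scenario), the table makes it obvious which one would carry the tunnel after the switch, and which old certificate can be removed once the migration is done.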