2 Certificate Authority servers on a single network. How to combine them?

  • Question

  • Hi all,

    I just 'inherited' this network that I am on and am finding a lot of problems with it that I can't figure out, and I hope that someone here can help me.

    To give you a basic idea of the network, we have roughly 85 users and 9 servers, of which 2 are DCs, both running Windows 2008. We also have an Exchange 2003 running on Windows 2003.

    Now the problem is this. One of the DCs is the certificate authority on the network and I need to format it because it is not stable at the moment. Also, the Exchange server happens to be a certificate authority too. When I checked what certificates they have, they both have totally different certificates and not one is replicated.

    Now my question is: is it possible to transfer the certificates from both servers to another single server and have it be the CA for the network? Also, is it worth having 2 CAs on a single network? Do they work as a fail-over for each other or anything?

    Another thing: most of the certificates have expired. What is the best possible way to issue a renewal?

    Thanks in advance.

    Wednesday, April 20, 2011 10:29 AM

All replies

  • Hi,

    You posted your question on the Lync security forum. I think you'll get better response if you post your question in the appropriate Windows Server security forum.

    Best regards

    Certified IT Professional Lync Server 2010 / Exchange 2007 - http://www.uwictpartner.be
    If you think my post is the answer to your question, please mark it as answer so future visitors can easily find it.
    Thursday, September 15, 2011 7:59 AM
  • Hi,

    You can have a single Enterprise Root CA deployed, get the old certificates replaced by the new CA and remove the other 2.

    What I see is that the Exchange certificate is the only critical part here. Get a new certificate generated from the new CA and apply it to the Exchange server. Also make sure that the users and other servers have the self-signed certificate of the new CA in their Trusted Root CA store.

    Normally, in any given scenario, it's rare to have 2 Enterprise root CAs in the same network. Since your network is not that large, it's not worth it and makes things more complicated.


    Saturday, October 15, 2011 12:49 PM
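The replacement step described in the reply above, as an added example that is not part of the thread: a PowerShell inventory, run on each Windows server being migrated, that lists machine certificates which are expired or were issued by the CAs being retired, and checks whether the new root CA is in the Trusted Root store. The issuer names and the root thumbprint are placeholders to be replaced with your own values.

```powershell
# Added example (not from the thread). Placeholders, adjust to your environment:
#   $OldIssuers   - distinguished-name fragments of the two CAs being decommissioned
#   $NewRootThumb - SHA-1 thumbprint of the new Enterprise Root CA certificate
$OldIssuers   = @('CN=OLD-DC-CA', 'CN=OLD-EXCHANGE-CA')          # placeholder names
$NewRootThumb = '0000000000000000000000000000000000000000'       # placeholder thumbprint
$WarnDays     = 30                                                # flag certs expiring soon

# Certificates in the computer's Personal store (services such as Exchange use these)
$certs = Get-ChildItem -Path Cert:\LocalMachine\My

$report = foreach ($c in $certs) {
    # Was this certificate issued by one of the CAs that will be removed?
    $fromOldCa = $false
    foreach ($issuer in $OldIssuers) {
        if ($c.Issuer -like "*$issuer*") { $fromOldCa = $true }
    }
    # Classify by remaining validity
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0)              { $status = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays)  { $status = 'EXPIRING' }
    else                              { $status = 'OK' }
    [pscustomobject]@{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        Status     = $status
        FromOldCA  = $fromOldCa
    }
}

# Anything expired, expiring, or issued by a retiring CA needs a replacement from the new CA
$report | Where-Object { $_.Status -ne 'OK' -or $_.FromOldCA } |
    Sort-Object NotAfter |
    Format-Table Subject, Issuer, NotAfter, Status, FromOldCA -AutoSize

# Certificates from the new CA are only trusted if its root is in Trusted Root Certification Authorities
$rootPresent = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $NewRootThumb }
if ($rootPresent) {
    Write-Host "New root CA ($($rootPresent.Subject)) is present in the Trusted Root store."
} else {
    Write-Warning "New root CA thumbprint $NewRootThumb not found in Cert:\LocalMachine\Root; distribute the root certificate (for example via Group Policy) before replacing certificates."
}
```

Run it again after the new certificates are installed: the table should be empty and the root check should report the new CA as present.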