From stand-alone CA to Enterprise CA

Question

  • Currently we have one single stand-alone CA on a domain member server, running Windows Server 2008 R2. We need an Enterprise CA, which we plan to install on Windows 2012 R2. Small environment, about 200 users, some 70 servers (nearly half of them for redundancy). The root certificate is about to expire in about four months.

    The idea is to decommission the stand-alone CA and only have one single Enterprise CA. (Is this in itself a bad idea without a dedicated stand-alone root CA and subordinate Enterprise CA?) Then we would reissue some six certificates.

    We wonder if we could run these two servers in parallel or could this pose a conflict?

    Are there better ideas on how we could go about this?

    Thanks in advance for any sensible answer.


    MCSE: Messaging, MCSA: Office 365, MCSA: Windows Server 2012

    Wednesday, June 7, 2017 9:38 AM

Answers

  • There are certainly a few different ways to do this. To have only one CA server (Root that issues certificates) is never recommended.

    Perhaps the easiest would be to keep the Root CA server, renew its certificate, build your new Enterprise CA (Issuing CA), enroll with the renewed Root CA, then renew all certificates in your environment. This assumes that the Root CA has been reviewed per the documentation link below.

    Note:

    This is just one method and easy enough to do as long as you are careful and have followed best practices regarding your Root CA and the rest of your PKI.

    Hope that helps,

    Bill

    Wednesday, June 7, 2017 1:41 PM
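The renew-the-root-then-enroll-an-issuing-CA sequence Bill outlines, as an added certutil/PowerShell walk-through that is not part of the thread. The host names ROOTCA and ISSUINGCA, the CA names, the C:\Transfer path and the RequestId placeholder are assumptions, and the root's CDP/AIA extensions are assumed to already point at locations that remain reachable after the root is taken offline.

```powershell
# Added example, not from the thread. Renews the stand-alone root CA's own
# certificate, then builds an Enterprise subordinate (issuing) CA enrolled
# against it. All names and paths below are assumed placeholders.

# --- On the stand-alone root CA (Windows Server 2008 R2) ---
# Renew the root certificate but keep the existing key pair, so that
# everything already issued still chains to the same public key.
certutil -renewCert ReuseKeys
Restart-Service certsvc
# Publish a fresh CRL and export the renewed root certificate for the sub CA.
certutil -crl
certutil -ca.cert C:\Transfer\RootCA.cer

# --- On the new Enterprise CA (Windows Server 2012 R2, domain-joined) ---
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# An Enterprise subordinate CA writes a request file instead of self-signing;
# the certsvc service stays stopped until its certificate is installed.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'Contoso-Issuing-CA' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\Transfer\IssuingCA.req' -Force

# --- Back on the root CA: submit, approve and retrieve the sub CA request ---
# On a stand-alone CA the request is held as pending; note the RequestId printed.
certreq -submit -config 'ROOTCA\Contoso-Root-CA' C:\Transfer\IssuingCA.req
certutil -resubmit <RequestId>          # approve the pending request
certreq -retrieve -config 'ROOTCA\Contoso-Root-CA' <RequestId> C:\Transfer\IssuingCA.cer

# --- On the Enterprise CA: install the issued certificate and start the service ---
certutil -installCert C:\Transfer\IssuingCA.cer
Start-Service certsvc
# From here on, server certificates are reissued from the Enterprise CA.
```

Transport the .req and .cer files on removable media, since the root has no business being on the network for this.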

All replies

  • Thanks a lot! This was just the input we needed, the links are excellent (i through vii). However, our existing Root CA is installed on a domain-joined server. Your recommendation is to use a server in a workgroup and take it offline. (The CA was originally only intended to generate some few certificates for Operations Manager, not to serve as a foundation for a PKI, but then some outside consultants started to use it for telephony and Lync. Now certificate enrolment is needed for Cisco ISE.)

    Could we proceed about like this:
    * Build our new Enterprise CA on a domain-joined server, enrolled with the renewed Root CA.
    * Let the Root CA server run about a month or two, until we have issued all new certificates from the Enterprise CA server.
    * Move the Root CA to a non-domain-joined virtual server, securing it following the instructions given in part vii of your link.

    A final question: When we renew the Root CA, will all certificates that have been issued before the renewal still be valid?

    MCSE: Messaging, MCSA: Office 365, MCSA: Windows Server 2012

    Wednesday, June 7, 2017 7:58 PM
  • Hello Jon,

    The best practice is to always have your root CA offline.
    It's even better to not have any network interface on this server.

    If it's a virtual machine, don't forget to encrypt it.

    A root CA can only issue certificates for sub CAs and for itself.
    There are no other templates available for root CAs.
    Thus there is no reason to keep it domain-joined or even online.

    To submit a certificate request from the sub CA to the root CA,
    and get the certificate back to the sub CA, I usually use a USB key.
    After that you should power down your root CA.


    • Edited by Luc Fullenwarth Wednesday, June 7, 2017 9:46 PM Grammarly software pollution
    Wednesday, June 7, 2017 9:43 PM
  • Sure, we'll end up with your and Bill's recommendations. Now it's about transition, how to get there. We have already manually issued certificates to some seven or eight servers from the stand-alone CA, running on a domain-joined server. What I wonder about is:

    * Is it relatively easy to move this stand-alone CA to a new workgroup server which we can take offline?
    * After we have renewed the root certificate, will those certificates we have issued still be valid?

    Mostly I'm concerned about avoiding hiccups while we're moving. We'll reissue those certificates from the new Enterprise CA as soon as possible.


    MCSE: Messaging, MCSA: Office 365, MCSA: Windows Server 2012

    Thursday, June 8, 2017 4:34 AM
  • This approach appears to work very well. Thanks a lot again.

    MCSE: Messaging, MCSA: Office 365, MCSA: Windows Server 2012

    Friday, June 9, 2017 5:20 AM
  • If you renew a certificate, the former one will still remain valid until the expiration date. You can use both in parallel.

    What is important is, like Bill said, that you copy the root CA's certificate and CRL on the sub CA in C:\windows\system32\certsrv.
    Besides that, you must also configure your root CA in this way.

    1. In the root CA's Certification Authority console, right click your CA (the second line) and click Properties.
    2. Then go to the Extensions tab.
    3. In Select Extensions, choose CRL.
    4. A few "strange" paths will appear and you must ensure that if you have an HTTP or an SMB path inside this list, it points to the sub CA.
    5. In Select Extensions, now choose AIA.
    6. Do the same action as in step 4.

    However, in your case there is a pitfall...
    If your formerly issued certificates point to the root CA, when you bring it offline clients cannot validate their certificates anymore.
    Therefore, before you bring it offline, you have to ensure that no formerly issued certificate is still in use. Otherwise, the applications which use old certificates (but still with a valid date) may consider them as invalid because the server which is supposed to validate them is offline.

    Friday, June 9, 2017 7:45 AM
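Luc's steps 1 to 6, the copy of the root certificate and CRL to the sub CA, and a check for the pitfall he describes, done with certutil and PowerShell instead of the console, as an added example that is not from the thread. The URL pki.contoso.com, the old root host name oldrootca.contoso.local, the CA names, drive letters and paths are assumptions; certutil -setreg is used on the root because Windows Server 2008 R2 has no ADCS PowerShell module.

```powershell
# Added example, not from the thread. All host names, CA names and paths are assumed.

# --- On the root CA: point the CDP (CRL) and AIA extensions at the sub CA's web host ---
# Tokens: %1 server DNS name, %3 CA name, %4 cert suffix, %8 CRL suffix, %9 delta suffix.
# Prefix 1 = publish the file here; prefix 2 = put this URL into issued certificates.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.contoso.com/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.contoso.com/CertEnroll/%1_%3%4.crt"
# An offline root is powered on rarely, so give its CRL a long lifetime.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
Restart-Service certsvc
certutil -crl
# Carry CertEnroll\*.crl and *.crt to the sub CA on removable media (Luc's USB key).

# --- On the issuing CA: host the files at that URL and publish them to Active Directory ---
Copy-Item E:\Transfer\*.crl, E:\Transfer\*.crt -Destination C:\inetpub\wwwroot\CertEnroll\
certutil -dspublish -f E:\Transfer\ROOTCA_Contoso-Root-CA.crt RootCA
certutil -dspublish -f E:\Transfer\Contoso-Root-CA.crl
# Confirm that the sub CA certificate chains and that CRL/AIA fetches succeed over the new URLs.
certutil -verify -urlfetch E:\Transfer\IssuingCA.cer

# --- Pitfall check: which local server certificates still name the old root host in CDP/AIA? ---
$oldHost = 'oldrootca.contoso.local'   # assumed FQDN of the domain-joined stand-alone CA
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $urls = $cert.Extensions |
        Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' } |   # CDP, AIA
        ForEach-Object { $_.Format($true) }
    if ($urls -match [regex]::Escape($oldHost)) {
        [pscustomobject]@{ Subject = $cert.Subject; Expires = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
    }
} | Format-Table -AutoSize
```

Run the last section on each server that received a certificate from the stand-alone CA; anything it lists must be reissued from the Enterprise CA before the root goes offline.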