Cert Authority Migration and SCCM Certs

  • Question

  • Greetings,

    We're looking to move to a 2012 R2 CA up from our 2008 R2 CA. This is mostly due diligence on our part to keep the box up-to-date but also to begin signing certs with SHA2 as opposed to SHA1 from the older CA.

    On the 2008 R2 CA is the client authentication and web-server authentication certificates that SCCM uses for HTTPS communication between the server and clients checking in. Some of these clients are internet-facing and don't check in directly to a CA via VPN or otherwise for months at a time (hence they don't auto-enroll with certs as frequently as they should-- but this isn't a huge problem as the expiration date on the SCCM certs is lengthy.)

    If we retire the former CA and migrate it to the new 2012 R2 CA, will those certs cease to stop working since they are issued by a different CA altogether? i.e. if it's looking for CA1 but only CA2 is servicing CA requests, does that break SCCM's communications? Or does the official instruction/act of migration account for this and continue servicing those requests from clients that otherwise don't know CA2 is the new head-honcho?

    Is it possible to run two CA servers in parallel, the newest of which simply isn't auto-enrolling until we're ready to retire the old one?

    I'm a bit lost where the CA/PKI Infrastructure is concerned, so any advice would be great.


    JMHahn

    Monday, February 8, 2016 10:33 PM

Answers

  • Without CRL checking enabled, the old CA has no part in everyday cert usage. Note however that even though you have CRL checking disabled on the clients, the site systems (IIS really) are still checking the CRL for every cert, so it's best to maintain that old CA until you are sure none of the certs it issued are in use. As long as you do that, then switching to the new CA will work fine. I would bring in a PKI-smart person to help with standing up your new PKI though. Disabling CRL checking is not really a good thing to do. Additionally, if you simply accept all of the defaults when setting up a new CA, you will have a handful of behaviors enabled in your environment that you didn't plan for. Also, you should generally always have at least a two-tier hierarchy.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, February 9, 2016 11:58 PM
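    The two points above, that IIS on the site systems still performs CRL checking on every client certificate and that every relying party must trust the root of whichever CA issued the certificate it sees, can both be checked on a site system before the old CA is switched off. The following PowerShell is an added example written for this thread, not code from the posters or from ConfigMgr: it inventories the machine's Personal store, builds each certificate's chain with online revocation checking (the same check IIS performs), reports the signature algorithm (SHA1 vs SHA2), and confirms that both root CAs are present in the Trusted Root store. The CA names `CA1` and `CA2` are placeholders; substitute your own.

```powershell
# Added example: run on a ConfigMgr site system (or any client) as an administrator.
# Placeholders: replace with the common names of your old and new root/issuing CAs.
$oldIssuingCa = 'CA1'
$rootCaNames  = @('Root CA1', 'Root CA2')

# 1. Are both roots trusted here? A missing root means certs from that CA will
#    fail validation even though the CA itself is running fine.
foreach ($root in $rootCaNames) {
    $present = Get-ChildItem -Path Cert:\LocalMachine\Root |
               Where-Object { $_.Subject -like "CN=$root*" }
    if ($present) { "Trusted root present: $root" }
    else          { Write-Warning "Trusted root MISSING on this machine: $root" }
}

# 2. Inventory certificates and test each one the way IIS does: full chain build
#    with online CRL checking for the entire chain.
$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $valid  = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Reset()

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA vs sha256RSA
        ChainValid    = $valid
        ChainStatus   = if ($valid) { 'OK' } else { $status }   # e.g. RevocationStatusUnknown, OfflineRevocation
        IssuedByOldCa = $cert.Issuer -like "CN=$oldIssuingCa*"
    }
}

$results | Sort-Object Issuer, NotAfter | Format-Table -AutoSize

# 3. Anything still issued by the old CA that chains OK depends on that CA's CRL
#    staying reachable; a non-zero count here means it is too early to retire CA1.
$stillOnOldCa = @($results | Where-Object IssuedByOldCa).Count
"Certificates still issued by ${oldIssuingCa}: $stillOnOldCa"
```

    If the old CA is taken offline before its last CRL expires, certificates it issued will start showing `RevocationStatusUnknown` or `OfflineRevocation` in `ChainStatus`, which is exactly the failure the IIS-side check produces. Keeping the old CA (or at least continuing to publish its CRL to the same CDP locations) until the count in step 3 reaches zero on every site system avoids that.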
  • "If we retire the former CA and migrate it to the new 2012 R2 CA, will those certs cease to stop working since they are issued by a different CA altogether? i.e. if it's looking for CA1 but only CA2 is servicing CA requests, does that break SCCM's communications? Or does the official instruction/act of migration account for this and continue servicing those requests from clients that otherwise don't know CA2 is the new head-honcho?"

    In a mixed environment (2 CAs, each having issued certificates for the same kind of functionality), you need to trust both Root CAs wherever the certificates are validated. In other words, you need to trust Root CA1 if you can still encounter old certificates issued by Issuing CA1, and Root CA2 for the newly issued certificates by Issuing CA2.

    "Is it possible to run two CA servers in parallel, the newest of which simply isn't auto-enrolling until we're ready to retire the old one?"

    Yes. The easiest way is not to have the template on the newest CA's Certificate Templates list in the first place. This will prevent enrolling, auto or otherwise, on that CA and force enrolling on the other one until you're ready.

    Wednesday, February 10, 2016 12:39 PM
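    The parallel-CA approach in the answer above, keeping the SCCM templates off the new CA's Certificate Templates list until cut-over, can be verified and enforced from the CA itself. This PowerShell is an added example for this thread, not the posters' or Microsoft's own script; it uses the `ADCSAdministration` module that ships with the Certification Authority role on Windows Server 2012 and later, and the template names `ConfigMgrClientCertificate` and `ConfigMgrWebServerCertificate` are placeholders for whatever templates you actually published on the 2008 R2 CA.

```powershell
# Added example: run on the NEW (2012 R2) CA as a CA administrator.
# Get-CATemplate / Remove-CATemplate / Add-CATemplate operate on the template's
# LDAP (common) name, not its display name; check the old CA with
# "certutil -CATemplates" if you are unsure which names are in use.
Import-Module ADCSAdministration

# Placeholders: the templates SCCM clients and site systems enroll against.
$sccmTemplates = @('ConfigMgrClientCertificate', 'ConfigMgrWebServerCertificate')

# Templates currently published on this CA; a published template is what
# auto-enrollment (and manual enrollment) will use.
$published = Get-CATemplate | Select-Object -ExpandProperty Name

foreach ($template in $sccmTemplates) {
    if ($published -contains $template) {
        Write-Warning "'$template' is published on this CA; removing it so enrollment stays on the old CA."
        Remove-CATemplate -Name $template -Force
    }
    else {
        "'$template' is not published on this CA; no client will enroll for it here."
    }
}

# Re-read to confirm the final state before leaving the CA in service.
Get-CATemplate | Select-Object Name, Oid
```

    At cut-over the order reverses: `Add-CATemplate -Name <template> -Force` on the new CA, then `Remove-CATemplate` on the old one, so that at no point is a template published on neither CA (which would stall auto-enrollment) or on both (which would let the old CA keep issuing SHA1 certificates you are trying to phase out).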

All replies

  • Retire or migrate? Those are two different things but you mentioned using both. It sounds like you mean retire and stand up a new CA.

    You can have as many PKIs/CAs in place as you want or need -- they're simply services.

    Do you have CRL checking enabled for the clients in ConfigMgr?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, February 9, 2016 12:17 AM
  • Good call, my wording was unclear.

    We mean to retire the 2008 R2 CA and replace with the 2012 R2. I figured that process would include a short window when both boxes were running as a CA.

    I do not have CRL checking enabled-- this was turned off by a tech with Microsoft to assist in some client communication issues we were having when our SCCM 2012 environment was first established.

    This actually all came about due to prepping for ConfigMgr 1511-- we need a CA that will sign SHA2 or the HTTPS client communication won't work (or so Microsoft tells me.)

    I had planned to prop up the new 2012 R2 CA and issue the certs I needed while we migrate the old CA to the new, then simply turn off the old SCCM server with the old CA when done. Our previous tech who spent the most time on all things CA left and I wasn't sure how realistic it was to have two CA's running for a period of time without conflict.

    So it sounds like this would work as planned?


    JMHahn


    • Edited by JMHahn Wednesday, February 10, 2016 3:40 PM
    Tuesday, February 9, 2016 2:51 PM