certificate authority change

  • Question

  • I have UAG with Direct Access

    I currently have an internal enterprise CA named CA1.
    I need to move this enterprise CA role to another server, CA2, and can NOT decommission CA1.
    What I want to do is (and tested in a test environment):

    1. Back up CA1 (cert, key, database, config, etc.)

    2. Uninstall the enterprise CA role on CA1

    3. Install the enterprise CA role on CA2, select Root, and use/import the key & cert from CA1

    4. Restore the CA cert, key, database, config, etc. from CA1 to CA2

    Now CA2 nicely issues certificates, but I wanted to know what impact this change has on DirectAccess. Clients currently still have certificates issued by CA1, but they seem to be trusted when I view the properties of the cert and the chain. Will DirectAccess also continue to work, or do I need to reconfigure settings in UAG/DirectAccess and/or in GPOs?

    Thursday, August 9, 2012 4:33 PM

All replies

    As far as I understand you only moved the CA from one server to another, right? As long as your clients still have and get a certificate issued by the same CA, then DirectAccess is fine. The DirectAccess Server must trust your CA, which it already does. And the DirectAccess Server needs to know which CA issues the certificates. This is needed, because otherwise you would be able to use 3rd-party CAs located on the internet.

    So as far as I understand, you are fine.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Tuesday, August 14, 2012 1:56 PM
  • Make sure the CRL is published after the move if you are using the same CA for the IP-HTTPS connections. Otherwise, they will fail.
    Wednesday, August 15, 2012 11:32 PM
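As an added example, not code from the thread or from either poster: a PowerShell check to run on a DirectAccess client (or on the UAG server) after the four-step backup/restore described in the question, covering the point in the last reply that the CRL must be published again from the moved CA. It confirms that the trusted CA certificate and the client's machine certificate still chain to the same CA key, builds the chain with online revocation checking (what IP-HTTPS depends on), and fetches each HTTP CRL distribution point to report its NextUpdate. The CA name `CA1`, the 'Client Authentication' EKU hint and the temp file path are assumptions for this example.

```powershell
# Added example (not from the thread): post-move checks for an AD CS CA that was
# backed up on CA1 and restored on CA2. Run on a domain-joined DirectAccess client
# or on the UAG server. Assumes the CA certificate is in the machine Root store and
# that the machine holds a certificate issued by it. Both values below are placeholders.
$CaCommonName   = 'CA1'                    # CN of the CA (unchanged by the move)
$ClientCertHint = 'Client Authentication'  # EKU friendly name on the DA client certificate

# 1. The CA certificate the clients trust: same key means the same thumbprint before and after.
$caCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$CaCommonName*" } |
    Select-Object -First 1
if (-not $caCert) { throw "CA certificate for $CaCommonName not found in the Root store" }
"Trusted CA cert: $($caCert.Subject) thumbprint $($caCert.Thumbprint)"

# 2. Pick the newest machine certificate issued by that CA with the client-auth EKU.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $caCert.Subject -and
                   ($_.EnhancedKeyUsageList.FriendlyName -contains $ClientCertHint) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) { throw "No client-auth certificate issued by $CaCommonName found" }
"Client cert: $($clientCert.Subject) expires $($clientCert.NotAfter)"

# 3. Build the chain with online revocation checking. A CRL that was not re-published
#    after the move shows up here as RevocationStatusUnknown / OfflineRevocation,
#    not as a trust failure, which is why the certificate still "looks" fine in the UI.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$ok = $chain.Build($clientCert)
"Chain builds with revocation check: $ok"
foreach ($s in $chain.ChainStatus) { "  status: $($s.Status) - $($s.StatusInformation.Trim())" }

# 4. Confirm the chain really terminates at the expected CA key.
$topOfChain = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($topOfChain.Thumbprint -ne $caCert.Thumbprint) {
    Write-Warning "Chain terminates at $($topOfChain.Subject), not at the expected CA"
}

# 5. Fetch each HTTP CRL distribution point named in the client certificate and report
#    NextUpdate, so a CRL that will lapse because the moved CA has not published is caught early.
#    (LDAP CDPs are skipped; the text form of the extension on Windows lists them as URL=ldap://...)
$cdpExt = $clientCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { Write-Warning 'Client certificate carries no CRL Distribution Points extension' }
else {
    $urls = [regex]::Matches($cdpExt.Format($true), 'URL=(http\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        $tmp = Join-Path $env:TEMP 'da-crl-check.crl'   # placeholder temp path
        try {
            Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
            # certutil -dump prints the CRL fields in text; pick out the NextUpdate line.
            $next = certutil -dump $tmp | Select-String 'NextUpdate' | Select-Object -First 1
            "CRL $url -> $($next.Line.Trim())"
        } catch {
            Write-Warning "CRL fetch failed for $url : $($_.Exception.Message)"
        }
    }
}
```

Run it once before the move and once after: the CA thumbprint and the chain result should be identical, and every CRL should report a NextUpdate in the future. If step 3 reports RevocationStatusUnknown or OfflineRevocation while step 4 is clean, the trust is intact and the problem is CRL publication from the new server, which is exactly the IP-HTTPS failure the last reply warns about.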