PKI 2003 to 2012 RRS feed

  • Question

  • Hello, experts,

    I'll tell you my "problem"

    We have one AD, with 3 domain controllers (2012 R2), for about 150 users.

    In this AD, there is a pki enteprise root (windows server 2003...)

    This CA only distributes 4 certificates (3 to the Domain controller to be able to use LDAPS, and another one for a NPS and to be able to validate wifi connections)

    The question, finally, we have bought licenses to migrate it, and I have doubts and I have 2 options ...

    1. Migrate it from 2003 to 2012 via
    A) Backup CA with private key, export registration key
    B) Unlock CA 2003 and turn it off (here I have doubts about whether to depromote the member server, remove AD machine account or simply turn off this server and add 2012 with the same name as 2003
    C) Install a 2012, with the same name and ip as 2003 and add it to the domain.
    D) Install CA in 2012 and install with the private key, restore backup, and import registration key 2003

    2) Eliminate 2003 altogether.....and install a completely new CA 2012, with the new features.....type SHA256 instead of SHA1

    My question is.....being a very small PKI, is it worth migrating? Or does it take less time to install a new one and create new certificates for the DC and NPS

    What would you do?

    Please... have some consideration, I'm IT Junior... I'm just getting started.

    Thank you! And I'm sorry if I said anything wrong.

    Translated with www.DeepL.com/Translator (free version)
    Sunday, July 12, 2020 4:03 PM

All replies