How can I migrate to a new CA without breaking DA?

  • Question

  • Hi,

     We currently have DA running on Windows 2012 R2 using a SHA1 CA. We've deployed a new SHA256 CA running on Windows 2016. Currently, both CAs are running side by side, with the SHA1 being the primary CA for the organisation, e.g. it's been used by GPOs to auto-enroll computer certificates and it's used by the DA server. Both CAs are trusted by the organisation.

    We're now in a position to migrate over to the new SHA256 CA, what's the best way to do this without interrupting the current DA service for clients?

    Thanks

    Thursday, July 26, 2018 8:07 AM

Answers

  • Yes, unfortunately that is correct. The way that I generally handle this situation is to try my best to coordinate the CA server replacement with also swinging over to a new DirectAccess server at the same time. (a little more detail on that in my last post) If this is a possibility, we can make it a clean migration where users do not have to visit the office.

    If you have any specific questions or concerns on it, or just need to verify anything, feel free to get ahold of me directly as well.

    Jordan.Krause@ivonetworks.com

    Thursday, August 23, 2018 2:41 PM

All replies

  • Hiya,

    If both CAs are running in parallel, you should be able to create new certificates from the compliant CA and add those to your certificate policies. When you have done that, you can replace the various certificates on your Direct Access server.

    0: Make sure you control which CA is actually issuing new certificates, as described in this answer:

    https://serverfault.com/questions/276342/adding-new-root-enterprise-ca-without-disturbing-existing-one

    After that, you should focus on two things:

    1: Add new ones to GPO, allow a few days to pass, so that you are sure that clients have received new CA certificate(s). Don't forget full chain, if you are using separate Root CA. When all clients have the new certificate chain (Intermediate + Root) in certificate store, proceed.

    2: Update autoenrollment policy (Template) of certificates from new CA instead of old CA.

    When those two are in place, you can go ahead and replace the existing certificates in your Direct Access environment so it uses certificates from the newly issuing server.

    https://directaccess.richardhicks.com/2016/11/15/directaccess-expired-ip-https-certificate-and-error-0x800b0101/

    3: Clean up.

    Monday, July 30, 2018 10:21 AM
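A readiness check for steps 1 and 2 of the reply above, added here as an example and not part of the original thread: run on a DirectAccess client, it reports whether the new Root (and separate Intermediate, if any) CA certificates have arrived in the machine stores via GPO, and whether auto-enrollment has already delivered a machine certificate that chains to the new root and carries the Client Authentication EKU that IPsec uses. The thumbprint values are placeholders to be replaced with the new SHA256 CA's own.

```powershell
# Added example: verify on a DA client that the new CA chain is in place before
# switching the machine-certificate CA in the Remote Access wizard.
# Placeholders below are assumptions; replace with the new SHA256 CA's thumbprints.
$NewRootThumbprint    = 'REPLACE_WITH_NEW_ROOT_CA_THUMBPRINT'
$NewIssuingThumbprint = 'REPLACE_WITH_NEW_ISSUING_CA_THUMBPRINT'   # leave empty if single-tier

function Test-ChainsToRoot {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
          [string] $RootThumbprint)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Build against the local machine stores only; revocation is deliberately not checked here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Certificate)) { return $false }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($root.Thumbprint -eq $RootThumbprint)
}

function Test-NewCAChainReady {
    param([Parameter(Mandatory)] [string] $RootThumbprint,
          [string] $IssuingThumbprint)
    $result = [ordered]@{}

    # Step 1: new root must be in the machine Trusted Root store (delivered by GPO).
    $result.RootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object Thumbprint -eq $RootThumbprint)

    # Step 1 (two-tier PKI): the issuing CA must be in the Intermediate store as well.
    $result.IntermediatePresent = if ($IssuingThumbprint) {
        [bool](Get-ChildItem Cert:\LocalMachine\CA |
            Where-Object Thumbprint -eq $IssuingThumbprint)
    } else { $true }

    # Step 2: auto-enrollment must have issued a valid machine certificate from the new CA
    #         with a private key and the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
    $fromNewCA = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') -and
        (Test-ChainsToRoot -Certificate $_ -RootThumbprint $RootThumbprint)
    })
    $result.MachineCertFromNewCA = ($fromNewCA.Count -gt 0)
    # Shows e.g. sha256RSA vs sha1RSA, so the old and new issuers are easy to tell apart.
    $result.SignatureAlgorithms  = @($fromNewCA | ForEach-Object { $_.SignatureAlgorithm.FriendlyName })
    $result.Ready = $result.RootTrusted -and $result.IntermediatePresent -and $result.MachineCertFromNewCA
    [pscustomobject]$result
}

Test-NewCAChainReady -RootThumbprint $NewRootThumbprint -IssuingThumbprint $NewIssuingThumbprint
```

Only when `Ready` is true on the whole client population is it safe to move on to switching the DirectAccess configuration, since, as the later replies explain, clients that have not yet received the new settings lose their connection at that point.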
  • Unfortunately this is a tricky one. As stated above, you can certainly issue certificates from both CAs out to both the DA server and all of your DA workstations, that part is pretty easy. Then you'll have new certificates everywhere, but the DirectAccess config will still be using only the old certificates for its authentication.

    The next step you must take is to modify Step 2 inside the DA config wizards, and choose the new root CA for the machine certificate authentication. When you do this, the GPOs will be updated to reflect the new CA server, and the DirectAccess server will immediately start validating client IPsec tunnels against the new CA server. This will break all DirectAccess connections. This happens because all of the client computers still have the "old" GPO settings, referencing the old CA server. The client computers need to get the new GPO settings that tell them they need to call for the new CA server before they will be able to connect again.

    So to do a pure migration from one CA to another involves making all of the client computers check back in and grab new GPO settings, whether they are on-LAN or connecting through some other VPN.

    The way that I have been able to circumvent this a few times is when the company has been in a position to install not only a new CA server, but to have a new DirectAccess server at the same time. This makes everything much more straightforward and smooth. Create the new DA server, "marry" it to the new CA server (so the old DA server continues to work with the old CA server), and then once both DA environments are up and running in parallel, you can migrate users from one DA server to the other in clean fashion, whether those computers are inside the office or working remotely. This is something I have done numerous times with great results, so I know it works.

    Monday, July 30, 2018 5:19 PM
  • Hi Jordan,

    Thanks for the reply, I just want to double check:

    "When you do this, the GPOs will be updated to reflect the new CA server, and the DirectAccess server will immediately start validating client IPsec tunnels against the new CA server. This will break all DirectAccess connections. This happens because all of the client computers still have the "old" GPO settings, referencing the old CA server. The client computers need to get the new GPO settings that tell them they need to call for the new CA server before they will be able to connect again."

    In summary, if the DA clients and the DA server both have certificates from the old and new CA, when we switch the DA server certificate over from the old CA to the new, it will break DA connections until the DA clients are connected back to the corporate network (i.e. brought into the office) and update their GPOs?

    If so, that's going to be a pain :-( 

    Thursday, August 23, 2018 1:11 PM