Direct Access Migration of Root CA

  • Question

  • We currently have a Domain Controller "DC01".
    On this DC01 Certificate Services is installed, and the name of this CA is "DC01".
    The CDP location on this CA "DC01" is <servername>, so it's LDAP://DC01 (and only LDAP is in the CRL distribution point).
    We issue the default/version 1 "Computer" certificate template via AutoEnrollment.
    All our internal clients and external laptop clients have a "Computer" certificate from "DC01".

    Currently we have UAG SP3 with Direct Access enabled, and clients are connecting successfully all over the world.

    Now we want to migrate the "DC01" Domain Controller to Server 2012 R2, move the Certificate Services to a new member server, and set up a new Root CA "CS01".
    This means we need to do two things to keep everything working:

    1. Give all clients a "Computer" certificate from the new Root CA "CS01"
    2. On UAG, change the IP-HTTPS certificate that is used to authenticate Direct Access clients

    For this, I presume the following actions need to be done:

    1. Giving all clients a "Computer" certificate from the new Root CA "CS01"
    As "reenroll all certificate holders" is not available for default/version 1 "Computer" certificates, I cannot do this.
    So the idea is to duplicate the "Computer" certificate template to a v2 template that supersedes the "Computer" template; this effectively replaces all current "Computer" certificates.

    This means the client cannot set up a Direct Access connection anymore because of step 2 above: the UAG IP-HTTPS certificate that is used to authenticate Direct Access clients is still from the old Root CA "DC01".

    Question 1: What can I do to prevent this "locking out" of Direct Access clients that have a new Computer certificate while the certificate on the UAG is still from the old Root CA?

    Another idea would be NOT to supersede the old v1 "Computer" certificate of a client, but to let the client AutoEnroll for a "Computer" v2 (duplicated) certificate from the new CA "CS01". But then the client has 2 computer certificates: 1 from the old CA "DC01" and 1 from the new CA "CS01".

    Question 2: Can a Windows 7 client have 2 Computer certificates from 2 CAs (a v1 and a v2 computer certificate), and will Direct Access still work for this client?
    Friday, January 9, 2015 9:06 AM
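An added check, not part of the original question or of any Microsoft tooling: during the overlap period described in Question 2, the state that matters on each client is which machine-authentication certificates it holds, which CA issued each, and whether each one still builds a valid chain (including revocation, which the LDAP-only CDP on "DC01" can make fail for external clients). The script below inventories that from the local machine store. The CA names 'DC01' and 'CS01' are taken from the question and are assumptions to adjust; the function names are this example's own.

```powershell
# Added example, not from the original post. Lists the local machine's
# certificates that carry the Client Authentication EKU (the default "Computer"
# template does) and reports, per certificate, the issuing CA and whether the
# chain builds with online revocation checking, as an IP-HTTPS handshake would need.
# Assumption: CA common names taken from the question; change for your environment.
$OldCaName = 'DC01'
$NewCaName = 'CS01'

# Client Authentication EKU OID, present on the default "Computer" template.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-MachineAuthCertificates {
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }
}

function Test-CertificateChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Online revocation mode: an unreachable LDAP-only CDP (external laptop, no
    # line of sight to the DC) shows up here as RevocationStatusUnknown / OfflineRevocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    [pscustomobject]@{ Valid = $ok; Status = $(if ($status) { $status } else { 'OK' }) }
}

$report = foreach ($c in Get-MachineAuthCertificates) {
    # Issuer DN looks like "CN=DC01, DC=contoso, DC=com"; keep only the CN.
    $issuerCn = (($c.Issuer -split ',')[0] -replace '^\s*CN=', '').Trim()
    $chainResult = Test-CertificateChain $c
    [pscustomobject]@{
        Subject     = $c.Subject
        IssuerCN    = $issuerCn
        NotAfter    = $c.NotAfter
        Thumbprint  = $c.Thumbprint
        ChainValid  = $chainResult.Valid
        ChainStatus = $chainResult.Status
    }
}

$report | Format-Table -AutoSize

$fromOld = @($report | Where-Object { $_.IssuerCN -eq $OldCaName })
$fromNew = @($report | Where-Object { $_.IssuerCN -eq $NewCaName })
"Computer certificates from old CA ($OldCaName): $($fromOld.Count)"
"Computer certificates from new CA ($NewCaName): $($fromNew.Count)"
if ($fromOld.Count -gt 0 -and $fromNew.Count -gt 0) {
    'This client holds Computer certificates from both CAs (the overlap state in Question 2).'
}

# The new root must be trusted locally (Trusted Root store) for the CS01-issued
# certificate to chain at all; a client missing it will show ChainValid = False above.
$newRootTrusted = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$NewCaName*" }).Count -gt 0
"New root CA ($NewCaName) present in LocalMachine\Root: $newRootTrusted"
```

Run it in an elevated PowerShell on a representative internal client and on an external laptop before cutting over the UAG IP-HTTPS certificate: a client that shows a valid chain for the CS01 certificate and still holds its DC01 certificate is in the state where both the old UAG certificate and the new one can be authenticated, which is the window the migration needs.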