Direct Access moving to a new Certificate Authority

  • Question

  • Hello;

    We are using an internal Microsoft certificate authority to issue certificates for Direct Access. We are in the process of migrating between CAs, but it appears that Direct Access only trusts a single CA at a time. That makes it challenging when moving between CAs, as it's not a simple cutover. Has anyone gone through this process? Looking for some help on how to accomplish this.

    My fallback plan is to have every client request a new cert from the new CA, so each client would have two Direct Access certs, one from the old CA and one from the new CA. Then I would swap which CA Direct Access trusts. The only issue is creating an unattended, automated script to have the clients request a new Direct Access cert (certreq requires an INI, which is cumbersome).

    Thanks.

    Thursday, September 8, 2016 11:17 AM

All replies

  • Your last option is indeed the answer. You have to make sure all your DirectAccess Clients have both computer certificates (from the old and new CA), then change the configuration on the DirectAccess Server(s).

    If you use certificate 'autoenrollment' with an Enterprise CA you don't have to create a script. When you pull down the 'to be issued' computer certificate template from the old CA, it is not available for enrollment and autoenrollment anymore. Then make sure your new CA can issue the computer certificate template. Your domain clients (DirectAccess Clients) will then request a second computer certificate.

    NOTE: In case they don't request a new (second) computer certificate you need to create a new Certificate Template with the same settings.


    Boudewijn Plomp | Conclusion FIT


    Wednesday, October 19, 2016 8:59 AM
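The pre-cutover check the answer describes, as an added PowerShell example (not code from either poster): it verifies that a DirectAccess client holds a valid computer certificate from both the old and the new CA, and, if the new CA's certificate is missing, requests one with the PKI module's Get-Certificate cmdlet instead of a certreq INI. The CA and template names are placeholders for your environment, and the template must allow the computer account to enroll.

```powershell
# Added example, not from the thread. Run elevated on the DirectAccess client.
$OldCaName    = 'OLD-ISSUING-CA'   # placeholder: common name of the old CA
$NewCaName    = 'NEW-ISSUING-CA'   # placeholder: common name of the new CA
$TemplateName = 'Computer'         # assumption: template published on the new CA

function Get-MachineCertsByIssuer {
    param([Parameter(Mandatory)][string]$IssuerName)
    # Only count certificates that are usable for DirectAccess IPsec:
    # issued by the named CA, not expired, and backed by a private key.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.Issuer -like "CN=$IssuerName*" -and
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date)
        }
}

function Test-DualCaReadiness {
    $old = @(Get-MachineCertsByIssuer -IssuerName $OldCaName)
    $new = @(Get-MachineCertsByIssuer -IssuerName $NewCaName)
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        HasOldCaCert    = $old.Count -gt 0
        HasNewCaCert    = $new.Count -gt 0
        # Only flip the DirectAccess server config once every client reports $true here.
        ReadyForCutover = ($old.Count -gt 0) -and ($new.Count -gt 0)
    }
}

$status = Test-DualCaReadiness
if (-not $status.HasNewCaCert) {
    # Get-Certificate (Windows 8 / Server 2012 and later) enrolls against an
    # Enterprise CA template; no INI file is needed for unattended use.
    $result = Get-Certificate -Template $TemplateName -CertStoreLocation Cert:\LocalMachine\My
    if ($result.Status -ne 'Issued') {
        Write-Warning "Enrollment for template '$TemplateName' returned status: $($result.Status)"
    }
    $status = Test-DualCaReadiness
}
$status
```

Collect the output from every client (for example via a scheduled task or remoting) and switch the DirectAccess server to the new CA only when no client reports ReadyForCutover as false.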