Understanding PKI infrastructure and how it works - migration

Question
-
Hi,
We have the following:
Offline Root CA - 2008r2 SHA1
Online Issuing CA - 2008r2 SHA1
Plan:
We are planning on migrating from Server 2008 R2 to 2019. I am following the Microsoft migration document. Once this is done, a week or so later we plan to change from SHA1 to SHA2. We will be migrating from 2008 R2 to 2019 and not changing the server name.
Questions.
1) I want to understand how certificates auto-renew themselves. I cannot find any GPO, so I am not sure exactly how this works. Does the CA control this, AD, or the actual cert?
2) From the above migration plan, if I am to remove the SubCA from the domain and change the computer name so that I can add this to the new 2019 server. In the case of a migration failure, what is the best way to roll back?
Thanks
Answers
-
Hi,
>>If I create another Computer Certificate and give it the correct rights, why is it not listed as an option here in addition to computer, domain controller, enrolment agent and ipsec?
From the article Automatic Certificate Request Settings, we can see:
ACRS is an automated enrollment process that is available in Windows 2000 Certificate Services and remains available in Windows Server 2003 Certificate Services. ACRS provides a method to automatically distribute certificates, but the supported scenarios are limited:
■ Certificates can be distributed to Windows 2000, Windows XP, and Windows Server 2003 computers that are domain members.
■ Only version 1 certificate templates can be distributed.
■ Certificates cannot be distributed to user accounts.
So if we duplicate a certificate, we need to change the version to 1 in ADSI.
Then issue the certificate and we will see it in GPO.
>>how do we know it is pointing to the new server as it doesn't specify the server or CA name.
We can define the different certificate template name on different CA server.
Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.
Best Regards,
Daisy Zhou
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Edited by Daisy Zhou, Microsoft contingent staff, Moderator, Friday, October 25, 2019 9:05 AM
- Marked as answer by ITHelpdeskWD17 Tuesday, October 29, 2019 3:14 PM
All replies
-
Hello,
Thank you for posting in our TechNet forum.
Here are the answers for our questions:
Q1: I want to understand how certificates auto-renew themselves. I cannot find any GPO so not sure exactly how this works. Does CA control this, AD or the actual cert
A1: From the article How Certificates Work, we can see:
Renewal period. The time before the validity period expires when the certificate will be renewed, if reenrollment is supported for the certificate template. By default, the minimum renewal period is 80 percent of the certificate lifetime or 6 weeks, whichever is greater.
And from the third-party article Tips for Certificate Auto-Enrollment Issuance, we can see: Renewal. This is the most misunderstood part of the auto-enroll process. Every certificate issued has a renewal period as part of the template. This does not necessarily mean that the certificate will renew at the exact beginning of that period. For renewal of auto-enrolled certificates, two time frames exist before the action is taken.
First the certificate has to have completed 80% of its validity period and be within the renewal period. So as an example, a certificate that is valid for 1 year reaches the 80% mark at around 41.5 weeks and if the cert has a 6 week renewal period, then the renewal would happen at the 46 week period. So this would happen during the renewal period.
For certificate auto-renewal, we need to configure two settings:
1. We need to set up the GPO:
Computer Certificates Auto-Enrollment (if it is machine certificate)
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment
And
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings > New > Automatic Certificate Request.
User certificates Auto-Enrollment (if it is user certificate)
User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment
For details we can refer to the article Set Up Automatic Certificate Enrollment (Autoenroll).
2. We need to check the Read, Enroll and Autoenroll permissions for specific group or user on the certificate template.
Here is a similar case Renewal of Auto-enrolled certificates made through web enrollment.
Q2: From the above migration plan, if I am to remove the SubCA from the domain and change the computer name so that I can add this to the new 2019 server. In the case of a migration failure, what is the best way to roll back?
A2: We recommend not removing the SubCA from the domain. Instead, add a new 2019 server to the domain and migrate the CA from 2008 R2 to 2019 if the CA environment is running normally. Then, once the last certificate issued by the old 2008 R2 CA has expired, or the last valid certificate has been reissued by the new CA server, we can retire the old 2008 R2 CA server.
From the article Performing the Upgrade or Migration, we can see:
When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same.
And from the article Migrating AD Certificate Services from Windows Server 2008 to Windows Server 2016, we can see:
Unfortunately we cannot migrate the CA database directly from Server 2008 to Server 2016, because the JET database engine changed so much between the two versions that if we restore the backup we get a JET version error at startup and the CA won't start.
But if we add one more step we can successfully fulfill the above tasks.
This additional step is to first restore the DB backup to a Server 2012 R2 CA and then back up the DB again from there. This new backup can now be restored to the Server 2016 CA or the Server 2019 CA.
Reference:
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2
https://blogs.technet.microsoft.com/canitpro/2014/11/11/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2/
Tip 1: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.
Tip 2: Each of the CA migration steps contains a lot of operations, so please test them in a test environment first, to avoid problems in the production environment or so that any problems can be better solved. If there are no problems in the test environment, we can then operate in the production environment.
Best Regards,
Daisy Zhou
- Edited by Daisy Zhou, Microsoft contingent staff, Moderator, Wednesday, October 23, 2019 7:17 AM
- Proposed as answer by Daisy Zhou, Microsoft contingent staff, Moderator, Monday, October 28, 2019 8:50 AM
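The renewal rule quoted in A1 (renewal happens only once 80% of the validity period has elapsed AND the certificate is inside the template's renewal period) is easy to get wrong when planning a CA migration, because it decides when clients will start asking the new CA for certificates. The following is an added example, not code from the thread or from Microsoft: it computes the point at which autoenrollment becomes eligible to renew, and classifies a constructed list of issued certificates as due, expired or fine as of a given date. The record fields and sample names are this example's assumptions, not the CA database schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Rule quoted in the thread: an auto-enrolled certificate is renewed only once
# BOTH hold: (1) 80% of its validity period has elapsed, and (2) it is inside
# the template's renewal period (time left <= renewal period). The window
# therefore opens at max(80% of lifetime, lifetime - renewal period).
RENEWAL_FRACTION = 0.8


def renewal_offset_days(validity_days: int, renewal_period_days: int) -> int:
    """Days after issuance at which autoenrollment becomes eligible to renew."""
    return max(int(validity_days * RENEWAL_FRACTION),
               validity_days - renewal_period_days)


@dataclass
class IssuedCert:
    # Constructed record for this example; not the CA database's own schema.
    subject: str
    not_before: datetime
    not_after: datetime
    renewal_period_days: int  # "Renewal period" configured on the template


def renewal_window_start(cert: IssuedCert) -> datetime:
    lifetime = cert.not_after - cert.not_before
    return max(cert.not_before + lifetime * RENEWAL_FRACTION,
               cert.not_after - timedelta(days=cert.renewal_period_days))


def classify(certs, now: datetime):
    """Split issued certs into (due for renewal, already expired, still fine)."""
    due, expired, ok = [], [], []
    for c in certs:
        if now >= c.not_after:
            expired.append(c.subject)
        elif now >= renewal_window_start(c):
            due.append(c.subject)
        else:
            ok.append(c.subject)
    return due, expired, ok


# Constructed sample: one-year machine certificates with a 6-week (42-day)
# renewal period, inspected as of AS_OF.
AS_OF = datetime(2019, 12, 1)
SAMPLE = [
    IssuedCert("SRV01.corp.example", datetime(2019, 1, 1), datetime(2020, 1, 1), 42),
    IssuedCert("SRV02.corp.example", datetime(2019, 6, 1), datetime(2020, 5, 31), 42),
    IssuedCert("SRV03.corp.example", datetime(2018, 1, 1), datetime(2019, 1, 1), 42),
]

if __name__ == "__main__":
    print(renewal_offset_days(365, 42))  # 323 days, about 46 weeks as in the thread
    print(classify(SAMPLE, AS_OF))
```

With a renewal period longer than 20% of the lifetime (for example 12 weeks on a one-year certificate) the 80% condition wins, so the window opens at day 292 rather than day 281.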
-
Hi
With regards to A1:
I have checked and managed to find a GPO which is adding the certificate from the CA. My question is that when I right-click and go through the Automatic Certificate Request Setup, how does it find the list specified:
located: GPO\Computer Configuration\Policies\windows settings\security settings\Public Key Policies\Automatic Certificate Request Settings:
It currently says Computer, Domain Controller, Enrollment Agent (Computer), IPSec. (Sorry, I cannot post an image as it says my account is not verified.)
The reason I ask is that when I have migrated to a new CA server, how does this list get updated, and how do we know it is pointing to the new server, as it doesn't specify the server or CA name?
Thanks
I will come back to A2 later once I understand the above.
-
Also, if I create another Computer Certificate and give it the correct rights, why is it not listed as an option here in addition to Computer, Domain Controller, Enrolment Agent and IPSec?
located: GPO\Computer Configuration\Policies\windows settings\security settings\Public Key Policies\Automatic Certificate Request Settings
-
Hi,
Is there any update on this question, or is the issue solved? Also, for this question, is there any other assistance we could provide?
Best Regards,
Daisy Zhou
-
Hi,
So far excellent, I have managed to create a certificate and change its version to 1 and that works correctly.
I read that you can auto-enrol certificates in this manner: https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment
When I tried to follow this guide, my computer would not auto-enrol. Any ideas? Do you have a step-by-step guide for doing this on Server 2008 R2 (will Server 2019 be different)?
Thanks
-
Ok, update to this.
I have managed to get a certificate to auto-enrol :-)
What I noticed, though, is that in the Certificate Authority MMC, under Issued Certificates, it will display the issued certificate, but whereas other machines would show "Computer" as the certificate template, this one shows a series of numbers 1.3.6.1.....etc. as the certificate template, even though the certificate template name is "Computer Autoenroll". When I created this, I right-clicked on the Computer template, selected Duplicate Template, selected "Windows Server 2008 Enterprise" and then created the template.
Any idea? It's just that it makes it easier to identify which template is handing out the certificates.
-
Hi,
I have seen this situation before in my test environment.
According to my knowledge and experience, maybe there is a network delay. We can wait for a while, then check if it displays the certificate template names correctly instead of numbers.
Best Regards,
Daisy Zhou
-
Hi,
Thank you for your update and for marking my reply as the answer.
Do we mean we keep the server name the same or the CA name the same?
Best Regards,
Daisy Zhou
-
Keep the CA name the same, but the server name different; that way the 2008 R2 server can be powered on in the event of a migration failure.
To be honest, I have gone through lots of articles and the majority point to keeping the hostname and CA name the same during the migration, but my concern was mainly around a failure and how to revert back to pre-migration. If I take this step, do you have a guide on how to revert back in this scenario?
Thanks
-
If you follow this guide: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140%28v%3dws.10%29#backing-up-capolicyinf
What you notice is a section called "removing the source server from the domain"; it is here where it gets confusing, as if you go by this documentation then you are removing it from the domain because you intend to use the same computer name for the destination server.
Let me know what you think
-
Hi,
We can keep the same CA name and different machine name. During our CA migration, we can keep the CA in our domain.
Tip: Because every CA migration step contains a lot of operations, I suggest we test the CA migration in our lab before we migrate the CA in our production environment. If everything is OK in our lab, we can perform the operations in our production environment.
Hope everything will be OK.
Best Regards,
Daisy Zhou