Migrating an Enterprise Root CA

  • Question

  • Hello everyone,

    I migrated the Enterprise Root CA from a Windows Server 2003 to a Windows Server 2012 R2 using the following procedure:

    Note: the destination server has a different name from the source server.

    1. Backed up the CA on the old server
    2. Backed up the registry key HKLM\system\currentcontrolset\services\certsrv\configuration
    3. Renamed the CAServerName key in the .reg file with the new server name
    4. Removed the CA service from the old server
    5. Added the CA role on the new server
    6. Restored the backup and the registry key

    Now on the new server I can see the certificates issued by the old one; however, in those certificates the CRLDistributionPoint field still shows the old server's name.

    Is there any additional task to perform, or will I simply renew the certificates from the new server when they expire, without consequences?

    PS: I have a policy that distributes the "Trusted Root Certification Authorities" store containing the certificate generated on the old server; can I keep that one until it expires, or do I have to regenerate it from the new server?

    Thanks

    Michele

    Monday, 22 December 2014 12:00

Answers

  • Updating CRL Distribution Point and Authority Information Access Extensions

    In the scenario in which the host name of the target CA is different from the host name of the source CA, the URLs referenced in the authority information access and certificate revocation list (CRL) distribution point extensions of certificates that have already been issued by the source CA may contain references to the old host name. To prevent errors resulting from this, update the configuration of the target CA so that it continues to publish its CRL and CA certificate to the locations referenced by the existing certificates in addition to the locations required by the new CA location.

    To update CRL distribution point and authority information access extensions

    • On the target CA, open the Certification Authority snap-in.
    • Right-click the CA node, and click Properties.
    • On the Properties page, click the Extensions tab.
    • Add the required authority information access and CRL distribution point extensions.

      The exact steps required will vary based on the extensions configured on the source CA. The following steps include the minimum steps required if the source CA had the default extension settings.

      • Add one new CRL distribution point extension to enable the CA to publish CRLs to the location the original CA included in issued certificates: ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<OriginalServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>.
      • Replace <OriginalServerShortName> with the short name of the original CA host.
      • With the new location highlighted, select the Publish CRLs to this location and Publish Delta CRLs to this location check boxes.
      • Add any additional authority information access or CRL distribution point extensions required for validation of certificates issued by the original CA. For example, if custom authority information access or CRL distribution point extensions were configured on the source CA to be included in issued certificates, you will need to ensure that those paths resolve to locations where the new CA will publish current CA certificates and CRLs.

        Note: This step is primarily intended for Lightweight Directory Access Protocol (LDAP) paths. An HTTP URL or Universal Naming Convention (UNC) path can also be resolved by using a redirect or another solution.

      • Click Apply, and click Yes to restart the CA.
    • Verify the CA can publish CRLs to the new location.

      • Open the Certification Authority snap-in.
      • Right-click Revoked Certificates, point to All Tasks, and click Publish.
      • Click either New CRL or Delta CRL only, and click OK.
      • Using Adsiedit.msc or other network tools, verify that the CA can publish to the new location.

    ref: http://technet.microsoft.com/it-it/library/cc742471(v=ws.10).aspx


    Edoardo Benussi
    Microsoft MVP - Directory Services
    edo[at]mvps[dot]org

    Tuesday, 23 December 2014 16:05
    Moderator
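The same CDP change done from PowerShell on the new CA, as an added example that is not part of the thread or of Microsoft's documentation. It assumes `OLDCA01` as a placeholder for the original server's short name and that the ActiveDirectory module is installed for the verification step:

```powershell
# Added example, not from the thread: give the migrated CA the old host's
# LDAP CDP location so certificates issued before the move keep validating.
# Run in an elevated PowerShell on the new CA. OLDCA01 is a placeholder for
# the original server's short name (<OriginalServerShortName> in the answer).
$OldServerShortName = 'OLDCA01'

# CA settings live under this key; the 'Active' value names the CA instance.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caKey  = Join-Path $cfg $caName

# Flag bits: 1 = "Publish CRLs to this location", 64 = "Publish Delta CRLs to
# this location" (the two check boxes the answer selects). Bit 2 (include in
# the CDP extension of issued certificates) is deliberately absent, so the old
# path is not written into newly issued certificates.
# certutil tokens: %7 CATruncatedName, %8 CRLNameSuffix,
# %6 ConfigurationContainer, %10 CDPObjectClass.
$oldCdp = "65:ldap:///CN=%7%8,CN=$OldServerShortName,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

# Keep a copy of the REG_MULTI_SZ value before changing it.
(Get-ItemProperty -Path $caKey -Name CRLPublicationURLs).CRLPublicationURLs |
    Set-Content -Path "$env:TEMP\CRLPublicationURLs.bak"

# Append the entry only if it is not there yet, so re-runs are harmless.
function Add-CrlPublicationUrl([string]$Entry) {
    $current = @((Get-ItemProperty -Path $caKey -Name CRLPublicationURLs).CRLPublicationURLs)
    if ($current -contains $Entry) { return $current }
    $updated = $current + $Entry
    Set-ItemProperty -Path $caKey -Name CRLPublicationURLs -Value ([string[]]$updated)
    return $updated
}
Add-CrlPublicationUrl -Entry $oldCdp

# The CA reads the list at start-up; then force a new base and delta CRL.
Restart-Service -Name certsvc
certutil -CRL

# Verify the publish, as the answer does with adsiedit.msc: a CRL object must
# exist under the OLD host's CDP container with a fresh whenChanged stamp.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$base  = "CN=$OldServerShortName,CN=CDP,CN=Public Key Services,CN=Services,$cfgNC"
Get-ADObject -SearchBase $base -Filter 'objectClass -eq "cRLDistributionPoint"' `
    -Properties whenChanged | Select-Object DistinguishedName, whenChanged
```

If the old host's CDP container was removed from AD when the old CA was decommissioned, `certutil -CRL` reports a publish failure for that URL and the container has to exist again before the CRL can land there.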

All replies

  • Hi,

    I believe you followed this procedure:

    http://technet.microsoft.com/en-us/library/dn486797.aspx

    I also found a useful article:

    decommissioning an old CA

    Regards.



    Tuesday, 23 December 2014 09:06
  • Hi Michele,

    As of today, your question in the Active Directory and Group Policy forum is still open for us.

    If the advice you received was helpful, please remember to highlight the solution by clicking "Mark as Answer". If instead you found another solution in the meantime, we would be grateful if you shared it here too, for the benefit of the other users following the thread.

    Thank you.



    Monday, 5 January 2015 10:19