Setting up an additional Enterprise CA on my Domain

  • Question

  • I have a Microsoft Enterprise CA server running on Server 2012r2 on my domain (AD Certificate Services). The Certification Authority was migrated some years ago from an old Server 2013 box that was decommissioned.

    The current CA uses SHA1 and needs moving to SHA256. Having researched this, our current Cryptographic Provider is "Microsoft Strong Cryptographic Provider". I understand the process of moving to SHA256 involves backing up the current CA (inc. Private key), deleting these keys, moving to SHA256 including restoring root CA certificates as per https://www.petenetlive.com/KB/Article/0001243

    I have very limited knowledge of installing and managing CAs but I have fallen at the first hurdle as backing up the current CA will not allow backing up of the Private Key and CA Cert (message "windows cannot backup one or more private keys because the csp does not support key export").

    I have seen suggestions in some posts that it would be easier to create a new Enterprise CA and migrate services towards this over a period of time and then decommission the older CA.

    Does anyone have a view on this? In particular can AD have multiple CAs in the same domain and presumably each CA would need to be on a different server. Would a newly installed CA by default be based on SHA256? What would be the correct sequence to set up new CA, re-point my hosts etc. My Certificate policy templates are published in "Active Directory enrollment Policy". Is what I am proposing possible as I would potentially have different certificate templates for each CA?

    Grateful for any advice

    Wednesday, 27 May 2020 13:07

Answers

  • Daisy, thank you for your thorough reply.

    I have annotated these below with some additional information.

    Q1: I have seen suggestions in some posts that it would be easier to create a new Enterprise CA and migrate services towards this over a period of time and then decommission the older CA. Does anyone have a view on this?
    A1:
    1. How many CA root certificates does the current CA have? We can check through opening CA properties\General tab\CA certificates.

    There are 3 root certs (2 expired)

    2. Check whether the private keys corresponding to all the CA root certificates are exportable. If the private keys corresponding to all the CA root certificates are not exportable and we have no current latest backup (.p12 file) for the CA, we need to create a new Enterprise CA.

    I used the Certificates MMC on the CA server (Local Computer\Personal) to see if I could export the certs. The option "Yes, export the private key" is greyed out. If I try to use the Certification Authority snap-in to back up the "Private key and certificate", I get the warning mentioned in the original post, but a xxxx.p12 file is created by the backup.

    I may have an old backup produced by the GUI from before the CA was migrated from the old Server 2013.

    If this is not available do you think a new CA is the way forward?

     

    Q2: In particular can AD have multiple CAs in the same domain and presumably each CA would need to be on a different server.
    A2: Yes, we can have multiple CAs in the same domain.

    Q3: Would a newly installed CA by default be based on SHA256?
    A3: If we set up CA on Windows Server 2016 or 2019, the newly installed CA by default is based on SHA256.

    Any new CA would be based on Server 2012R2. Would I have the option of selecting SHA256 during the CA Configuration?

    Thanks


    • Marked as answer by Ian W68, Wednesday, 3 June 2020 18:28
    Thursday, 28 May 2020 11:30
  • Hi,
    Thank you for your update.

    If this is not available do you think a new CA is the way forward?
    A: Yes, if it is not available, we should set up a new CA structure.

    Any new CA would be based on Server 2012R2. Would I have the option of selecting SHA256 during the CA Configuration?

    A: Yes, there is an option we can choose during the configuration, shown below.


    Reference:
    ADCS Step by Step Guide: Single Tier PKI Hierarchy Deployment
    https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx


    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, 29 May 2020 03:56

All Replies

  • Hello,
    Thank you for posting in our TechNet forum.

    Here are the answers to your questions:

    Q1: I have seen suggestions in some posts that it would be easier to create a new Enterprise CA and migrate services towards this over a period of time and then decommission the older CA. Does anyone have a view on this?
    A1:
    1. How many CA root certificates does the current CA have? We can check through opening CA properties\General tab\CA certificates.

    2. Check whether the private keys corresponding to all the CA root certificates are exportable. If the private keys corresponding to all the CA root certificates are not exportable and we have no current latest backup (.p12 file) for the CA, we need to create a new Enterprise CA.

    Q2: In particular can AD have multiple CAs in the same domain and presumably each CA would need to be on a different server.
    A2: Yes, we can have multiple CAs in the same domain.

    Q3: Would a newly installed CA by default be based on SHA256?
    A3: If we set up CA on Windows Server 2016 or 2019, the newly installed CA by default is based on SHA256.

    Q4: What would be the correct sequence to set up new CA, re-point my hosts etc. My Certificate policy templates are published in "Active Directory enrollment Policy". Is what I am proposing possible as I would potentially have different certificate templates for each CA?
    A4:
    1. We can keep the old CA and set up another new CA in your domain.
    2. After we set up a new CA on Windows Server 2016/2019, we can check that the new CA server is healthy, and we can use the new CA to issue certificates.
    3. We can temporarily retain the Windows Server 2012 R2 CA server.
    4. Or, if we do not need the old Windows Server 2012 R2 CA server in the future, we ensure all the certificates issued by this Windows Server 2012 R2 CA server have expired and re-enroll these expired certificates using the new Windows Server 2016 CA server, or we ensure all the certificates we are using are reissued using the new Windows Server 2016/2019 CA server; then we can decommission the old Windows Server 2012 R2 CA server and remove all related objects if needed.


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, 28 May 2020 03:46
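The two checks in A1 (which CA certificates exist, and whether their private keys can be exported) and the SHA1/SHA256 question in A3 can be answered from the CA server itself rather than by clicking through the MMC. The script below is an added example, not code from this thread or from Microsoft; it reads the standard AD CS registry location under CertSvc\Configuration and the machine Personal store, and the function and property names are this example's own. Run it in an elevated PowerShell session on the CA (old or new):

```powershell
# Added example: inspect a CA's signing configuration and private-key exportability.
# Not from the thread; function/property names are the example's own.

function Get-CaSigningConfig {
    # 'Active' under CertSvc\Configuration names the CA instance the service runs.
    $cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName  = (Get-ItemProperty -Path $cfgPath).Active
    $csp     = Get-ItemProperty -Path "$cfgPath\$caName\CSP"

    # Legacy CSP-backed CAs record the hash as an ALG_ID DWORD:
    # 0x8004 = CALG_SHA1, 0x800C = CALG_SHA_256. CNG/KSP-backed CAs use the
    # CNGHashAlgorithm string instead (the value certutil -setreg ca\csp\CNGHashAlgorithm sets).
    $legacyHash = $null
    if ($null -ne $csp.HashAlgorithm) { $legacyHash = '0x{0:X}' -f $csp.HashAlgorithm }

    [pscustomobject]@{
        CAName           = $caName
        Provider         = $csp.Provider          # "Microsoft Strong Cryptographic Provider" = legacy CSP
        CNGHashAlgorithm = $csp.CNGHashAlgorithm  # e.g. SHA256 on a KSP-backed CA
        HashAlgorithm    = $legacyHash            # ALG_ID on a CSP-backed CA
    }
}

function Get-CaKeyExportability {
    param([string]$CAName)
    # The CA's own certificates live in the machine Personal store; renewed CA
    # certificates sit alongside the current one, which is why the thread sees three.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$CAName*" } |
        ForEach-Object {
            $cert = $_
            $exportable = 'unknown'
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: exportability is a flag on the key's export policy.
                    $policy = $rsa.Key.ExportPolicy
                    $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key: the container records whether export was allowed at creation.
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            } catch {
                $exportable = "unknown: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Thumbprint         = $cert.Thumbprint
                NotAfter           = $cert.NotAfter
                Expired            = $cert.NotAfter -lt (Get-Date)
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # sha1RSA / sha256RSA of the CA cert itself
                KeyExportable      = $exportable
            }
        }
}

$config = Get-CaSigningConfig
$config | Format-List
Get-CaKeyExportability -CAName $config.CAName | Format-Table -AutoSize
```

A `KeyExportable` of `False` on the current CA certificate is the programmatic form of the "CSP does not support key export" message in the question, and matches the greyed-out export option: without an exportable key or an older backup, the new-CA route in A1 is the one left. Note that `SignatureAlgorithm` describes how the CA certificate itself was signed, not what the CA uses for the certificates it issues; the `HashAlgorithm`/`CNGHashAlgorithm` values are what govern that, so the same script run on the new 2012 R2 CA confirms whether SHA256 was selected during configuration.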
  • Hi,

    I'm just following up to make sure you received my last email and that my answers properly address your questions. If you have any further questions or concerns about this case, please let me know.

    Thank you for your understanding and cooperation.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, 1 June 2020 09:11
  • Hi
    How are things going on your end? Please keep me posted on this issue. 
    If you have any further questions or concerns about this question, please let us know.
    I appreciate your time and efforts.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, 2 June 2020 10:31
  • Hi Daisy.

    I set up the new CA on Monday and started the process of replacing Certs on my internal Web Servers.

    My plan is to ensure that all of these are replaced before decommissioning the original CA. I assume the process would be to use Server Manager to remove the role.

    Thanks once again for your invaluable help.

    Best wishes

    Wednesday, 3 June 2020 18:28
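Step 4 of A4 and the plan above both hinge on knowing what still depends on the old CA before its role is removed. The script below is an added example, not code from this thread or from Microsoft, for building that inventory: it lists unexpired certificates still recorded in the old CA's database and then asks the internal web servers which machine certificates still chain to it. `$OldCaConfig` (the old CA's "host\CA common name") and `$Servers` are placeholders to replace; the server list is a constructed one.

```powershell
# Added example: inventory what still depends on the old CA before decommissioning.
# Not from the thread; $OldCaConfig and $Servers are placeholders, function names are the example's own.

param(
    [string]$OldCaConfig = 'OLDCA01.corp.example\Corp Issuing CA',   # placeholder: host\CA common name
    [string[]]$Servers   = @('WEB01', 'WEB02')                        # placeholder, constructed list
)

$oldCaName = $OldCaConfig.Split('\')[-1]

function Get-UnexpiredIssuedCerts {
    # Query the old CA database. Disposition 20 = issued; NotAfter still in the future.
    # certutil parses restriction dates in US month/day/year order, so format explicitly.
    param([string]$Config)
    $today = (Get-Date).ToString('MM/dd/yyyy', [Globalization.CultureInfo]::InvariantCulture)
    $csv = certutil -config $Config -view -restrict "Disposition=20,NotAfter>=$today" `
               -out 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter' csv
    $csv | ConvertFrom-Csv
}

function Get-ServerCertsFromIssuer {
    # Ask each server (over WinRM) for machine certificates whose issuer is the old CA.
    param([string[]]$ComputerName, [string]$IssuerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $issuer = $using:IssuerName
        Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Issuer -like "CN=$issuer*" } |
            Select-Object Subject, Thumbprint, NotAfter
    } | Select-Object PSComputerName, Subject, Thumbprint, NotAfter
}

$dbRows = Get-UnexpiredIssuedCerts -Config $OldCaConfig
$live   = Get-ServerCertsFromIssuer -ComputerName $Servers -IssuerName $oldCaName

"Unexpired certificates still in the old CA database: $(@($dbRows).Count)"
$dbRows | Format-Table -AutoSize
"Machine certificates on web servers still chaining to '$oldCaName': $(@($live).Count)"
$live | Format-Table -AutoSize
```

The database query is the authoritative list (it also catches user certificates and hosts not in `$Servers`); the per-server scan only confirms the web servers mentioned above. Anything in either list should be reissued from the new CA first, because once the old CA's role is removed it stops publishing CRLs and certificates still chaining to it can fail revocation checking. Both lists empty is the state to reach before following the decommissioning article linked in the next reply.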
  • Hello,

    Thank you for your update and marking my reply as answer. I’m very glad that the information is helpful.

    Here is an article related to how to decommission a Windows enterprise certification authority for your reference.
    How to decommission a Windows enterprise certification authority and remove all related objects
    https://support.microsoft.com/en-gb/help/889250/how-to-decommission-a-windows-enterprise-certification-authority-and-r


    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, 4 June 2020 08:32