Timing of obsoleting an old CA to bringing up a new CA

  • Question

  • All,

    I've got an active two-tier CA running on 2008 R2. I've configured a new two-tier CA, running on 2016. It seems to be functioning correctly - at the very least, pkiview.msc shows no errors for either CA.

    The new CA has no templates, so I'm seeing a lot of failed requests. That's all good.

    However, I believe I have a timing problem, in three areas.

    - We use a cert from the old CA for ssl inspection at our firewalls

    - We use certs from the old CA for 802.1x authentication for wireless

    - Our DirectAccess infrastructure depends on certs from our old CA, and we have staff in the field at customer sites that require pretty much 24x7 access to corporate resources

    Complicating this is that we're in a bit of a growth spurt, and are enabling new machines and users frequently

    How do I handle turning off the old one and issuing templates to the new one, so that I have minimal or (ideally) no impact on user experience?

    Thanks,

    Kurt

    Wednesday, April 24, 2019 11:50 PM

All replies

  • Hi,
    Thank you for posting in our TechNet forum.

    Are we migrating certificate services within the same AD forest? If so, we simply build a new PKI in parallel. We install the new root certificate on clients via AD or GPO. We will get two trusted PKI roots, and certificates issued by either of them will be equally trusted.

    In order to move certificates from the old PKI to the new PKI, we get the list of certificate templates issued by the old CA and install them on the new CA. Then, remove these templates from the old CA (clear all templates from the old CA). The old CA will continue CRL publication, so existing certificates will work as before. The only difference will be that any new or renewal certificate request will be submitted to the new CA. When all certificates issued by the old CA have expired or been replaced with new ones (from the new CA), and if everything works fine, we may consider decommissioning the old CA/PKI.


    For details we can refer to the following articles:


    ADCS: Migrate Windows Server 2008 R2 CA to a New Server 2012/r2 or 2016

    Tip: It is recommended to test in the test environment in advance so that we can migrate more smoothly in the production environment.



    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 25, 2019 7:23 AM
    Moderator
  • Hi,
    Is there any update on this question, or is the issue solved? Also, is there any other assistance we could provide on the question?

    Best Regards,
    Daisy Zhou


    Monday, April 29, 2019 7:30 AM
    Moderator
  • Got buried at work. I will look over the links you posted and get back with questions.

    Thanks,

    Kurt

    Monday, April 29, 2019 9:41 PM
  • The links supplied do not seem to be relevant to my situation. All three of them seem to be regarding backing up a current CA and restoring it to a new CA.

    That is not my situation.

    I have stood up an entirely new CA, and now wish to have them co-exist for a short while until either the old certs have expired, or sufficient numbers of clients have gathered the new certs so that I can switch over the certs used on the Firewalls, RADIUS servers and DirectAccess infrastructure.

    Kurt

    Monday, April 29, 2019 9:46 PM
  • Hello,
    I am sorry that I misunderstood.

    Do we install the two-tier CA running on 2008 R2 and the new two-tier CA running on 2016 in the same domain?

    According to "The new CA has no templates, so I'm seeing a lot of failed requests. That's all good", do we mean the new CA does not have the default templates, or that the new CA has the default templates but does not have the same templates as the 2008 R2 CA (including default and custom templates)?



    Best Regards,
    Daisy Zhou


    Tuesday, April 30, 2019 5:36 AM
    Moderator
  • Both CAs are in the same single-forest/single-domain environment.

    I brought up the new two-tier CA, and noted that a few (less than 10, IIRC) machines got certs from the issuing CA. I then deleted all of the templates on the issuing CA, and since then have noticed lots of failed requests on the new issuing CA, but not on the old issuing CA.

    Kurt

    Tuesday, April 30, 2019 10:18 PM
    Your scenario implies a lot of questions as to how the new PKI was set up. So, to the specific question.

    On the new Issuing CA(s), in the Certification Authority MMC, you need to delete the templates showing when clicking on Certificate Templates in the left panel. Next, on the old current Issuing CA note the templates in the same area and add them in your new Issuing CA. You do this by right-clicking Certificate Templates and selecting New\Certificate Template to Issue and selecting the same templates seen on the old CA. None of this is in the Manage area.

    Test enrollments with these templates on the new CA and once you see they are working as before; you can then remove the templates from the old Issuing CA(s) so that new enrollments only come from your new CA. 

    All of this assumes of course that the chain certs for the new CA are available to machines and users in your environment. PKI View, as you suggest, shows that the new Root has been published and the CRL is available, but test all of this with the new Issuing CA(s) in place. 

    Again, there is a lot of other work in this scenario that needs to be done.


    Regards,

      Bill

    Bill Stites - PKI Consultant

    Bill Stites, PKI Consultant , started in PKI at Providence Health & Services
    in the Pacific Northwest in 2006. He has since consulted in the design and implementation of PKIs
    and certificate management systems in retail, government and insurance organizations.
     


    Wednesday, May 1, 2019 4:01 PM
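The template move that Daisy and Bill both describe (note what is published on the old issuing CA, publish the same templates on the new issuing CA, and only after enrollment has been verified unpublish them from the old CA) as an added PowerShell example. This is not code from either poster or from Microsoft; it drives both CAs with certutil because the ADCSAdministration cmdlets do not exist on 2008 R2, and the two CA config strings (host\CA common name) are placeholders.

```powershell
# Added example, not from the thread. CA config strings are placeholders: "host\CA common name".
param([switch]$UnpublishFromOld)   # the destructive step only runs when explicitly requested
$OldCA = 'oldca01.corp.example\Corp-Issuing-CA-1'
$NewCA = 'newca01.corp.example\Corp-Issuing-CA-2'

# certutil -CATemplates prints one line per published template, "<TemplateName>: <DisplayName> -- ...",
# followed by a "CertUtil: ... completed successfully." status line that must be ignored.
function Get-PublishedTemplate([string]$CaConfig) {
    $lines = certutil -config $CaConfig -CATemplates
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed against $CaConfig : $($lines -join ' ')" }
    foreach ($line in $lines) {
        if ($line -match '^(?<name>[^:\s]+):' -and $line -notmatch '^CertUtil:') { $Matches['name'] }
    }
}

# -SetCATemplates +A,B publishes; -SetCATemplates -A,B unpublishes. Unpublishing only stops
# new enrollments for that template; certificates already issued are unaffected.
function Set-PublishedTemplate([string]$CaConfig, [string[]]$Names, [switch]$Remove) {
    if (-not $Names) { return }
    $sign = if ($Remove) { '-' } else { '+' }
    $out  = certutil -config $CaConfig -SetCATemplates "$sign$($Names -join ',')"
    if ($LASTEXITCODE -ne 0) { throw "SetCATemplates on $CaConfig failed: $($out -join ' ')" }
    Write-Host ("{0} on {1}: {2}" -f $(if ($Remove) { 'Unpublished' } else { 'Published' }), $CaConfig, ($Names -join ', '))
}

$old = @(Get-PublishedTemplate $OldCA)
$new = @(Get-PublishedTemplate $NewCA)
Write-Host "Old CA publishes: $($old -join ', ')"
Write-Host "New CA publishes: $($new -join ', ')"

# 1. Publish on the new CA everything the old CA publishes that the new CA does not yet have.
$missingOnNew = @($old | Where-Object { $new -notcontains $_ })
Set-PublishedTemplate $NewCA $missingOnNew

# 2. Only after test enrollments against the new CA succeed: unpublish the same set from the old CA.
if ($UnpublishFromOld) {
    Set-PublishedTemplate $OldCA $old -Remove
} else {
    Write-Host "Re-run with -UnpublishFromOld to remove these from $OldCA once enrollment from the new CA is verified."
}
```

Run it once without the switch to do the copy and print the two lists, test enrollment, then run it with -UnpublishFromOld. While a template is published on both CAs, autoenrolling machines can renew against either one, which is the situation Kurt describes for the handful of machines that picked up certificates from the new CA; the services that validate those certificates (the RADIUS servers, DirectAccess and the firewall) therefore need the new root and issuing chain in their trust stores before the templates they consume are published on the new CA.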
  • "On the new Issuing CA(s), in the Certification Authority MMC, you need to delete the templates showing when clicking on Certificate Templates in the left panel."

    As I mentioned earlier, I did delete the templates on the new issuing CA.

    "Next, on the old current Issuing CA note the templates in the same area and add them in your new Issuing CA"

    Before I do that, I'd like to understand what happens when I do that. In particular, the three things I mentioned at my first posting concern me greatly - old certs are currently installed for 802.1x Wireless, SSL inspection at our firewalls and DirectAccess - and I don't yet understand how (or if!) the new CA infrastructure will allow me to manage the transition to the new certs that are being issued from a completely new CA infrastructure. There's also a concern regarding certs that were issued by the old CA expiring in the interim while I manage the transition to the new CA, and haven't yet switched our 802.1x, firewalls and DirectAccess to the new certs.

    But, on to this statement: "Test enrollments with these templates on the new CA and once you see they are working as before; you can then remove the templates from the old Issuing CA(s) so that new enrollments only come from your new CA. "

    I ran an inadvertent test while bringing up the new CA - several machines got certs from the new CA, when their certs from the old CA expired, and didn't get certs from the old CA, and this caused problems for those machines. That is when I deleted the templates from the new CA, went to the machines in question, deleted those new certs, and they picked up certs from the old CA thereafter.

    Lastly, pkiview.msc shows both CAs, and both healthy - is that part of your point, or are you after something else?

    Wednesday, May 1, 2019 9:39 PM
  • Given all of that, you'll need to explore why the enrollments are failing from the new Issuing CA. 
    A simple test of your new issuing CA would be to configure the default Web Server template giving a test server read and enroll permissions. Add it to the CA Certificate Templates so that it is the only certificate showing in that list. Go to your test server and enroll for a certificate from that template. If there are any problems then it is likely to indicate what your issues are for the other enrollments from the new Issuing CA. 

    Regards,

      Bill


    Thursday, May 2, 2019 3:52 PM
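Bill's single-template enrollment test, scripted, as an added example that is not Bill's code: it submits a request for the default WebServer template straight to the new issuing CA with certreq (so there is no ambiguity about which CA answered), accepts the certificate into the machine store, and then checks the chain and fetches the AIA/CDP/OCSP URLs the way a client would. The CA config string and the subject name are placeholders; run it elevated on the test server after the template has been published on the new CA with read and enroll granted to that server.

```powershell
# Added example, not from the thread. Placeholders: CA config string and subject.
$NewCA   = 'newca01.corp.example\Corp-Issuing-CA-2'
$Subject = "CN=$env:COMPUTERNAME.corp.example"
$work    = Join-Path $env:TEMP 'enrolltest'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request INF: non-exportable 2048-bit RSA machine key, asking for the WebServer template.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\req.inf" -Encoding ASCII

# Run one certreq step and stop at the first failure so the error text points at the problem.
function Invoke-Certreq([string]$Label, [string[]]$CertreqArgs) {
    $out = & certreq @CertreqArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Label failed (exit $LASTEXITCODE):`n$($out -join "`n")" }
    Write-Host "$Label ok"
}

Invoke-Certreq 'certreq -new'    @('-new', "$work\req.inf", "$work\req.req")
Invoke-Certreq 'certreq -submit' @('-submit', '-config', $NewCA, "$work\req.req", "$work\cert.cer")
Invoke-Certreq 'certreq -accept' @('-accept', "$work\cert.cer")

# certutil -verify -urlfetch walks the chain and downloads every AIA/CDP/OCSP URL in it;
# a failure here is what a wireless client or the RADIUS server would hit with this chain.
$verifyOut = certutil -verify -urlfetch "$work\cert.cer"
$verifyOk  = ($LASTEXITCODE -eq 0)

# Independently: which issuer and root does Windows build for the certificate we just got?
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$work\cert.cer"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk = $chain.Build($cert)
[pscustomobject]@{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    Root        = $(if ($chain.ChainElements.Count -gt 0) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject } else { $null })
    ChainBuilds = $chainOk
    ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    CertutilOk  = $verifyOk
}
if (-not $verifyOk) { $verifyOut | Where-Object { $_ -match 'Failed|Error|Revocation' } }
```

The Issuer and Root fields answer directly whether the certificate came from the new issuing CA and chains to the new root; if certreq -submit succeeds but the chain does not build or certutil reports a URL failure, the problem is chain or CRL/AIA publication rather than the template, which is the split Bill is trying to isolate with this test.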
  • Just to make sure I'm following you:

    - spin up a test web server

    - provision a web server template on the new CA with permissions to it granted only to the test web server

    - Go to test web server and enroll for certificate

    - It should get certs from both the old and new CAs

    - gather results and understand where there are failures to issue, if any.

    Is this correct?

    In the interest of providing more/better info, here are two screenshots, the first from the old CA, the second from the new CA, showing AIA/CDP/OCSP settings - I don't know if they'll help or not in diagnostics:

    Old CA

    New CA

    Friday, May 3, 2019 7:48 PM
    "- It should get certs from both the old and new CAs"
    No. Since you have only published it on the new CA (added it to the Certificate Templates section of the CA MMC), the new template is not available on the old CA, because you haven't added (published) it there yet.

    This is where your troubleshooting starts, with the enrollment for a certificate from the new CA's new template (this should also be the only template available, of course, for now).

    Once you get the cert, bind it if you wish to an IIS instance, or what have you. Every step of this is to ensure that first of all you are successfully connecting to the new CA and successfully enrolling for certificates. 

    If all this works fine, you can try it with an existing template (published on the old CA). Add it to the new CA and remove it from the old CA - just long enough to test with an appropriate device for that certificate. Don't test with a certificate configured for autoenrollment. All you're trying to do is test enrollment for your new CA.

    If the CA is configured correctly then it will issue certs using the same templates once you have added them to the new CA and removed them from the old CA. The removal of the templates simply prevents new enrollments for that template on the CA.

    Of course, all of this would be much easier to test in a lab environment.

    In the PKI View windows, do you see success for the Root CA as well?

    Hope that helps,


    Regards,

      Bill


    Saturday, May 4, 2019 12:05 AM
    I think we're talking at cross purposes here, and I think I need to give and receive more clarification.


    KB> "- It should get certs from both the old and new CAs"
    BS> No, since you have only published on the new CA, (Added to the Certificates Templates section of the CA MMC) the new template is not available on the old CA since you haven't added it there yet (published)

    BS> If the CA is configured correctly then it will issue certs using the same templates once you have added them to the new CA and removed them from the old CA.

    Uh, currently there are no templates published on the new CA. If a new/updated template *is* published on the new CA (that is, one that is different from the templates published on the new CA, perhaps an updated duplicate of the Computer template with a different name and SHA2 vs. SHA1), and the old template is left on the old CA, will the computers get the new and old certificates issued upon request?

    Further, I presume that using the old computer template on the new CA will not result in a new certificate chained to the old root and intermediate certs, but instead a new certificate chained to the new root and intermediate cert from the new CA.

    Is that correct?

    Kurt

    Tuesday, May 7, 2019 12:51 AM
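A way to see, on any given machine, which certificates came from which CA and which root each one chains to, as an added PowerShell example that is not from anyone in the thread. Run on a wireless client, on the NPS/RADIUS server, on a DirectAccess server or wherever the firewall's inspection certificate lives, it lists the template, issuer, days to expiry and the root that Windows builds to for every certificate in the machine store, so the old-CA certificates that must be replaced before they expire can be sequenced; run on one of the machines that briefly enrolled from the new CA, it shows which root those certificates chain to. The store path is a parameter; nothing else is assumed.

```powershell
# Added example, not from the thread. No site-specific names are assumed.
$TemplateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'   # v1 "Certificate Template Name", v2+ "Certificate Template Information"

# Template name as recorded in the certificate's template extension (v1 or v2+ form).
function Get-TemplateName($Cert) {
    $ext = $Cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($ext) { ($ext.Format($false) -split ',')[0].Trim() } else { '(not from a template)' }
}

# Subject of the root this host chains the certificate to, or the reason the chain fails.
# Revocation is deliberately not checked here (path only); use certutil -verify -urlfetch for that.
function Get-ChainRoot($Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        return 'UNTRUSTED: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
}

function Get-CertInventory([string]$StorePath = 'Cert:\LocalMachine\My') {
    Get-ChildItem $StorePath | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Template   = Get-TemplateName $_
            DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
            Root       = Get-ChainRoot $_
            Thumbprint = $_.Thumbprint
        }
    }
}

# Soonest-expiring first. Filter on Issuer to see only the old issuing CA's certificates, e.g.
#   Get-CertInventory | Where-Object { $_.Issuer -like '*Corp-Issuing-CA-1*' }   (placeholder name)
Get-CertInventory | Sort-Object DaysLeft | Format-Table -AutoSize
```

The Root column is the practical answer to the chaining question: a certificate is trusted by a peer only if that peer holds the root shown here, so the DaysLeft of the old-CA certificates on the 802.1x clients, and the Root of whatever certificate the RADIUS and DirectAccess servers present, are the two numbers that set the deadline and the order for the switch-over.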
  • OK. I've been doing more SFTW, and found this:

    https://blogs.technet.microsoft.com/pki/2012/01/27/decommissioning-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-operations-to-a-new-one/

    That also leads to this, which I'm reading first, so that I better understand the first article:

    https://blogs.technet.microsoft.com/askds/2010/08/23/moving-your-organization-from-a-single-microsoft-ca-to-a-microsoft-recommended-pki/

    I'm pretty sure I'll have another question or two once I've done reading these.

    Kurt

    Wednesday, May 8, 2019 5:53 PM