Under construction: This guide is a work in progress and is not complete. The original author will remove this note when the guide is ready for use.
Applies to Windows Server 2008 R2, Windows 7
**** NEED TO INCORPORATE ADVICE FROM http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx ****
This topic contains instructions for setting up a test lab based on the Base Configuration TLG for Windows Server 2008 R2 and deploying <product/technology> using three (3) server computers and one (1) client computer. The resulting test lab demonstrates how to move from a single-tier PKI hierarchy to a two-tier PKI hierarchy with an offline root CA.
Important: The following instructions are for configuring this test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
The computers from the Base Configuration TLG that are used in this lab include:
ORCA1 will be the new root certification authority for Contoso. The configuration steps for ORCA1 consist of the following procedures.
<description and procedure>
To ensure that the offline root CA is the authoritative CA, you must remove the root CA from DC1.
<Description and procedures>
Tip: If you are using Hyper-V as the host for your lab environment, you can use the instructions in the article Creating, Using, and Transferring Files using Virtual Floppy Disks for creating the removable media needed to move the certificate from one virtual machine to another.