Solved

Certificate services

Posted on 2006-06-21
1
247 Views
Last Modified: 2013-12-04
Dear Frinds!
my question is regarding uninstalling an enterprise certificate authority, we have currently a Windows2000 DC with a windows2003 DC replica, I've nearly migrated all services from the win2000 dc to win2003dc replica, in order to sometime get rid of win2000 and seize its roles and move it to win2003 dc, one thing I did also is I removed the CA certificate auth from the win2000 dc , acually it was only used to create a certificate for isa to publish exchange.
1- is there any impact on the Domain after I removed the CA auth?
2- what things I should also do to clean-up after removal of the enterprise ca in the domain, specially if I want to install a new one later in case I need it?
3-later I want to setup a VPN based on radius and Certificates, is it nessesery to have enterprise CA auth,or a standalone will also do?
4-what is the prefered location of enterprise CA installation, meaning, should I install on DC or can it be located with exchange (domain Member)?

with regards

jordi
0
Comment
Question by:jordi67
1 Comment
 
LVL 16

Accepted Solution

by:
Redwulf__53 earned 250 total points
ID: 16950439
1 - If you are sure it was only used for OWA, there will be little impact. If certificates were also issued based on an Autoenrollment Policy, you will need to rebuild the PKI infrastructure immediately. You will need to create a new CA to issue a new certificate for OWA before the existing one expires.
2 - None under normal circumstances.
3 - A stand-alone CA will do, but users can only self-enroll for certificates if it is AD Integrated (=Enterprise).
4 - Preferred setup (from security standpoint) is to install the Root CA on a dedicated machine (member server), and a Subordinate CA on another member server. Then the root CA is taken offline and stored in a physically secure location, to ensure the integrity of the Private Key pair, and only put back online to renew its own certificate/subordinate CA certificates or when a new Subordinate CA is added to the infrastructure. Obviously if you only use a single certificate only for Server authentication (OWA), this would be overkill and a single Root CA on a secure machine in the network will suffice, but remember it will be a compromise.



0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now