Solved

Certificate services

Posted on 2006-06-21
Last Modified: 2013-12-04
Dear Friends!
My question is regarding uninstalling an enterprise certificate authority. We currently have a Windows 2000 DC with a Windows 2003 DC replica. I've nearly migrated all services from the Win2000 DC to the Win2003 DC replica, in order to get rid of Win2000 at some point, seize its roles and move them to the Win2003 DC. One thing I also did is remove the CA (certificate authority) from the Win2000 DC; actually it was only used to create a certificate for ISA to publish Exchange.
1- Is there any impact on the domain after I removed the CA?
2- What things should I also do to clean up after removal of the enterprise CA in the domain, especially if I want to install a new one later in case I need it?
3- Later I want to set up a VPN based on RADIUS and certificates. Is it necessary to have an enterprise CA, or will a standalone also do?
4- What is the preferred location for an enterprise CA installation, meaning, should I install it on a DC or can it be located with Exchange (domain member)?

with regards

jordi
Question by:jordi67
Accepted Solution

by:
Redwulf__53 earned 250 total points
ID: 16950439
1 - If you are sure it was only used for OWA, there will be little impact. If certificates were also issued based on an Autoenrollment Policy, you will need to rebuild the PKI infrastructure immediately. You will need to create a new CA to issue a new certificate for OWA before the existing one expires.
2 - None under normal circumstances.
3 - A stand-alone CA will do, but users can only self-enroll for certificates if it is AD Integrated (=Enterprise).
4 - Preferred setup (from a security standpoint) is to install the Root CA on a dedicated machine (member server), and a Subordinate CA on another member server. Then the root CA is taken offline and stored in a physically secure location, to ensure the integrity of the Private Key pair, and only put back online to renew its own certificate/subordinate CA certificates or when a new Subordinate CA is added to the infrastructure. Obviously if you use only a single certificate for Server authentication (OWA), this would be overkill and a single Root CA on a secure machine in the network will suffice, but remember it will be a compromise.
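
For questions 1 and 2, a read-only PowerShell check (an added example, not part of the original answer) that lists the directory objects an enterprise CA publishes under CN=Public Key Services in the configuration partition, and the certificates in the local machine store that were issued by the removed CA, with their expiry dates. `EXAMPLE-OLD-CA` is a placeholder for the old CA's common name, and the certificate-store part is meant to be run on the server that holds the OWA certificate.

```powershell
# Added example: read-only inventory; nothing in AD or the certificate store is changed.
# Assumption: $OldCaName is a placeholder for the common name of the removed CA.
$OldCaName = 'EXAMPLE-OLD-CA'

# An enterprise CA publishes objects under this container in the configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

$containers = 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services', 'KRA'

$adObjects = foreach ($name in $containers) {
    try {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot  = [ADSI]"LDAP://CN=$name,$pkiBase"
        $searcher.SearchScope = 'Subtree'
        $searcher.Filter      = "(cn=$OldCaName*)"   # prefix match on the CA name
        foreach ($hit in $searcher.FindAll()) {
            [pscustomobject]@{
                Container = $name
                DN        = [string]$hit.Properties['distinguishedname'][0]
            }
        }
    } catch {
        # A container may be missing or unreadable; report it and keep going.
        Write-Warning "Could not search CN=${name}: $($_.Exception.Message)"
    }
}

# Certificates on this machine issued by the old CA, soonest expiry first.
# These keep working until NotAfter but cannot be renewed by the removed CA.
$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$OldCaName*" } |
    Sort-Object NotAfter |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } }

"AD objects still published for ${OldCaName}: $(@($adObjects).Count)"
$adObjects | Format-Table -AutoSize
"Local certificates issued by ${OldCaName}: $(@($issued).Count)"
$issued | Format-Table -AutoSize
```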


