Certificate services

Posted on 2006-06-21
Last Modified: 2013-12-04
Dear Friends!
My question is regarding uninstalling an enterprise certificate authority. We currently have a Windows 2000 DC with a Windows 2003 DC replica. I've nearly migrated all services from the Win2000 DC to the Win2003 DC replica, in order to eventually get rid of Win2000, seize its roles and move them to the Win2003 DC. One thing I also did is remove the CA (certificate authority) from the Win2000 DC; actually, it was only used to create a certificate for ISA to publish Exchange.
1- Is there any impact on the domain after I removed the CA?
2- What things should I also do to clean up after removal of the enterprise CA in the domain, especially if I want to install a new one later in case I need it?
3- Later I want to set up a VPN based on RADIUS and certificates. Is it necessary to have an enterprise CA, or will a standalone one also do?
4- What is the preferred location for an enterprise CA installation, meaning, should I install it on a DC, or can it be located with Exchange (a domain member)?

With regards

jordi
Question by:jordi67
Accepted Solution

by: Redwulf__53 earned 1000 total points
ID: 16950439
1 - If you are sure it was only used for OWA, there will be little impact. If certificates were also issued based on an Autoenrollment Policy, you will need to rebuild the PKI infrastructure immediately. You will need to create a new CA to issue a new certificate for OWA before the existing one expires.
2 - None under normal circumstances.
3 - A stand-alone CA will do, but users can only self-enroll for certificates if it is AD Integrated (=Enterprise).
4 - Preferred setup (from a security standpoint) is to install the Root CA on a dedicated machine (member server), and a Subordinate CA on another member server. Then the root CA is taken offline and stored in a physically secure location, to ensure the integrity of the private key pair, and only put back online to renew its own certificate/subordinate CA certificates or when a new Subordinate CA is added to the infrastructure. Obviously, if you only use a single certificate for server authentication (OWA), this would be overkill and a single Root CA on a secure machine in the network will suffice, but remember it will be a compromise.
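As an added example (not part of the thread, and not from either participant), the following PowerShell inventory covers points 1 and 2 of the accepted answer: it shows what an uninstalled enterprise CA may have left registered in Active Directory, and which local certificates still chain to it and therefore set the deadline for standing up a replacement. It assumes the RSAT ActiveDirectory module on a domain-joined host; `$RemovedCaName` is a placeholder for the removed CA's common name.

```powershell
# Added example: check what an uninstalled enterprise CA left behind in AD and
# which local certificates still chain to it. Assumes the RSAT ActiveDirectory
# module; $RemovedCaName is a placeholder for the removed CA's common name.
Import-Module ActiveDirectory
$RemovedCaName = 'OLDCA-PLACEHOLDER'

$cfg = (Get-ADRootDSE).configurationNamingContext
$pki = "CN=Public Key Services,CN=Services,$cfg"

# 1. Enrollment Services: one pKIEnrollmentService object per registered enterprise CA.
#    A stale entry here makes clients keep trying to autoenroll against a CA that is gone.
Write-Host "== Enterprise CAs still registered for enrollment =="
Get-ADObject -SearchBase "CN=Enrollment Services,$pki" -SearchScope OneLevel -Filter * -Properties dNSHostName |
    ForEach-Object {
        $flag = if ($_.Name -eq $RemovedCaName) { '  <-- STALE: removed CA still registered' } else { '' }
        "{0} on {1}{2}" -f $_.Name, $_.dNSHostName, $flag
    }

# 2. NTAuthCertificates: CAs trusted to issue logon certificates (smart card, EAP-TLS for VPN).
#    Each value is a DER-encoded certificate; decode it to read subject and expiry.
Write-Host "`n== CA certificates in NTAuthCertificates =="
$ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,$pki" -Properties cACertificate
foreach ($blob in $ntauth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$blob)
    $flag = if ($cert.Subject -like "*CN=$RemovedCaName*") { '  <-- belongs to the removed CA' } else { '' }
    "{0}  expires {1:yyyy-MM-dd}  {2}{3}" -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint, $flag
}

# 3. Local machine certificates issued by the removed CA (e.g. the OWA/ISA web certificate).
#    They keep working until NotAfter; that date is the deadline for issuing a replacement.
Write-Host "`n== Local machine certificates issued by $RemovedCaName =="
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$RemovedCaName*" } |
    Sort-Object NotAfter |
    ForEach-Object {
        $days = [int]($_.NotAfter - (Get-Date)).TotalDays
        "{0}  expires {1:yyyy-MM-dd} ({2} days left)  {3}" -f $_.Subject, $_.NotAfter, $days, $_.Thumbprint
    }
```

Run section 3 on each server that held a certificate from the old CA (the ISA/Exchange box in this thread), since the local store check only sees the machine it runs on.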