Solved

Certificate services

Posted on 2006-06-21
1
248 Views
Last Modified: 2013-12-04
Dear Frinds!
my question is regarding uninstalling an enterprise certificate authority, we have currently a Windows2000 DC with a windows2003 DC replica, I've nearly migrated all services from the win2000 dc to win2003dc replica, in order to sometime get rid of win2000 and seize its roles and move it to win2003 dc, one thing I did also is I removed the CA certificate auth from the win2000 dc , acually it was only used to create a certificate for isa to publish exchange.
1- is there any impact on the Domain after I removed the CA auth?
2- what things I should also do to clean-up after removal of the enterprise ca in the domain, specially if I want to install a new one later in case I need it?
3-later I want to setup a VPN based on radius and Certificates, is it nessesery to have enterprise CA auth,or a standalone will also do?
4-what is the prefered location of enterprise CA installation, meaning, should I install on DC or can it be located with exchange (domain Member)?

with regards

jordi
0
Comment
Question by:jordi67
1 Comment
 
LVL 16

Accepted Solution

by:
Redwulf__53 earned 250 total points
ID: 16950439
1 - If you are sure it was only used for OWA, there will be little impact. If certificates were also issued based on an Autoenrollment Policy, you will need to rebuild the PKI infrastructure immediately. You will need to create a new CA to issue a new certificate for OWA before the existing one expires.
2 - None under normal circumstances.
3 - A stand-alone CA will do, but users can only self-enroll for certificates if it is AD Integrated (=Enterprise).
4 - Preferred setup (from security standpoint) is to install the Root CA on a dedicated machine (member server), and a Subordinate CA on another member server. Then the root CA is taken offline and stored in a physically secure location, to ensure the integrity of the Private Key pair, and only put back online to renew its own certificate/subordinate CA certificates or when a new Subordinate CA is added to the infrastructure. Obviously if you only use a single certificate only for Server authentication (OWA), this would be overkill and a single Root CA on a secure machine in the network will suffice, but remember it will be a compromise.



0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now