• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 256
  • Last Modified:

Certificate services

Dear Frinds!
my question is regarding uninstalling an enterprise certificate authority, we have currently a Windows2000 DC with a windows2003 DC replica, I've nearly migrated all services from the win2000 dc to win2003dc replica, in order to sometime get rid of win2000 and seize its roles and move it to win2003 dc, one thing I did also is I removed the CA certificate auth from the win2000 dc , acually it was only used to create a certificate for isa to publish exchange.
1- is there any impact on the Domain after I removed the CA auth?
2- what things I should also do to clean-up after removal of the enterprise ca in the domain, specially if I want to install a new one later in case I need it?
3-later I want to setup a VPN based on radius and Certificates, is it nessesery to have enterprise CA auth,or a standalone will also do?
4-what is the prefered location of enterprise CA installation, meaning, should I install on DC or can it be located with exchange (domain Member)?

with regards

jordi
0
jordi67
Asked:
jordi67
1 Solution
 
Redwulf__53Commented:
1 - If you are sure it was only used for OWA, there will be little impact. If certificates were also issued based on an Autoenrollment Policy, you will need to rebuild the PKI infrastructure immediately. You will need to create a new CA to issue a new certificate for OWA before the existing one expires.
2 - None under normal circumstances.
3 - A stand-alone CA will do, but users can only self-enroll for certificates if it is AD Integrated (=Enterprise).
4 - Preferred setup (from security standpoint) is to install the Root CA on a dedicated machine (member server), and a Subordinate CA on another member server. Then the root CA is taken offline and stored in a physically secure location, to ensure the integrity of the Private Key pair, and only put back online to renew its own certificate/subordinate CA certificates or when a new Subordinate CA is added to the infrastructure. Obviously if you only use a single certificate only for Server authentication (OWA), this would be overkill and a single Root CA on a secure machine in the network will suffice, but remember it will be a compromise.



0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now