?
Solved

Can I move the certificate authority to a new server without renaming the server?

Posted on 2007-11-25
5
Medium Priority
?
1,162 Views
Last Modified: 2010-05-18
I am running a windows 2003 domain. I have 1 windows 2003 member server, 1 windows 2003 domain controller and 1 windows 2003 server running exchange 2003 also a member server;  OWA and RPC over https is configured on exchange server; I am using a certificate authority which is running on member server; the certificates for OWA and RPC are issued by the certificate authority.

I need to accomplish two things;
1.  Move the certificate authority to the exchange server
2.  Promote the member server to a domain controller
What impact will this have on the certificates already issued by the certificate authority? Can I move the certificate authority to a new server without renaming the server? I want to minimize the impact this has on remote users, especially those using RPC over https.
0
Comment
Question by:jforville
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 2

Expert Comment

by:Vegaskid1973
ID: 20349944
This is my understanding of the situation:

If you 'move' the CA to a new computer, it effectively becomes a new CA, and the 'old' CA is now offline permanently. There is no chain of trust from the certificate to the CA that signed it.
0
 

Author Comment

by:jforville
ID: 20350426
For clarification, are you saying that certificates already issued will not be affected if I blow away the current certificate authority and setup a new certificate authority on a new box?  
0
 
LVL 2

Accepted Solution

by:
Vegaskid1973 earned 2000 total points
ID: 20350721
No, if you take the CA offline and its a standalone CA, your already issued certificates will not be able to confirm its identity, as its now got a new name. It also depends on what you use certificates for. My knowledge of certificates has been nothing more than academic for 3 years since I last had hands on experience, so excuse my vagueness! ;-)

CA's work by using a chain of trust. Issued certificates trust the issuer. In a hierarchy, issuing CAs trust intermediate CAs, which in turn trust a master CA, which is quite often turned offline for security purposes. If you only have the one CA, and for example you use certificates for remote access, how can the remote access server validate the certificate if the issuing CA is not there anymore?

Hope this is a bit clearer.

0
 
LVL 2

Expert Comment

by:Vegaskid1973
ID: 20350739
If you have many certificates already issued out there, I would consider an interim period where both CAs are active, independently of each other. Prevent the old CA from issuing new certs, and think of a quick and painless method for getting new certs issued from the new CA to replace the old ones...perhaps a combination of auto-enrollment and group policy?
0
 

Author Comment

by:jforville
ID: 20790705
We will be moving forward with removing the CA on the current server, setting up a new CA, and deploying new certificates to the users.

Thank you for your comments.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
how to add IIS SMTP to handle application/Scanner relays into office 365.
Suggested Courses
Course of the Month8 days, 19 hours left to enroll

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question