[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Can I move the certificate authority to a new server without renaming the server?

Posted on 2007-11-25
5
Medium Priority
?
1,168 Views
Last Modified: 2010-05-18
I am running a windows 2003 domain. I have 1 windows 2003 member server, 1 windows 2003 domain controller and 1 windows 2003 server running exchange 2003 also a member server;  OWA and RPC over https is configured on exchange server; I am using a certificate authority which is running on member server; the certificates for OWA and RPC are issued by the certificate authority.

I need to accomplish two things;
1.  Move the certificate authority to the exchange server
2.  Promote the member server to a domain controller
What impact will this have on the certificates already issued by the certificate authority? Can I move the certificate authority to a new server without renaming the server? I want to minimize the impact this has on remote users, especially those using RPC over https.
0
Comment
Question by:jforville
  • 3
  • 2
5 Comments
 
LVL 2

Expert Comment

by:Vegaskid1973
ID: 20349944
This is my understanding of the situation:

If you 'move' the CA to a new computer, it effectively becomes a new CA, and the 'old' CA is now offline permanently. There is no chain of trust from the certificate to the CA that signed it.
0
 

Author Comment

by:jforville
ID: 20350426
For clarification, are you saying that certificates already issued will not be affected if I blow away the current certificate authority and setup a new certificate authority on a new box?  
0
 
LVL 2

Accepted Solution

by:
Vegaskid1973 earned 2000 total points
ID: 20350721
No, if you take the CA offline and its a standalone CA, your already issued certificates will not be able to confirm its identity, as its now got a new name. It also depends on what you use certificates for. My knowledge of certificates has been nothing more than academic for 3 years since I last had hands on experience, so excuse my vagueness! ;-)

CA's work by using a chain of trust. Issued certificates trust the issuer. In a hierarchy, issuing CAs trust intermediate CAs, which in turn trust a master CA, which is quite often turned offline for security purposes. If you only have the one CA, and for example you use certificates for remote access, how can the remote access server validate the certificate if the issuing CA is not there anymore?

Hope this is a bit clearer.

0
 
LVL 2

Expert Comment

by:Vegaskid1973
ID: 20350739
If you have many certificates already issued out there, I would consider an interim period where both CAs are active, independently of each other. Prevent the old CA from issuing new certs, and think of a quick and painless method for getting new certs issued from the new CA to replace the old ones...perhaps a combination of auto-enrollment and group policy?
0
 

Author Comment

by:jforville
ID: 20790705
We will be moving forward with removing the CA on the current server, setting up a new CA, and deploying new certificates to the users.

Thank you for your comments.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
Stellar Exchange Toolkit: this 5 in 1 toolkit comes loaded with mega-software tool. Here’s an introduction to tools’ usage and advantages:
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Suggested Courses
Course of the Month18 days, 12 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question