Solved

Can I move the certificate authority to a new server without renaming the server?

Posted on 2007-11-25
5
1,155 Views
Last Modified: 2010-05-18
I am running a windows 2003 domain. I have 1 windows 2003 member server, 1 windows 2003 domain controller and 1 windows 2003 server running exchange 2003 also a member server;  OWA and RPC over https is configured on exchange server; I am using a certificate authority which is running on member server; the certificates for OWA and RPC are issued by the certificate authority.

I need to accomplish two things;
1.  Move the certificate authority to the exchange server
2.  Promote the member server to a domain controller
What impact will this have on the certificates already issued by the certificate authority? Can I move the certificate authority to a new server without renaming the server? I want to minimize the impact this has on remote users, especially those using RPC over https.
0
Comment
Question by:jforville
  • 3
  • 2
5 Comments
 
LVL 2

Expert Comment

by:Vegaskid1973
ID: 20349944
This is my understanding of the situation:

If you 'move' the CA to a new computer, it effectively becomes a new CA, and the 'old' CA is now offline permanently. There is no chain of trust from the certificate to the CA that signed it.
0
 

Author Comment

by:jforville
ID: 20350426
For clarification, are you saying that certificates already issued will not be affected if I blow away the current certificate authority and setup a new certificate authority on a new box?  
0
 
LVL 2

Accepted Solution

by:
Vegaskid1973 earned 500 total points
ID: 20350721
No, if you take the CA offline and its a standalone CA, your already issued certificates will not be able to confirm its identity, as its now got a new name. It also depends on what you use certificates for. My knowledge of certificates has been nothing more than academic for 3 years since I last had hands on experience, so excuse my vagueness! ;-)

CA's work by using a chain of trust. Issued certificates trust the issuer. In a hierarchy, issuing CAs trust intermediate CAs, which in turn trust a master CA, which is quite often turned offline for security purposes. If you only have the one CA, and for example you use certificates for remote access, how can the remote access server validate the certificate if the issuing CA is not there anymore?

Hope this is a bit clearer.

0
 
LVL 2

Expert Comment

by:Vegaskid1973
ID: 20350739
If you have many certificates already issued out there, I would consider an interim period where both CAs are active, independently of each other. Prevent the old CA from issuing new certs, and think of a quick and painless method for getting new certs issued from the new CA to replace the old ones...perhaps a combination of auto-enrollment and group policy?
0
 

Author Comment

by:jforville
ID: 20790705
We will be moving forward with removing the CA on the current server, setting up a new CA, and deploying new certificates to the users.

Thank you for your comments.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question