Can I move the certificate authority to a new server without renaming the server?

I am running a windows 2003 domain. I have 1 windows 2003 member server, 1 windows 2003 domain controller and 1 windows 2003 server running exchange 2003 also a member server;  OWA and RPC over https is configured on exchange server; I am using a certificate authority which is running on member server; the certificates for OWA and RPC are issued by the certificate authority.

I need to accomplish two things;
1.  Move the certificate authority to the exchange server
2.  Promote the member server to a domain controller
What impact will this have on the certificates already issued by the certificate authority? Can I move the certificate authority to a new server without renaming the server? I want to minimize the impact this has on remote users, especially those using RPC over https.
jforvilleAsked:
Who is Participating?
 
Vegaskid1973Connect With a Mentor Commented:
No, if you take the CA offline and its a standalone CA, your already issued certificates will not be able to confirm its identity, as its now got a new name. It also depends on what you use certificates for. My knowledge of certificates has been nothing more than academic for 3 years since I last had hands on experience, so excuse my vagueness! ;-)

CA's work by using a chain of trust. Issued certificates trust the issuer. In a hierarchy, issuing CAs trust intermediate CAs, which in turn trust a master CA, which is quite often turned offline for security purposes. If you only have the one CA, and for example you use certificates for remote access, how can the remote access server validate the certificate if the issuing CA is not there anymore?

Hope this is a bit clearer.

0
 
Vegaskid1973Commented:
This is my understanding of the situation:

If you 'move' the CA to a new computer, it effectively becomes a new CA, and the 'old' CA is now offline permanently. There is no chain of trust from the certificate to the CA that signed it.
0
 
jforvilleAuthor Commented:
For clarification, are you saying that certificates already issued will not be affected if I blow away the current certificate authority and setup a new certificate authority on a new box?  
0
 
Vegaskid1973Commented:
If you have many certificates already issued out there, I would consider an interim period where both CAs are active, independently of each other. Prevent the old CA from issuing new certs, and think of a quick and painless method for getting new certs issued from the new CA to replace the old ones...perhaps a combination of auto-enrollment and group policy?
0
 
jforvilleAuthor Commented:
We will be moving forward with removing the CA on the current server, setting up a new CA, and deploying new certificates to the users.

Thank you for your comments.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.