Solved

Can I move the certificate authority to a new server without renaming the server?

Posted on 2007-11-25
Last Modified: 2010-05-18
I am running a Windows 2003 domain. I have 1 Windows 2003 member server, 1 Windows 2003 domain controller and 1 Windows 2003 server running Exchange 2003, also a member server. OWA and RPC over HTTPS are configured on the Exchange server. I am using a certificate authority which is running on the member server; the certificates for OWA and RPC are issued by the certificate authority.

I need to accomplish two things:
1.  Move the certificate authority to the Exchange server
2.  Promote the member server to a domain controller
What impact will this have on the certificates already issued by the certificate authority? Can I move the certificate authority to a new server without renaming the server? I want to minimize the impact this has on remote users, especially those using RPC over HTTPS.
Question by:jforville

Expert Comment

by:Vegaskid1973
ID: 20349944
This is my understanding of the situation:

If you 'move' the CA to a new computer, it effectively becomes a new CA, and the 'old' CA is now offline permanently. There is no chain of trust from the certificate to the CA that signed it.

Author Comment

by:jforville
ID: 20350426
For clarification, are you saying that certificates already issued will not be affected if I blow away the current certificate authority and set up a new certificate authority on a new box?

Accepted Solution

by:
Vegaskid1973 earned 500 total points
ID: 20350721
No, if you take the CA offline and it's a standalone CA, your already issued certificates will not be able to confirm its identity, as it's now got a new name. It also depends on what you use certificates for. My knowledge of certificates has been nothing more than academic for 3 years since I last had hands-on experience, so excuse my vagueness! ;-)

CAs work by using a chain of trust. Issued certificates trust the issuer. In a hierarchy, issuing CAs trust intermediate CAs, which in turn trust a master CA, which is quite often turned offline for security purposes. If you only have the one CA, and for example you use certificates for remote access, how can the remote access server validate the certificate if the issuing CA is not there anymore?

Hope this is a bit clearer.


Expert Comment

by:Vegaskid1973
ID: 20350739
If you have many certificates already issued out there, I would consider an interim period where both CAs are active, independently of each other. Prevent the old CA from issuing new certs, and think of a quick and painless method for getting new certs issued from the new CA to replace the old ones...perhaps a combination of auto-enrollment and group policy?

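To size the reissue work suggested in the comment above, the following PowerShell function lists the certificates in a machine's stores that chain to the old CA's certificate. It is an added example, not part of the original thread; it assumes PowerShell 2.0 or later, and the function name and the `.cer` path are hypothetical.

```powershell
# Added example: inventory certificates that chain to the old CA certificate.
# Get-CertIssuedByOldCa and the .cer path in the usage line are hypothetical names.
function Get-CertIssuedByOldCa {
    param(
        [Parameter(Mandatory = $true)][string]$OldCaCertPath,
        [string[]]$Store = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )

    # Load the old CA's exported certificate (public part only, no private key needed).
    $caFile = (Resolve-Path $OldCaCertPath).Path
    $oldCa  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $caFile

    foreach ($path in $Store) {
        foreach ($cert in Get-ChildItem -Path $path) {
            if ($cert.Thumbprint -eq $oldCa.Thumbprint) { continue }   # skip the CA cert itself

            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Revocation is not checked here: this pass only answers "who issued it".
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            # Make the old CA cert available for chain building even if it is not installed.
            [void]$chain.ChainPolicy.ExtraStore.Add($oldCa)
            # Build() may return $false (e.g. untrusted root); the elements are still populated.
            [void]$chain.Build($cert)

            $viaOldCa = $false
            foreach ($element in $chain.ChainElements) {
                if ($element.Certificate.Thumbprint -eq $oldCa.Thumbprint) { $viaOldCa = $true }
            }

            if ($viaOldCa) {
                New-Object PSObject -Property @{
                    Store         = $path
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                }
            }
        }
    }
}

# Usage (placeholder path): certificates to replace, soonest expiry first.
# Get-CertIssuedByOldCa -OldCaCertPath 'C:\temp\old-ca.cer' | Sort-Object NotAfter
```

The match is on the thumbprint of one specific CA certificate, so a CA whose own certificate was renewed needs one run per CA certificate.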
Author Comment

by:jforville
ID: 20790705
We will be moving forward with removing the CA on the current server, setting up a new CA, and deploying new certificates to the users.

Thank you for your comments.
