Can I safely Remove our certificate authority in our Active Directory network?

Posted on 2008-11-04
Last Modified: 2012-05-05
We currently have a root ca setup on a 2003 std box.  I only used it for one self signed cert.  I noticed that it has given out certs to domain controllers.  If I remove ca from this server will this break anything?  I want to install ca on our 2003 enterprise server to take advantage of windows mobile device manager.  I want it to be the root ca instead of a subordinate that is why I want to remove it from one server.  Also what if I want to phase out one of these ca's, how could I do this without causing issues?


Question by:LSB-IT
    1 Comment
    LVL 31

    Accepted Solution

    How to decom a CA server properly from AD:
    How to move a CA to another server:

    Also, as a side note, you might want to reconsider not having a two tier infrastructure.  You may not need it now, but you might really want it later.  This makes things easier when dealing with multiple domains, migrating CA's, handling extra load, etc.  Keep the root offline - don't even join it to a domain, that way it is domain independent and will not be affected by whatever you do to your domain.  2003 or 2008 standard edition is fine for creating and enterprise root CA, for the issuing subordinate, use 2003 or 2008 enterprise edition.  

    Usually setting up the root in a VM environment helps cut the cost down a little bit, and you can configure a private network between the root and subordinate for pushing the CRL over - just create a script to publish the CRL 'certuti -crl' to run every 1/2 the CRL validity period specified in the CA console.  Then just map a drive to the sub CA and copy it over there, then have the sub CA copy that and its own CRL to the CRL distribution points.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
    Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now