Can I safely Remove our certificate authority in our Active Directory network?

We currently have a root ca setup on a 2003 std box.  I only used it for one self signed cert.  I noticed that it has given out certs to domain controllers.  If I remove ca from this server will this break anything?  I want to install ca on our 2003 enterprise server to take advantage of windows mobile device manager.  I want it to be the root ca instead of a subordinate that is why I want to remove it from one server.  Also what if I want to phase out one of these ca's, how could I do this without causing issues?


Who is Participating?
ParanormasticConnect With a Mentor Cryptographic EngineerCommented:
How to decom a CA server properly from AD:
How to move a CA to another server:

Also, as a side note, you might want to reconsider not having a two tier infrastructure.  You may not need it now, but you might really want it later.  This makes things easier when dealing with multiple domains, migrating CA's, handling extra load, etc.  Keep the root offline - don't even join it to a domain, that way it is domain independent and will not be affected by whatever you do to your domain.  2003 or 2008 standard edition is fine for creating and enterprise root CA, for the issuing subordinate, use 2003 or 2008 enterprise edition.  

Usually setting up the root in a VM environment helps cut the cost down a little bit, and you can configure a private network between the root and subordinate for pushing the CRL over - just create a script to publish the CRL 'certuti -crl' to run every 1/2 the CRL validity period specified in the CA console.  Then just map a drive to the sub CA and copy it over there, then have the sub CA copy that and its own CRL to the CRL distribution points.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.