Moving AD Certificate Authority

I've previously posted a related question on this topic but haven't resolved things yet and in the meantime the issue has kind of morphed into something a little different.  So I'm going to try again.

Here's the CA setup as it exists now:

* Old-AD-RootCA (Win Server 2008 Std, moved from 2003 Std, not 100% successfully)
   -- Old Subordinate CA #1 (Win 2003 Std, Domain Controller)
   -- Old Subordinate CA #2 (Exchange 2003 server, not a domain controller)
* New-AD-RootCA (Win Server 2008 Std, not a d/c, healthy CA)

Yes I have 2 CAs in AD.  Bad.

The old CAs are working etc. even though the old root CA's templates are messed up and I don't know how to fix it.  The new CA is working, can issue new certificates.  Both the old CA and the new CA are in AD as Trusted Root Certification Authorities for the domain.

We don't need a complex PKI setup.  We're not using EFS.  A single-tier CA seems fine to me, although I may need the Exchange server as a subordinate to the new CA because of Outlook Web Access via ISA server.  

OK, so what I want to do seems simple in concept but I don't know how to execute it seamlessly.  At the simplest level I want to revoke all current client & non-DC machine certificates that were issued by the old root CA, and have the clients & machines automatically obtain new certificates from the new CA as needed.  Presumably I also need to issue new certificates to domain controllers somehow.  BTW, AD GPO is set up for auto-enrollment in the default domain policy.

If I remove the old root CA from the Trusted Root Certificate Authorities in AD GPO, leaving only the new root CA, will the migration eventually take place on its own?  Can I speed it up by manually revoking the old certificates?  Do I do that before, or after, deleting the old CA from GPO?  Seems like I would need to have the old CA available for CRL to work correctly.

And how do I "retarget" a subordinate CA to the new root CA?  I have to revoke all the certificates the subordinates have issued too, right?

And what do I do about templates?  The whole template issue eludes me, and keep in mind templates are "broken" for the old root CA too.

Any advice will be greatly appreciated.  Thanks.  I know this is kind of a mess.

Paranormastic (Cryptographic Engineer) commented:
>> the old root CA's templates are messed up
-- With standard edition you don't have template access, you need enterprise edition OS

>> although I may need the Exchange server as a subordinate to the new CA because of Outlook Web Access via ISA server
-- Irrelevant.  You don't need to have a CA set up on your Exchange box.  
However, I do recommend having a 2nd tier CA set up so you can have the root offline, but have it on a less used box as you really don't want to share your Exchange with anything else if you can help it.  Pick something running Enterprise edition if possible so you can take advantage of templates and other things.  I recommended the root to be Standard edition before because it does not need templates and such since its purpose is to manage the issuing Enterprise Subordinate CA.  If you are thinking of just upgrading the Std to Ent for the CA, either fresh install or let me know if you are going to in-place upgrade the edition, as there is something special you need to do if you change the SKU on a CA.

AD GPO does not make all certs autoenrolled - also make sure to check the templates' permissions to make sure read, enroll, autoenroll are selected.

Go ahead and remove root from GPO first.  Also, issue the templates from the CA MMC - certificate templates folder - all tasks - new template to issue - and assign the desired templates (is ok if still in use on other CA).  Then delete the templates from any of the old issuing CA servers in the CA MMC to 'unissue' (do not delete from Certificate Templates MMC or they will be actually deleted).  Makes it less confusing for autoenrollment to figure out where to go.

After all that, then start revoking.  If you are going to move any of the existing CA servers under the new root, this would be the time to do it.  You should revoke all certs issued under the previous subordinate CA servers, open CA MMC - properties of Revoked Certificates and extend the CRL lifetime to the expiration date of the CA cert, then issue one last CRL and copy that to the CDP locations.  Repeat on the root to revoke the sub CA certs.  You cannot revoke the root cert.

For your DC servers do this
certutil -dcinfo deletebad       ; this will clear out invalid certs that are now revoked
certutil -pulse        ; this will check for autoenrollment events to get new cert from new CA
then reboot the DC - this is required to start using the new certificate instead of the cached version of the old one.  Consider rolling reboots since these are DCs, just to be safe.

After DCs are back up, run certutil -pulse and/or reboot (note certutil is not on XP, need to get 2003 adminpak).  I would plan to just reboot everything, personally (send an email to your users to power down that night, when they come in they will get updated).

Don't plan to try to transfer the old CA over to the new root CA, there is no point to it.  You can uninstall cert services and reinstall it clean on the same box if you wish to reuse it.  Here is a basic setup guide:

Don't worry about the online responder (OCSP) stuff in there.  It's pretty cool but it can wait if you really want to do that some day, and if you are a smaller company then it just isn't worth it in most cases.

Make sure to run a full backup of each machine including system state before doing any of this stuff, just in case.

Hopefully I answered all your questions, if not just let me know what you aren't sure about.
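The decommissioning steps in the answer above (revoke everything the old CA issued, stretch the CRL to the CA certificate's expiry, publish one last CRL, then clean up the DCs with certutil) can be scripted. The block below is an added example, not code from this thread or from Microsoft; it assumes it runs in an elevated PowerShell on the old CA itself, the CA config string "OLDSUB01\Old Subordinate CA 1" is a placeholder for your own host\CA name, and the dates certutil prints parse in the machine's current locale. Without -Commit it only reports what it would do.

```powershell
# Added example, not code from the thread: scripts the decommissioning steps
# described above for an old issuing CA on Windows Server 2008.
# Assumptions: run in an elevated PowerShell on the old CA itself (so -setreg,
# Restart-Service and -CRL act locally); the CA config string is a placeholder
# for your own "host\CA name"; dates from certutil parse in the current locale.
param(
    [string]$CAConfig = 'OLDSUB01\Old Subordinate CA 1',  # placeholder, not from the thread
    [switch]$Commit                                        # without -Commit nothing is changed
)

$CessationOfOperation = 5   # revocation reason code understood by "certutil -revoke"

function Get-IssuedCertificates {
    # Issued (Disposition=20) certificates from the CA database. certutil's csv
    # header uses display names, so columns are read positionally, not by name.
    param([string]$Config)
    $raw = certutil -config $Config -restrict 'Disposition=20' `
                    -out 'RequestID,SerialNumber,NotAfter,CertificateTemplate' -view csv
    $raw | Where-Object { $_ -match '^"' } | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header 'RequestID','SerialNumber','NotAfter','Template' |
        ForEach-Object {
            New-Object psobject -Property @{
                RequestID    = [int]$_.RequestID
                SerialNumber = $_.SerialNumber
                NotAfter     = [datetime]::Parse($_.NotAfter)
                Template     = $_.Template
            }
        }
}

function Get-CACertificate {
    # Export the CA's own certificate so its NotAfter can bound the CRL period.
    param([string]$Config)
    $file = Join-Path $env:TEMP 'old-ca.cer'
    certutil -config $Config -ca.cert $file | Out-Null
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
}

function Invoke-DCCertificateRefresh {
    # Run on each domain controller once the old CA's final CRL is reachable:
    # drop the now-revoked DC certificates, trigger autoenrollment against the
    # new CA, then reboot (one DC at a time) so the cached old cert is released.
    certutil -dcinfo deleteBad
    certutil -pulse
    # Restart-Computer -Force
}

# 1. Revoke every unexpired certificate the old CA issued.
$now    = Get-Date
$active = @(Get-IssuedCertificates -Config $CAConfig | Where-Object { $_.NotAfter -gt $now })
"{0} unexpired certificate(s) to revoke" -f $active.Count
foreach ($c in $active) {
    "  serial {0}  template {1}  expires {2:d}" -f $c.SerialNumber, $c.Template, $c.NotAfter
    if ($Commit) { certutil -config $CAConfig -revoke $c.SerialNumber $CessationOfOperation | Out-Null }
}

# 2. Extend the CRL lifetime up to the CA certificate's own expiry. The CA caps
#    NextUpdate at that date anyway, so asking for more gains nothing.
$caCert = Get-CACertificate -Config $CAConfig
$weeks  = [int][math]::Ceiling(($caCert.NotAfter - $now).TotalDays / 7)
"CA certificate expires {0:d}; CRL period will be {1} week(s)" -f $caCert.NotAfter, $weeks
if ($Commit) {
    certutil -setreg CA\CRLPeriodUnits $weeks | Out-Null
    certutil -setreg CA\CRLPeriod 'Weeks'     | Out-Null
    Restart-Service CertSvc            # registry changes are read at service start
    # 3. Issue the one last CRL; copy it from the CA's CertEnroll folder to every CDP location.
    certutil -CRL | Out-Null
}
```

Run it once without -Commit to review the revocation list, then with -Commit. Invoke-DCCertificateRefresh is meant to be pasted into a session on each DC after the final CRL is published and copied to the CDP locations, since the DC has to be able to fetch that CRL for the revoked certificates to count as invalid.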


IT-Monkey-Dave (Author) commented:
Some additional background info regarding Enterprise Edition & Standard Edition, and templates...
The domain was originally created using Windows 2000 Enterprise Edition.  I believe that's where the domain's original CA was, but am not positive.  Somewhere along the way the CA "migrated" (correctly or not) from Server 2000 Enterprise to Server 2003 Std and had worked ok that way for several years.
A few months ago I migrated the CA from the old 2003 server to 2008, apparently not entirely successfully.  Anyway I guess the point is Enterprise Edition was initially a factor, but isn't now.  There is currently no Enterprise Edition remaining of any release.  Only 2003 and 2008 Standard.
Does this mean there are templates associated with issued certificates, but no CA now that can manage the templates?  If I revoke all old certificates, whether or not they're associated with an old certificate authority that did or did not support templates, does the template issue become moot?
I must be dense (in fact I'm sure I am); I do not get the ramifications of the templates issue.  And when I do a fresh Certificate Services install on a 2008 Server Std. Edition domain member server, certsrv shows there are 8 Certificate Templates under the new CA.  Are those coming from objects already in AD?
Thanks for your assistance and patience in helping me understand this.
Paranormastic (Cryptographic Engineer) commented:
>>does the template issue become moot?
Pretty much, yes.  Unless you want to use templates again.  All that takes is installing a CA on Ent ed. OS for 03 or 08 and then opening up Cert Templates MMC (certtmpl.msc); when it opens it runs a quick check and if templates are not there or are outdated will update them.   Also make sure your AD is at the highest functional level it can be so you can get the newest versions of certs (2000 = v1, 03 = v2, 08 = v3).  2003 is really the biggest improvement, 08 added some nice stuff but not nearly as dramatic a change as from 2k.

Templates are a convenient way to manage multiple types of certs.  If you just issue a couple basic types, there are a couple default types that you can use (user vs. machine pretty much) and you can use a request.inf file to be more specific than that if desired without using templates.  Templates are just so much easier, and allow for autoenrollment of your custom templates.

>> Are those coming from objects already in AD?
Yes.  As long as there is still a CA in AD then it will not wipe the templates - the last CA to be removed will clear those out.  Since you already have a new root I believe it will still leave them behind even though it is Std ed.

>>Thanks for your assistance and patience in helping me understand this.
Anytime.  That's why I'm here.  I deal with PKI for a living, I might as well use the knowledge as best I can.
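The answer above rests on the fact that templates, enrollment-service records and forest-wide trusted roots are objects in the AD configuration partition, independent of any one CA. The block below is an added example, not code from this thread, that inventories those objects read-only so you can see where a fresh CA's "8 templates" come from, which CAs are registered, which roots the GPO trust list is built from, and whether a CA still claims to publish a template that no longer exists (the autoenrollment confusion mentioned earlier). It assumes the ActiveDirectory module from RSAT and read access to the configuration partition; the function names are my own.

```powershell
# Added example, not code from the thread: read-only inventory of the PKI objects
# that live in the AD configuration partition, which is where a freshly installed
# CA's "8 templates" and the forest-wide trusted roots come from.
# Assumes the ActiveDirectory module (RSAT) and read access to the partition.
Import-Module ActiveDirectory

$pks  = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

function Get-PkiTemplates {
    # Templates defined in AD; they exist independently of any CA and are only
    # cleaned up when the last CA is removed. Schema version: 1 = 2000-era,
    # 2 = 2003, 3 = 2008.
    Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties 'msPKI-Template-Schema-Version' |
    Select-Object Name, @{Name='SchemaVersion'; Expression={ $_.'msPKI-Template-Schema-Version' }}
}

function Get-PkiEnrollmentServices {
    # Enterprise CAs registered in AD and the template names each one publishes;
    # this list is what autoenrollment consults when picking a CA to ask.
    Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName, certificateTemplates |
    Select-Object Name, dNSHostName, @{Name='Templates'; Expression={ @($_.certificateTemplates) }}
}

function Get-PkiTrustedRoots {
    # Root CA certificates trusted forest-wide (the source of the Trusted Root
    # entries the domain GPO pushes to every member).
    Get-ADObject -SearchBase "CN=Certification Authorities,$pks" `
        -LDAPFilter '(objectClass=certificationAuthority)' -Properties cACertificate |
    ForEach-Object {
        $values = $_.cACertificate
        if ($values -is [byte[]]) { $values = @(,$values) }   # a single value arrives as one byte[]
        foreach ($der in $values) {
            $cert = New-Object $x509 -ArgumentList (,[byte[]]$der)
            New-Object psobject -Property @{
                Container = $_.Name;        Subject    = $cert.Subject
                NotAfter  = $cert.NotAfter; Thumbprint = $cert.Thumbprint
            }
        }
    }
}

function Find-StaleTemplateReferences {
    # Templates a CA still claims to publish but which no longer exist in AD;
    # these are the leftovers worth unpublishing from the CA MMC.
    $defined = @(Get-PkiTemplates | ForEach-Object { $_.Name })
    foreach ($ca in Get-PkiEnrollmentServices) {
        foreach ($t in $ca.Templates) {
            if ($defined -notcontains $t) {
                New-Object psobject -Property @{ CA = $ca.Name; MissingTemplate = $t }
            }
        }
    }
}

"Forest mode: {0}   Domain mode: {1}" -f (Get-ADForest).ForestMode, (Get-ADDomain).DomainMode
Get-PkiTemplates             | Format-Table -AutoSize
Get-PkiEnrollmentServices    | Select-Object Name, dNSHostName,
    @{Name='Templates'; Expression={ $_.Templates -join ', ' }} | Format-Table -AutoSize
Get-PkiTrustedRoots          | Format-Table Container, Subject, NotAfter, Thumbprint -AutoSize
Find-StaleTemplateReferences | Format-Table -AutoSize
```

Two things to look for in the output: an old root that still appears under Certification Authorities after you have removed it from the GPO, and an enrollment-service record for a CA that no longer exists, both of which keep clients guessing about where to enroll.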
IT-Monkey-Dave (Author) commented:
"You should revoke all certs issued under the previous subordinate CA servers, open CA MMC - properties of Revoked Certificates and extend the CRL lifetime to the expiration date of the CA cert, then issue one last CRL"
Another dumb question.  Is the "CRL Lifetime" equal to the CRL publication interval?  For example if the base CRL is published weekly, its lifetime is 7 days.  You're saying publish a "final" base CRL with an interval period long enough to equal or exceed the issued certificate(s) with the farthest-out expiration date?  Or should the interval cover the root certificate's expiration date (which is far longer than any actual issued certs).
Once the above is done on a subordinate CA (all issued certs marked as revoked, new longer CRL Publication Interval set, final CRL published), when is it safe to decommission that sub CA?  Only after the old root CA has also gone through the same process?
Paranormastic (Cryptographic Engineer) commented:
>>Is the "CRL Lifetime" equal to the CRL publication interval?

The CRL can only be as long as the CA certificate's validity period - trying to do it for longer will truncate it to the expiration date.  You should do one from the root and the sub CA.

You can decom before or after revoking the sub from the root.
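Once the final CRL is published, it is worth verifying where its NextUpdate actually landed, since, as the answer above says, the CA caps it at the CA certificate's own expiry no matter what period you configured. The block below is an added example, not code from this thread, that compares a copied CRL with its CA certificate and, optionally, with the latest expiry among the certificates that CA issued. The file paths are placeholders, and it assumes that "certutil -dump" of a CRL prints ThisUpdate:/NextUpdate: lines whose dates parse in the current locale.

```powershell
# Added example, not code from the thread: checks a published "final" CRL
# against its CA certificate, to see where NextUpdate landed after the CA
# capped it at the CA certificate's expiry, and whether it still covers the
# farthest-out certificate that CA issued. Paths are placeholders.
# Assumption: "certutil -dump" prints ThisUpdate:/NextUpdate: lines for a CRL
# and the dates parse in the current locale.
param(
    [string]$CrlPath    = 'C:\CDP\OldSubCA.crl',           # placeholder
    [string]$CACertPath = 'C:\CDP\OldSubCA.crt',           # placeholder
    [datetime]$LatestIssuedNotAfter = [datetime]::MinValue # optional: last expiry among issued certs
)

function Get-CrlValidity {
    # Pull ThisUpdate / NextUpdate out of certutil's text dump of the CRL.
    param([string]$Path)
    $found = @{}
    foreach ($line in (certutil -dump $Path)) {
        if ($line -match '^\s*(ThisUpdate|NextUpdate):\s*(.+?)\s*$') {
            $found[$Matches[1]] = [datetime]::Parse($Matches[2])
        }
    }
    if (-not $found.ContainsKey('NextUpdate')) { throw "No NextUpdate in certutil -dump output for $Path" }
    New-Object psobject -Property $found
}

function Test-FinalCrl {
    # Returns one line per finding so the result can be read or logged.
    param([string]$Crl, [string]$CACert, [datetime]$LatestIssued)
    $v  = Get-CrlValidity -Path $Crl
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CACert
    $findings = @()
    if ($v.NextUpdate -gt $ca.NotAfter) {
        $findings += 'NextUpdate is after the CA certificate expiry (unexpected; the CA normally caps it there)'
    } else {
        $findings += ('NextUpdate {0:g} is {1:N0} day(s) before CA expiry {2:g}' -f
                      $v.NextUpdate, ($ca.NotAfter - $v.NextUpdate).TotalDays, $ca.NotAfter)
    }
    if ($LatestIssued -ne [datetime]::MinValue) {
        if ($v.NextUpdate -lt $LatestIssued) {
            $findings += ('CRL runs out {0:g}, before the last issued certificate expires {1:g}; ' +
                          'relying parties will see revocation status as unavailable after that' -f
                          $v.NextUpdate, $LatestIssued)
        } else {
            $findings += 'CRL outlives every certificate the CA issued'
        }
    }
    if ($v.NextUpdate -lt (Get-Date)) { $findings += 'CRL has already expired' }
    $findings
}

Test-FinalCrl -Crl $CrlPath -CACert $CACertPath -LatestIssued $LatestIssuedNotAfter
```

Run it against the copy of the CRL sitting at each CDP location rather than the one in the CA's local CertEnroll folder, so you are checking what relying parties will actually fetch.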
IT-Monkey-Dave (Author) commented:
I've had to extrapolate from your response to fit our exact situation.  However your input has been a huge help and I'm finally seeing a clear path to getting this resolved once and for all.  Thanks.

'Course that's not to say I won't ever post again on this topic.  lol.