Moving AD Certificate Authority

Posted on 2009-06-30
Last Modified: 2012-05-07
I've previously posted a related question on this topic but haven't resolved things yet and in the meantime the issue has kind of morphed into something a little different.  So I'm going to try again.

Here's the CA setup as it exists now:

* Old-AD-RootCA (Win Server 2008 Std, moved from 2003 Std, not 100% successfully)
   -- Old Subordinate CA #1 (Win 2003 Std, Domain Controller)
   -- Old Subordinate CA #2 (Exchange 2003 server, not a domain controller)
* New-AD-RootCA (Win Server 2008 Std, not a d/c, healthy CA)

Yes I have 2 CAs in AD.  Bad.

The old CAs are working etc. even though the old root CA's templates are messed up and I don't know how to fix it.  The new CA is working, can issue new certificates.  Both the old CA and the new CA are in AD as Trusted Root Certification Authorities for the domain.

We don't need a complex PKI setup.  We're not using EFS.  A single-tier CA seems fine to me, although I may need the Exchange server as a subordinate to the new CA because of Outlook Web Access via ISA server.  

OK, so what I want to do seems simple in concept but I don't know how to execute it seamlessly.  At the simplest level I want to revoke all current client & non-DC machine certificates that were issued by the old root CA, and have the clients & machines automatically obtain new certificates from the new CA as needed.  Presumably I also need to issue new certificates to domain controllers somehow.  BTW, AD GPO is set up for auto-enrollment in the default domain policy.

If I remove the old root CA from the Trusted Root Certificate Authorities in AD GPO, leaving only the new root CA, will the migration eventually take place on its own?  Can I speed it up by manually revoking the old certificates?  Do I do that before, or after, deleting the old CA from GPO?  Seems like I would need to have the old CA available for CRL to work correctly.

And how do I "retarget" a subordinate CA to the new root CA?  I have to revoke all the certificates the subordinates have issued too, right?

And what do I do about templates?  The whole template issue eludes me, and keep in mind templates are "broken" for the old root CA too.

Any advice will be greatly appreciated.  Thanks.  I know this is kind of a mess.
Question by: IT-Monkey-Dave

Accepted Solution
by: Paranormastic (earned 2000 total points)
ID: 24748990
>> the old root CA's templates are messed up
-- With standard edition you don't have template access, you need enterprise edition OS


>> although I may need the Exchange server as a subordinate to the new CA because of Outlook Web Access via ISA server
-- Irrelevant.  You don't need to have a CA set up on your Exchange box.  
However, I do recommend having a 2nd tier CA set up so you can have the root offline, but have it on a less used box as you really don't want to share your Exchange with anything else if you can help it.  Pick something running Enterprise edition if possible so you can take advantage of templates and other things.  I recommended the root to be Standard edition before because it does not need templates and such since its purpose is to manage the issuing Enterprise Subordinate CA.  If you are thinking of just upgrading the Std to Ent for the CA, either fresh install or let me know if you are going to in-place upgrade the edition, as there is something special you need to do if you change the SKU on a CA.


AD GPO does not make all certs autoenrolled - also make sure to check the templates' permissions to make sure read, enroll, autoenroll are selected.

Go ahead and remove root from GPO first.  Also, issue the templates from the CA MMC - certificate templates folder - all tasks - new template to issue - and assign the desired templates (is ok if still in use on other CA).  Then delete the templates from any of the old issuing CA servers in the CA MMC to 'unissue' (do not delete from Certificate Templates MMC or they will be actually deleted).  Makes it less confusing for autoenrollment to figure out where to go.

After all that, then start revoking.  If you are going to move any of the existing CA servers under the new root, this would be the time to do it.  You should revoke all certs issued under the previous subordinate CA servers, open CA MMC - properties of Revoked Certificates and extend the CRL lifetime to the expiration date of the CA cert, then issue one last CRL and copy that to the CDP locations.  Repeat on the root to revoke the sub CA certs.  You cannot revoke the root cert.

For your DC servers do this:
    certutil -dcinfo deletebad     ; this will clear out invalid certs that are now revoked
    certutil -pulse                ; this will check for autoenrollment events to get new cert from new CA
then reboot the DC - this is required to start using the new certificate instead of the cached version of the old one.  Consider rolling reboots since these are DCs, just to be safe.

After DCs are back up, run certutil -pulse and/or reboot (note certutil is not on XP, need to get 2003 adminpak).  I would plan to just reboot everything, personally (send an email to your users to power down that night, when they come in they will get updated).

Don't plan to try to transfer the old CA over to the new root CA, there is no point to it.  You can uninstall cert services and reinstall it clean on the same if you wish to reuse the box.  Here is a basic setup guide:
http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx#BKMK_BS2

Don't worry about the online responder (OCSP) stuff in there.  It's pretty cool but it can wait if you really want to do that some day, and if you are a smaller company then it just isn't worth it in most cases.

Make sure to run a full backup of each machine including system state before doing any of this stuff, just in case.

Hopefully I answered all your questions, if not just let me know what you aren't sure about.


Author Comment
by: IT-Monkey-Dave
ID: 24749654
Some additional background info regarding Enterprise Edition & Standard Edition, and templates...
The domain was originally created using Windows 2000 Enterprise Edition.  I believe that's where the domain's original CA was, but am not positive.  Somewhere along the way the CA "migrated" (correctly or not) from Server 2000 Enterprise to Server 2003 Std and had worked ok that way for several years.
A few months ago I migrated the CA from the old 2003 server to 2008, apparently not entirely successfully.  Anyway I guess the point is Enterprise Edition was initially a factor, but isn't now.  There is currently no Enterprise Edition remaining of any release.  Only 2003 and 2008 Standard.
Does this mean there are templates associated with issued certificates, but no CA now that can manage the templates?  If I revoke all old certificates, whether or not they're associated with an old certificate authority that did or did not support templates, does the template issue become moot?
I must be dense (in fact I'm sure I am); I do not get the ramifications of the templates issue.  And when I do a fresh Certificate Services install on a 2008 Server Std. Edition domain member server, certsrv shows there are 8 Certificate Templates under the new CA.  Are those coming from objects already in AD?
Thanks for your assistance and patience in helping me understand this.

Expert Comment
by: Paranormastic
ID: 24749961
>>does the template issue become moot?
Pretty much, yes.  Unless you want to use templates again.  All that takes is installing a CA on an Ent ed. OS for 03 or 08 and then opening up the Cert Templates MMC (certtmpl.msc); when it opens it runs a quick check and if templates are not there or are outdated it will update them.   Also make sure your AD is at the highest functional level it can be so you can get the newest versions of certs (2000 = v1, 03 = v2, 08 = v3).  2003 is really the biggest improvement, 08 added some nice stuff but not nearly as dramatic a change as from 2k.

Templates are a convenient way to manage multiple types of certs.  If you just issue a couple basic types, there are a couple default types that you can use (user vs. machine pretty much) and you can use a request.inf file to be more specific than that if desired without using templates.  Templates are just so much easier, and allow for autoenrollment of your custom templates.

>> Are those coming from objects already in AD?
Yes.  As long as there is still a CA in AD then it will not wipe the templates - the last CA to be removed will clear those out.  Since you already have a new root I believe it will still leave them behind even though it is Std ed.

>>Thanks for your assistance and patience in helping me understand this.
Anytime.  That's why I'm here.  I deal with PKI for a living, I might as well use the knowledge as best I can.

Author Comment
by: IT-Monkey-Dave
ID: 24756322
"You should revoke all certs issued under the previous subordinate CA servers, open CA MMC - properties of Revoked Certificates and extend the CRL lifetime to the expiration date of the CA cert, then issue one last CRL"
Another dumb question.  Is the "CRL Lifetime" equal to the CRL publication interval?  For example if the base CRL is published weekly, its lifetime is 7 days.  You're saying publish a "final" base CRL with an interval period long enough to equal or exceed the issued certificate(s) with the farthest-out expiration date?  Or should the interval cover the root certificate's expiration date (which is far longer than any actual issued certs)?
Once the above is done on a subordinate CA (all issued certs marked as revoked, new longer CRL Publication Interval set, final CRL published), when is it safe to decommission that sub CA?  Only after the old root CA has also gone through the same process?

Expert Comment
by: Paranormastic
ID: 24757855
>>Is the "CRL Lifetime" equal to the CRL publication interval?
Yes.

The CRL can only be as long as the CA certificate's validity period - trying to do it for longer will truncate it to the expiration date.  You should do one from the root and the sub CA.

You can decom before or after revoking the sub from the root.

Author Closing Comment
by: IT-Monkey-Dave
ID: 31598459
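The retirement steps from the accepted solution (revoke everything the old CA issued, stretch the CRL lifetime, publish one final CRL, copy it to the CDP, refresh the DCs) and the CRL-lifetime point from the reply just above (the CRL cannot outlive the CA certificate) put together as one PowerShell runbook. This is an added example, not code from the thread or from either participant. It assumes it is run in an elevated PowerShell on the CA being retired, that certutil.exe is present (Windows Server 2003/2008), and it uses a hypothetical placeholder for the CDP share path; the same script, minus the DC step, also applies on the old root when revoking the subordinate CA certificates.

```powershell
# Added example, not from the original thread: runbook for retiring an old
# issuing CA, following the steps given in the accepted solution.
# Assumptions (labelled): elevated PowerShell on the CA being retired;
# certutil.exe available; $CdpShare is a hypothetical placeholder path.
param(
    [string]$CdpShare = '\\PLACEHOLDER-WEBSERVER\pki'   # hypothetical CDP location
)
$ErrorActionPreference = 'Stop'

# Name of the active CA, from the Certificate Services registry configuration.
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active

# Step 1 - inventory every certificate still in the "issued" state (Disposition 20)
# and revoke it. Reason code 5 = CessationOfOperation: the CA is being retired,
# no key has been compromised, so the reason should say so.
$issued  = certutil -view -restrict "Disposition=20" -out "RequestID,SerialNumber"
$serials = $issued |
    Select-String -Pattern 'Serial Number:\s*"?([0-9A-Fa-f]+)"?' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
foreach ($serial in $serials) {
    Write-Host "Revoking $serial"
    certutil -revoke $serial 5 | Out-Null
}

# Step 2 - export the CA's own certificate and read its expiry. The CA truncates
# the CRL's NextUpdate to the CA certificate's NotAfter, so the CRL period is set
# to exactly the days remaining on the CA certificate.
$caCertFile = Join-Path $env:TEMP "$caName.cer"
certutil -ca.cert "$caCertFile" | Out-Null
$caCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$caCertFile"
$daysLeft = [int][math]::Ceiling(($caCert.NotAfter - (Get-Date)).TotalDays)

certutil -setreg CA\CRLPeriod "Days"         | Out-Null
certutil -setreg CA\CRLPeriodUnits $daysLeft | Out-Null
certutil -setreg CA\CRLDeltaPeriodUnits 0    | Out-Null   # no delta CRLs after the final base CRL
Restart-Service certsvc                                   # -setreg changes apply on service restart

# Step 3 - publish the final base CRL and show its NextUpdate beside the CA
# certificate's NotAfter, so the truncation point is visible before decommissioning.
certutil -crl | Out-Null
$crlPath = Join-Path "$env:SystemRoot\System32\CertSrv\CertEnroll" "$caName.crl"
$nextUpdateLine = certutil -dump "$crlPath" | Select-String 'NextUpdate:'
Write-Host "Final CRL: $crlPath"
Write-Host "  $nextUpdateLine"
Write-Host "  CA certificate NotAfter: $($caCert.NotAfter)"

# Step 4 - copy the final CRL to the CDP location named in the issued certificates,
# so clients can keep checking revocation after this server is gone.
Copy-Item "$crlPath" -Destination $CdpShare -Force

# Step 5 - on each domain controller (not on this CA), one DC at a time, run the
# two commands from the accepted solution and then reboot the DC:
#     certutil -dcinfo deletebad     # drop the DC certificates that are now revoked
#     certutil -pulse                # trigger autoenrollment against the new CA
```

Run it on the subordinate first and then on the old root, where Step 1 revokes the subordinate CA certificates; leave the CDP copy in place for as long as the old CA certificate itself is valid, since that is the date the final CRL's NextUpdate will carry.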
I've had to extrapolate from your response to fit our exact situation.  However your input has been a huge help and I'm finally seeing a clear path to getting this resolved once and for all.  Thanks.

'Course that's not to say I won't ever post again on this topic.  lol.