IT-Monkey-Dave asked:
Moving AD Certificate Authority

I've previously posted a related question on this topic but haven't resolved things yet and in the meantime the issue has kind of morphed into something a little different.  So I'm going to try again.

Here's the CA setup as it exists now:

* Old-AD-RootCA (Win Server 2008 Std, moved from 2003 Std, not 100% successfully)
   -- Old Subordinate CA #1 (Win 2003 Std, Domain Controller)
   -- Old Subordinate CA #2 (Exchange 2003 server, not a domain controller)
* New-AD-RootCA (Win Server 2008 Std, not a d/c, healthy CA)

Yes I have 2 CAs in AD.  Bad.

The old CAs are working etc. even though the old root CA's templates are messed up and I don't know how to fix it.  The new CA is working, can issue new certificates.  Both the old CA and the new CA are in AD as Trusted Root Certification Authorities for the domain.

We don't need a complex PKI setup.  We're not using EFS.  A single-tier CA seems fine to me, although I may need the Exchange server as a subordinate to the new CA because of Outlook Web Access via ISA server.  

OK, so what I want to do seems simple in concept but I don't know how to execute it seamlessly.  At the simplest level I want to revoke all current client & non-DC machine certificates that were issued by the old root CA, and have the clients & machines automatically obtain new certificates from the new CA as needed.  Presumably I also need to issue new certificates to domain controllers somehow.  BTW, AD GPO is set up for auto-enrollment in the default domain policy.

If I remove the old root CA from the Trusted Root Certificate Authorities in AD GPO, leaving only the new root CA, will the migration eventually take place on its own?  Can I speed it up by manually revoking the old certificates?  Do I do that before, or after, deleting the old CA from GPO?  Seems like I would need to have the old CA available for CRL to work correctly.

And how do I "retarget" a subordinate CA to the new root CA?  I have to revoke all the certificates the subordinates have issued too, right?

And what do I do about templates?  The whole template issue eludes me, and keep in mind templates are "broken" for the old root CA too.

Any advice will be greatly appreciated.  Thanks.  I know this is kind of a mess.
ASKER CERTIFIED SOLUTION (Paranormastic)
IT-Monkey-Dave (ASKER):
Some additional background info regarding Enterprise Edition & Standard Edition, and templates...
The domain was originally created using Windows 2000 Enterprise Edition.  I believe that's where the domain's original CA was, but am not positive.  Somewhere along the way the CA "migrated" (correctly or not) from Server 2000 Enterprise to Server 2003 Std and had worked ok that way for several years.
A few months ago I migrated the CA from the old 2003 server to 2008, apparently not entirely successfully.  Anyway I guess the point is Enterprise Edition was initially a factor, but isn't now.  There is currently no Enterprise Edition remaining of any release.  Only 2003 and 2008 Standard.
Does this mean there are templates associated with issued certificates, but no CA now that can manage the templates?  If I revoke all old certificates, whether or not they're associated with an old certificate authority that did or did not support templates, does the template issue become moot?
I must be dense (in fact I'm sure I am); I do not get the ramifications of the templates issue.  And when I do a fresh Certificate Services install on a 2008 Server Std. Edition domain member server, certsrv shows there are 8 Certificate Templates under the new CA.  Are those coming from objects already in AD?
Thanks for your assistance and patience in helping me understand this.
Paranormastic:
>>does the template issue become moot?
Pretty much, yes.  Unless you want to use templates again.  All that takes is installing a CA on Ent ed. OS for 03 or 08 and then opening up the Cert Templates MMC (certtmpl.msc); when it opens it runs a quick check and if templates are not there or are outdated will update them.   Also make sure your AD is at the highest functional level it can be so you can get the newest versions of certs (2000 = v1, 03 = v2, 08 = v3).  2003 is really the biggest improvement, 08 added some nice stuff but not nearly as dramatic a change as from 2k.

Templates are a convenient way to manage multiple types of certs.  If you just issue a couple basic types, there are a couple default types that you can use (user vs. machine pretty much) and you can use a request.inf file to be more specific than that if desired without using templates.  Templates are just so much easier, and allow for autoenrollment of your custom templates.

>> Are those coming from objects already in AD?
Yes.  As long as there is still a CA in AD then it will not wipe the templates - the last CA to be removed will clear those out.  Since you already have a new root I believe it will still leave them behind even though it is Std ed.

>>Thanks for your assistance and patience in helping me understand this.
Anytime.  That's why I'm here.  I deal with PKI for a living, I might as well use the knowledge as best I can.
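To make the "are those coming from objects already in AD?" point concrete, here is an added PowerShell example (not code from the thread or from either poster) that inventories the PKI objects Active Directory publishes in its Configuration partition: the enterprise CAs registered for enrollment, the forest-wide certificate templates with their schema version, and the root CAs published for trust. It assumes the ActiveDirectory module (RSAT) is installed and the account can read the Configuration naming context; the function name Get-AdPkiInventory is mine.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (RSAT) is installed and the caller can read the Configuration partition.
Import-Module ActiveDirectory

function Get-AdPkiInventory {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pks      = "CN=Public Key Services,CN=Services,$configNc"

    # Enrollment Services: one pKIEnrollmentService object per enterprise CA.
    # Two objects here is the "2 CAs in AD" situation from the question.
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -SearchScope OneLevel `
        -LDAPFilter "(objectClass=pKIEnrollmentService)" `
        -Properties dNSHostName, certificateTemplates

    # Certificate Templates exist once per forest, not per CA, so a freshly
    # installed enterprise CA immediately sees whatever templates already exist.
    $templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pks" -SearchScope OneLevel `
        -LDAPFilter "(objectClass=pKICertificateTemplate)" `
        -Properties 'msPKI-Template-Schema-Version'

    # Certification Authorities: root CA certificates published for forest-wide
    # trust (pushed into the Trusted Root store on domain members).
    $roots = Get-ADObject -SearchBase "CN=Certification Authorities,$pks" -SearchScope OneLevel `
        -LDAPFilter "(objectClass=certificationAuthority)"

    New-Object PSObject -Property @{
        EnrollmentServices = @($cas | ForEach-Object {
            New-Object PSObject -Property @{
                Name      = $_.Name
                Host      = $_.dNSHostName
                Templates = @($_.certificateTemplates)
            }
        })
        # Schema version 1 = Windows 2000 (v1) templates, 2 = 2003 (v2), 3 = 2008 (v3)
        Templates = @($templates | ForEach-Object {
            New-Object PSObject -Property @{
                Name          = $_.Name
                SchemaVersion = $_.'msPKI-Template-Schema-Version'
            }
        })
        TrustedRoots = @($roots | ForEach-Object { $_.Name })
    }
}

$inv = Get-AdPkiInventory
"Enterprise CAs registered in AD: $($inv.EnrollmentServices.Count)"
$inv.EnrollmentServices | Format-Table Name, Host, @{n='Templates'; e={ $_.Templates -join ', ' }} -AutoSize
"Templates in AD: $($inv.Templates.Count)"
$inv.Templates | Sort-Object Name | Format-Table Name, SchemaVersion -AutoSize
"Root CAs published in AD: " + ($inv.TrustedRoots -join ', ')
```

Each Enrollment Services object carries the list of templates that CA is configured to issue, so the output shows both which templates exist in the forest and which of them each CA (old and new) is actually offering; once the old CA's objects are gone from these containers, clients stop seeing it as an enrollment target.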
IT-Monkey-Dave (ASKER):
"You should revoke all certs issued under the previous subordinate CA servers, open CA MMC - properties of Revoked Certificates and extend the CRL lifetime to the expiration date of the CA cert, then issue one last CRL"
Another dumb question.  Is the "CRL Lifetime" equal to the CRL publication interval?  For example if the base CRL is published weekly, its lifetime is 7 days.  You're saying publish a "final" base CRL with an interval period long enough to equal or exceed the issued certificate(s) with the farthest-out expiration date?  Or should the interval cover the root certificate's expiration date (which is far longer than any actual issued certs)?
Once the above is done on a subordinate CA (all issued certs marked as revoked, new longer CRL Publication Interval set, final CRL published), when is it safe to decommission that sub CA?  Only after the old root CA has also gone through the same process?
Paranormastic:
>>Is the "CRL Lifetime" equal to the CRL publication interval?
Yes.

The CRL can only be as long as the CA certificate's validity period - trying to do it for longer will truncate it to the expiration date.  You should do one from the root and the sub CA.

You can decom before or after revoking the sub from the root.
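The wind-down sequence discussed above (revoke everything the retiring CA issued, stretch the base CRL lifetime to the CA certificate's own expiry, publish one last CRL), as an added PowerShell example that is not code from the thread or from either poster. It runs on the CA being retired and drives certutil.exe, which ships with the CA role; the function name Invoke-CaWindDown, the temp file path, and the assumption that certutil's CSV header for the serial column reads "Serial Number" are mine. Disposition 20 is the certutil database value for an issued certificate, and revocation reason 5 is CessationOfOperation. Nothing changes unless -Commit is passed; the default is a dry run.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the
# CA being retired. Assumes certutil.exe is on the path (it comes with the CA
# role) and that "certutil -view ... csv" is supported on this OS version.
function Invoke-CaWindDown {
    param(
        [switch]$Commit,
        # 5 = CessationOfOperation (CA being retired); 4 = Superseded is the
        # alternative when the certs are simply being reissued by the new CA.
        [int]$Reason = 5
    )

    # 1. Every certificate still in the "issued" state (Disposition 20).
    #    certutil appends a "CertUtil: ... completed successfully." line even
    #    in csv mode, so drop it before parsing.
    $csv = certutil -view -restrict "Disposition=20" -out "SerialNumber,RequesterName,NotAfter" csv |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' }
    $issued = @($csv | ConvertFrom-Csv)

    # 2. Read the CA's own certificate: a CRL cannot outlive the CA certificate
    #    (certutil silently truncates to that date), so it sets the ceiling.
    $caCertFile = Join-Path $env:TEMP "retiring-ca.cer"   # assumed scratch path
    certutil -ca.cert $caCertFile | Out-Null
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile
    $daysLeft = [int][math]::Floor(($caCert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt 1) { throw "CA certificate already expired ($($caCert.NotAfter)); nothing to publish." }

    "CA certificate '$($caCert.Subject)' expires $($caCert.NotAfter); final CRL would be valid $daysLeft days."
    "Certificates to revoke: $($issued.Count)"
    $issued | Format-Table -AutoSize

    if (-not $Commit) { "Dry run only; re-run with -Commit to revoke and publish."; return }

    # 3. Revoke each issued certificate by serial number.
    foreach ($row in $issued) {
        # Take the first column rather than depend on the exact header text
        # (assumed to be "Serial Number"); strip any whitespace in the hex string.
        $serial = (($row.PSObject.Properties | Select-Object -First 1).Value) -replace '\s', ''
        certutil -revoke $serial $Reason | Out-Null
    }

    # 4. Stretch the base CRL to the CA cert's remaining life and turn off delta
    #    CRLs, so clients that still trust the old root can keep checking
    #    revocation after the CA host itself is gone.
    certutil -setreg CA\CRLPeriodUnits $daysLeft | Out-Null
    certutil -setreg CA\CRLPeriod "Days"         | Out-Null
    certutil -setreg CA\CRLDeltaPeriodUnits 0    | Out-Null
    Restart-Service CertSvc    # registry changes take effect on service restart

    # 5. Publish the final base CRL and echo the period that was applied.
    certutil -CRL | Out-Null
    certutil -getreg CA\CRLPeriodUnits
}

Invoke-CaWindDown            # dry run: lists what would be revoked and the CRL ceiling
# Invoke-CaWindDown -Commit  # revoke, reconfigure, and publish the final CRL
```

Do the same on both the subordinate and the root, as the reply says. Before the retired server is switched off, make sure that final CRL has actually reached every CRL distribution point the old certificates name (the LDAP, HTTP or file locations), since that is the only copy clients will have left to consult.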
IT-Monkey-Dave (ASKER):
I've had to extrapolate from your response to fit our exact situation.  However your input has been a huge help and I'm finally seeing a clear path to getting this resolved once and for all.  Thanks.

'Course that's not to say I won't ever post again on this topic.  lol.