Moving AD Certificate Authority
Posted on 2009-06-30
I've previously posted a related question on this topic but haven't resolved things yet and in the meantime the issue has kind of morphed into something a little different. So I'm going to try again.
Here's the CA setup as it exists now:
* Old-AD-RootCA (Win Server 2008 Std, moved from 2003 Std, not 100% successfully)
-- Old Subordinate CA #1 (Win 2003 Std, Domain Controller)
-- Old Subordinate CA #2 (Exchange 2003 server, not a domain controller)
* New-AD-RootCA (Win Server 2008 Std, not a d/c, healthy CA)
Yes, I have 2 CAs in AD. Bad.
The old CAs are working etc. even though the old root CA's templates are messed up and I don't know how to fix it. The new CA is working, can issue new certificates. Both the old CA and the new CA are in AD as Trusted Root Certification Authorities for the domain.
We don't need a complex PKI setup. We're not using EFS. A single-tier CA seems fine to me, although I may need the Exchange server as a subordinate to the new CA because of Outlook Web Access via ISA server.
OK, so what I want to do seems simple in concept but I don't know how to execute it seamlessly. At the simplest level I want to revoke all current client & non-DC machine certificates that were issued by the old root CA, and have the clients & machines automatically obtain new certificates from the new CA as needed. Presumably I also need to issue new certificates to domain controllers somehow. BTW, AD GPO is set up for auto-enrollment in the default domain policy.
If I remove the old root CA from the Trusted Root Certification Authorities in AD GPO, leaving only the new root CA, will the migration eventually take place on its own? Can I speed it up by manually revoking the old certificates? Do I do that before, or after, deleting the old CA from GPO? Seems like I would need to have the old CA available for the CRL to work correctly.
And how do I "retarget" a subordinate CA to the new root CA? I have to revoke all the certificates the subordinates have issued too, right?
And what do I do about templates? The whole template issue eludes me, and keep in mind templates are "broken" for the old root CA too.
Any advice will be greatly appreciated. Thanks. I know this is kind of a mess.
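Before pulling the old root out of the Trusted Root Certification Authorities GPO, it helps to know which certificates on a machine still chain to it. The following audit script is an added example, not code from the original post; it assumes you have looked up the thumbprints of the old and new root CA certificates (the two values at the top are placeholders to replace) and that the certificate store is the local machine's personal store.

```powershell
# Placeholders: replace with the real thumbprints of Old-AD-RootCA and New-AD-RootCA
# (certutil -store Root lists them).
$OldRootThumbprint = 'PLACEHOLDER_OLD_ROOT_THUMBPRINT'
$NewRootThumbprint = 'PLACEHOLDER_NEW_ROOT_THUMBPRINT'

# Template information lives in one of two extensions: v1 templates use
# 1.3.6.1.4.1.311.20.2, v2 templates use 1.3.6.1.4.1.311.21.7.
$TemplateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

# Walk every certificate in LocalMachine\My, build its chain, and record which
# root it ends at, so you can see what still depends on the old CA.
$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # This is an inventory, not a revocation check, so do not fetch CRLs here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $state = switch ($root.Thumbprint) {
        $OldRootThumbprint { 'OLD-ROOT (re-enroll before removing trust)' }
        $NewRootThumbprint { 'NEW-ROOT (ok)' }
        default            { 'OTHER/UNTRUSTED' }
    }

    $tmplExt = $cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value }
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(none)' }

    New-Object PSObject -Property @{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        Template = $template
        NotAfter = $cert.NotAfter
        ChainsTo = $state
    }
    $chain.Reset()
}

$report | Sort-Object ChainsTo | Format-Table ChainsTo, Subject, Issuer, Template, NotAfter -AutoSize

# Once the old certificates are revoked and the GPO trust is changed, this
# forces an autoenrollment pass instead of waiting for the next policy refresh:
# certutil -pulse
```

Run it on a domain controller and on the Exchange server as well, since those hold the certificates the post is most uncertain about.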