Moving AD Certificate Authority

Posted on 2009-06-30
Medium Priority
Last Modified: 2012-05-07
I've previously posted a related question on this topic but haven't resolved things yet and in the meantime the issue has kind of morphed into something a little different.  So I'm going to try again.

Here's the CA setup as it exists now:

* Old-AD-RootCA (Win Server 2008 Std, moved from 2003 Std, not 100% successfully)
   -- Old Subordinate CA #1 (Win 2003 Std, Domain Controller)
   -- Old Subordinate CA #2 (Exchange 2003 server, not a domain controller)
* New-AD-RootCA (Win Server 2008 Std, not a d/c, healthy CA)

Yes I have 2 CAs in AD.  Bad.

The old CAs are working etc. even though the old root CA's templates are messed up and I don't know how to fix it.  The new CA is working, can issue new certificates.  Both the old CA and the new CA are in AD as Trusted Root Certification Authorities for the domain.

We don't need a complex PKI setup.  We're not using EFS.  A single-tier CA seems fine to me, although I may need the Exchange server as a subordinate to the new CA because of Outlook Web Access via ISA server.  

OK, so what I want to do seems simple in concept but I don't know how to execute it seamlessly.  At the simplest level I want to revoke all current client & non-DC machine certificates that were issued by the old root CA, and have the clients & machines automatically obtain new certificates from the new CA as needed.  Presumably I also need to issue new certificates to domain controllers somehow.  BTW, AD GPO is set up for auto-enrollment in the default domain policy.

If I remove the old root CA from the Trusted Root Certificate Authorities in AD GPO, leaving only the new root CA, will the migration eventually take place on its own?  Can I speed it up by manually revoking the old certificates?  Do I do that before, or after, deleting the old CA from GPO?  Seems like I would need to have the old CA available for the CRL to work correctly.

And how do I "retarget" a subordinate CA to the new root CA?  I have to revoke all the certificates the subordinates have issued too, right?

And what do I do about templates?  The whole template issue eludes me, and keep in mind templates are "broken" for the old root CA too.

Any advice will be greatly appreciated.  Thanks.  I know this is kind of a mess.
Question by:IT-Monkey-Dave
LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 24748990
>> the old root CA's templates are messed up
-- With standard edition you don't have template access, you need enterprise edition OS

>> although I may need the Exchange server as a subordinate to the new CA because of Outlook Web Access via ISA server
-- Irrelevant.  You don't need to have a CA set up on your Exchange box.  
However, I do recommend having a 2nd tier CA set up so you can have the root offline, but have it on a less used box as you really don't want to share your Exchange with anything else if you can help it.  Pick something running Enterprise Edition if possible so you can take advantage of templates and other things.  I recommended the root to be Standard Edition before because it does not need templates and such since its purpose is to manage the issuing Enterprise Subordinate CA.  If you are thinking of just upgrading the Std to Ent for the CA, either fresh install or let me know if you are going to in-place upgrade the edition, as there is something special you need to do if you change the SKU on a CA.

AD GPO does not make all certs autoenrolled - also make sure to check the templates' permissions to make sure read, enroll, autoenroll are selected.

Go ahead and remove root from GPO first.  Also, issue the templates from the CA MMC - certificate templates folder - all tasks - new template to issue - and assign the desired templates (is ok if still in use on other CA).  Then delete the templates from any of the old issuing CA servers in the CA MMC to 'unissue' (do not delete from Certificate Templates MMC or they will be actually deleted).  Makes it less confusing for autoenrollment to figure out where to go.

After all that, then start revoking.  If you are going to move any of the existing CA servers under the new root, this would be the time to do it.  You should revoke all certs issued under the previous subordinate CA servers, open CA MMC - properties of Revoked Certificates and extend the CRL lifetime to the expiration date of the CA cert, then issue one last CRL and copy that to the CDP locations.  Repeat on the root to revoke the sub CA certs.  You cannot revoke the root cert.

For your DC servers do this
certutil -dcinfo deletebad       ; this will clear out invalid certs that are now revoked
certutil -pulse        ; this will check for autoenrollment events to get new cert from new CA
then reboot the DC - this is required to start using the new certificate instead of the cached version of the old one.  Consider rolling reboots since these are DCs, just to be safe.

After DCs are back up, run certutil -pulse and/or reboot (note certutil is not on XP, need to get 2003 adminpak).  I would plan to just reboot everything, personally (send an email to your users to power down that night, when they come in they will get updated).

Don't plan to try to transfer the old CA over to the new root CA, there is no point to it.  You can uninstall cert services and reinstall it clean on the same box if you wish to reuse it.  Here is a basic setup guide:

Don't worry about the online responder (OCSP) stuff in there.  It's pretty cool but it can wait if you really want to do that some day, and if you are a smaller company then it just isn't worth it in most cases.

Make sure to run a full backup of each machine including system state before doing any of this stuff, just in case.

Hopefully I answered all your questions, if not just let me know what you aren't sure about.
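The domain controller steps in the accepted answer (certutil -dcinfo deletebad, certutil -pulse, then reboot), wrapped in a PowerShell script as an added example; this is not the expert's own script. It first reports which LocalMachine\My certificates still chain to the old root, does nothing unless run with -Apply, and re-checks afterwards. The old root's subject DN ('CN=Old-AD-RootCA') is a placeholder assumption to replace with the real one.

```powershell
# Added example, not the expert's own commands: inventory which machine certificates on
# this DC chain up to the old root CA, then run the two certutil steps from the answer
# and re-check. Run elevated on the domain controller; reboot afterwards as advised.
# Assumption (placeholder): the old root CA's subject DN is 'CN=Old-AD-RootCA'.
param(
    [string]$OldRootSubject = 'CN=Old-AD-RootCA',
    [switch]$Apply   # without -Apply the script only reports and changes nothing
)

function Get-CertsIssuedUnderRoot {
    # Return the LocalMachine\My certificates whose chain terminates at $RootSubject.
    param([string]$RootSubject)
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation state is not the point here; we only want to see which root anchors the chain.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($_)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $top.Subject -eq $RootSubject
    }
}

$before = @(Get-CertsIssuedUnderRoot -RootSubject $OldRootSubject)
Write-Host ("{0} certificate(s) in LocalMachine\My chain to '{1}':" -f $before.Count, $OldRootSubject)
$before | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host 'Report only. Re-run with -Apply to clean up and trigger autoenrollment.'
    return
}

# Step 1 from the answer: drop DC certificates that no longer validate (e.g. revoked ones).
& certutil.exe -dcinfo deletebad
# Step 2 from the answer: trigger an autoenrollment pass so the DC requests a fresh
# certificate from the new CA.
& certutil.exe -pulse

# Give autoenrollment a moment, then see whether anything still hangs off the old root.
# If nothing new appears, the CertificateServicesClient-AutoEnrollment events in the
# Application log say why (typically template permissions, as the answer notes).
Start-Sleep -Seconds 30
$after = @(Get-CertsIssuedUnderRoot -RootSubject $OldRootSubject)
Write-Host ("Still chaining to the old root after cleanup: {0}" -f $after.Count)
Write-Host 'Reboot the DC now so services pick up the new certificate instead of the cached old one.'
```

Run it once without -Apply on each DC to see the inventory, then with -Apply as part of the rolling reboot the answer recommends. The script deliberately does not reboot for you.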

LVL 13

Author Comment

ID: 24749654
Some additional background info regarding Enterprise Edition & Standard Edition, and templates...
The domain was originally created using Windows 2000 Enterprise Edition.  I believe that's where the domain's original CA was, but am not positive.  Somewhere along the way the CA "migrated" (correctly or not) from Server 2000 Enterprise to Server 2003 Std and had worked ok that way for several years.
A few months ago I migrated the CA from the old 2003 server to 2008, apparently not entirely successfully.  Anyway I guess the point is Enterprise Edition was initially a factor, but isn't now.  There is currently no Enterprise Edition remaining of any release.  Only 2003 and 2008 Standard.
Does this mean there are templates associated with issued certificates, but no CA now that can manage the templates?  If I revoke all old certificates, whether or not they're associated with an old certificate authority that did or did not support templates, does the template issue become moot?
I must be dense (in fact I'm sure I am), I do not get the ramifications of the templates issue.  And when I do a fresh Certificate Services install on a 2008 Server Std. Edition domain member server, certsrv shows there are 8 Certificate Templates under the new CA.  Are those coming from objects already in AD?
Thanks for your assistance and patience in helping me understand this.
LVL 31

Expert Comment

ID: 24749961
>>does the template issue become moot?
Pretty much, yes.  Unless you want to use templates again.  All that takes is installing a CA on Ent ed. OS for 03 or 08 and then opening up Cert Templates MMC (certtmpl.msc); when it opens it runs a quick check and if templates are not there or are outdated will update them.   Also make sure your AD is at the highest functional level it can be so you can get the newest versions of certs (2000 = v1, 03 = v2, 08 = v3).  2003 is really the biggest improvement, 08 added some nice stuff but not nearly as dramatic a change as from 2k.

Templates are a convenient way to manage multiple types of certs.  If you just issue a couple basic types, there are a couple default types that you can use (user vs. machine pretty much) and you can use a request.inf file to be more specific than that if desired without using templates.  Templates are just so much easier, and allow for autoenrollment of your custom templates.

>> Are those coming from objects already in AD?
Yes.  As long as there is still a CA in AD then it will not wipe the templates - the last CA to be removed will clear those out.  Since you already have a new root I believe it will still leave them behind even though it is Std ed.

>>Thanks for your assistance and patience in helping me understand this.
Anytime.  That's why I'm here.  I deal with PKI for a living, I might as well use the knowledge as best I can.

LVL 13

Author Comment

ID: 24756322
"You should revoke all certs issued under the previous subordinate CA servers, open CA MMC - properties of Revoked Certificates and extend the CRL lifetime to the expiration date of the CA cert, then issue one last CRL"
Another dumb question.  Is the "CRL Lifetime" equal to the CRL publication interval?  For example if the base CRL is published weekly, its lifetime is 7 days.  You're saying publish a "final" base CRL with an interval period long enough to equal or exceed the issued certificate(s) with the farthest-out expiration date?  Or should the interval cover the root certificate's expiration date (which is far longer than any actual issued certs)?
Once the above is done on a subordinate CA (all issued certs marked as revoked, new longer CRL Publication Interval set, final CRL published), when is it safe to decommission that sub CA?  Only after the old root CA has also gone through the same process?
LVL 31

Expert Comment

ID: 24757855
>>Is the "CRL Lifetime" equal to the CRL publication interval?

The CRL can only be as long as the CA certificate's validity period - trying to do it for longer will truncate it to the expiration date.  You should do one from the root and the sub CA.

You can decom before or after revoking the sub from the root.
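The "one last CRL" procedure from the accepted answer and the lifetime cap the expert describes above (a CRL cannot outlive the CA certificate), as an added PowerShell example that is not the expert's own script. It reads the CA's own certificate to find its remaining validity, sets the base CRL period to exactly that many days, restarts CertSvc, publishes, and then dumps the new CRL to confirm its NextUpdate. Run it elevated on the CA being decommissioned; the CDP folder default is the standard CertEnroll path and is an assumption to adjust if yours differs.

```powershell
# Added example, not the expert's own commands: publish a final CRL on a CA that is being
# decommissioned, sized to the CA certificate's remaining validity, then verify NextUpdate.
# Run elevated on the CA itself. Assumes the default local CDP folder; adjust $CdpFolder if needed.
param(
    [string]$CdpFolder = "$env:windir\System32\CertSrv\CertEnroll",
    [switch]$Apply   # without -Apply nothing is changed; the script only shows what it would do
)

# 1. Read the CA's own certificate to learn how long it stays valid.
$caCertFile = Join-Path $env:TEMP 'ca-cert-for-crl-check.cer'
& certutil.exe -ca.cert $caCertFile | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile
$daysLeft = [int][math]::Ceiling(($caCert.NotAfter - (Get-Date)).TotalDays)
Write-Host ("CA cert '{0}' expires {1:u} ({2} days left)" -f $caCert.Subject, $caCert.NotAfter, $daysLeft)

if ($daysLeft -le 0) { throw 'CA certificate has already expired; a new CRL cannot outlive it.' }

if (-not $Apply) {
    Write-Host "Would set CRLPeriod to $daysLeft days, restart CertSvc and publish. Re-run with -Apply."
    return
}

# 2. Set the base CRL validity to the CA cert's remaining lifetime. As the answer says, anything
#    longer is truncated to the CA cert's expiry anyway, so this is the effective maximum.
& certutil.exe -setreg CA\CRLPeriodUnits $daysLeft
& certutil.exe -setreg CA\CRLPeriod "Days"
Restart-Service -Name CertSvc           # the new registry values are read at service start

# 3. Publish the final base CRL; CertSvc writes it to the local CDP folder. Copy it to any
#    other CDP locations (HTTP/LDAP) you publish to, as the answer instructs.
& certutil.exe -crl

# 4. Verify: the newest .crl in the CDP folder should carry a NextUpdate at, or just before,
#    the CA certificate's NotAfter.
$crl = Get-ChildItem -Path $CdpFolder -Filter '*.crl' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
$dump = & certutil.exe -dump $crl.FullName
$match = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
$nextUpdate = if ($match) { $match.Matches[0].Groups[1].Value } else { '(not found in dump)' }
Write-Host ("Published {0}; NextUpdate: {1}; CA cert NotAfter: {2:u}" -f $crl.Name, $nextUpdate, $caCert.NotAfter)
```

Run it without -Apply first to see the computed period. The same script applies on both the subordinate CA and the root, matching the answer's "repeat on the root" step; do the subordinate first so its certificate can still be revoked on the root afterwards.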
LVL 13

Author Closing Comment

ID: 31598459
I've had to extrapolate from your response to fit our exact situation.  However your input has been a huge help and I'm finally seeing a clear path to getting this resolved once and for all.  Thanks.

'Course that's not to say I won't ever post again on this topic.  lol.
