Solved

Running two Enterprise root CAs on the same network

Posted on 2009-07-10
Last Modified: 2012-05-07
Hello, I have an MS enterprise root CA that is about to expire. I have a lot of VPN clients with certificates on this CA. Is it possible to run a parallel MS enterprise root CA on another server on the domain and steadily migrate my clients over before the expiration date? Would this cause any issues I'm not aware of?

Thanks in advance

Zack
Question by:DOCDGA
1 Comment
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24839945
Yes, it is possible. If you were thinking of changing your PKI, now would be the time to do it. If you weren't, it is not necessary to set up a new root - you can renew the root certificate within the CA console or using certutil -renewcert and the old certs will still be valid. You will have two CRLs to publish for a brief time during the overlap period; the new one will have a (1) at the end of the filename before the .crl extension.

Remember to update your AIA location(s) with the new CA cert.  Also remember to make a fresh backup of your CA database, the new private key, and the first new CRL to store off-server (e.g. floppy or flash drive) locked up for emergency recovery.

Also note that all of the certs that were issued will expire on or before the same time as the root.

If any of the certs were issued to your DC, you will need to reboot the DC for the new cert to go into use instead of the cached copy.

When you are ready to remove the old root:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250
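A post-renewal checklist script for the renew-in-place path the answer describes, added here as an example and not part of the thread. It assumes it runs in an elevated PowerShell on the CA server after `certutil -renewCert`; the backup location and the client-certificate file path are placeholders.

```powershell
# Added example (not from the thread): verify the state of an Enterprise root CA after renewal.
# Assumptions: run elevated on the CA itself; $BackupDir and $ClientCert are placeholders.
$BackupDir  = 'E:\CA-Backup\' + (Get-Date -Format 'yyyyMMdd')   # assumption: removable drive
$Password   = Read-Host -AsSecureString 'Backup password'        # protects the exported private key
$ClientCert = 'C:\Temp\existing-vpn-client.cer'                  # placeholder: a cert issued before renewal

# 1. After -renewCert the CA holds two self-signed CA certificates with private keys:
#    the expiring one and the renewed one. Show both so the overlap window is visible.
$caCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -eq $_.Issuer } |
    Sort-Object NotAfter
$caCerts | Format-Table Subject, Thumbprint, NotBefore, NotAfter -AutoSize
if (@($caCerts).Count -lt 2) {
    Write-Warning 'Only one root CA certificate found; the renewal has not produced a new one yet.'
}

# 2. AIA and CDP locations live in the CA registry. The new CA certificate must be copied
#    to every AIA URL listed, and the "(1)" CRL must be reachable at every CDP listed.
certutil -getreg CA\CACertPublicationURLs
certutil -getreg CA\CRLPublicationURLs

# 3. Publish a CRL now: the CA writes one per CA certificate, and the second file carries
#    "(1)" before ".crl", as the answer describes. List what landed in the default folder.
certutil -CRL | Out-Null
Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll" -Filter '*.crl' |
    Format-Table Name, LastWriteTime -AutoSize

# 4. A certificate issued under the old CA certificate must still chain and pass
#    revocation checking against the published CRL.
if (Test-Path $ClientCert) {
    certutil -verify -urlfetch $ClientCert | Select-String 'revocation check|CertUtil:'
}

# 5. Back up the CA database and the (new) private key to the off-server location,
#    and keep a copy of the first new CRLs with it, as the answer recommends.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
certutil -p $plain -backup $BackupDir
Copy-Item "$env:windir\System32\CertSrv\CertEnroll\*.crl" $BackupDir
```

Step 1 relies on the root CA certificates being the only self-signed certificates with private keys in the machine store, which is the normal case on a dedicated CA server.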
