Solved

RUNNING TWO ENTERPRISE ROOT CAS ON THE SAME NETWORK

Posted on 2009-07-10
1
326 Views
Last Modified: 2012-05-07
Hello, I have an MS enterprise root CA that is about to expire. I have a lot of VPN clients with certificates on this CA. Is it possible to run a parallel MS enterprise root CA on another server on the domain and steadily migrate my clients over before the expiration date? Would this cause any issues I'm not aware of?

Thanks in advance

Zack
0
Question by:DOCDGA
1 Comment
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24839945
Yes, it is possible. If you were thinking of changing your PKI, now would be the time to do it. If you weren't, it is not necessary to set up a new root - you can renew the root certificate within the CA console or using certutil -renewcert, and the old certs will still be valid. You will have two CRLs to publish for a brief time during the overlap period; the new one will have a (1) at the end of the filename before the .crl extension.

Remember to update your AIA location(s) with the new CA cert.  Also remember to make a fresh backup of your CA database, the new private key, and the first new CRL to store off-server (e.g. floppy or flash drive) locked up for emergency recovery.

Also note that all of the certs that were issued will expire on or before the same time as the root.

If any of the certs were issued to your DC, you will need to reboot the DC for the new cert to go into use instead of the cached copy.

When you are ready to remove the old root:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250
0
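An added inventory script to go with the answer above (it is not from the thread's author). It lists the trusted roots grouped by subject, so a renewed root sitting next to the expiring one is visible, and then walks the end-entity certs (such as the VPN client certs) to show which root each one chains to and whether any cert outlives its root. Assumptions: a domain-joined Windows host with PowerShell 3 or later, and the 90-day warning window is an arbitrary choice.

```powershell
# Added example, not from the original thread. Assumes a Windows host with
# PowerShell 3+; $WarnDays is an arbitrary threshold, adjust to taste.
param([int]$WarnDays = 90)

$now = Get-Date

# 1. Trusted roots: a renewed enterprise root keeps the same subject, so more than
#    one entry per subject means the old and new CA certificates are both present.
$roots = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Group-Object -Property Subject |
    ForEach-Object {
        $byExpiry = $_.Group | Sort-Object -Property NotAfter
        $daysLeft = [int]($byExpiry[0].NotAfter - $now).TotalDays
        $status   = if ($daysLeft -lt 0) { 'EXPIRED' }
                    elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                    else { 'OK' }
        [pscustomobject]@{
            Subject  = $_.Name
            Versions = $_.Count
            Earliest = $byExpiry[0].NotAfter
            Latest   = $byExpiry[-1].NotAfter
            Status   = $status
        }
    }
$roots | Sort-Object -Property Earliest | Format-Table -AutoSize

# 2. End-entity certs (e.g. VPN client certs): build each chain and record which
#    root it lands on, so certs still anchored to the expiring root can be found.
$leafs = foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    foreach ($cert in (Get-ChildItem -Path $store)) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # inventory only, no CRL fetch
        $built = $chain.Build($cert)
        if ($chain.ChainElements.Count -eq 0) { continue }  # nothing to report
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Store          = $store
            Subject        = $cert.Subject
            NotAfter       = $cert.NotAfter
            ChainOK        = $built
            RootThumbprint = $root.Thumbprint
            RootNotAfter   = $root.NotAfter
            # Issued certs should never outlive their root; flag any that do.
            OutlivesRoot   = ($cert.NotAfter -gt $root.NotAfter)
        }
        $chain.Reset()
    }
}
$leafs | Sort-Object -Property RootThumbprint, NotAfter | Format-Table -AutoSize
```

Run it on the CA and on a sample of VPN clients before and after the renewal: the root table should show two versions of the enterprise root during the overlap, and the leaf table shows which clients still chain to the old thumbprint.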

