?
Solved

RUNNING TWO ENTERPRISE ROOT CA'S ON THE SAME NETWORK

Posted on 2009-07-10
1
Medium Priority
?
327 Views
Last Modified: 2012-05-07
Hello, I have an MS enterprise root CA that is about to expire. I have alot of VPN clients with certificates on this CA. Is it possible to run a parrallel MS enterprise root CA on another server on the domain and steadily migrate my clients over before the expiration date. Would this cause any issues I'm not aware of ?

Thanks in advance

Zack
0
Comment
Question by:DOCDGA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 31

Accepted Solution

by:
Paranormastic earned 2000 total points
ID: 24839945
Yes, it is possible.  If you were thinking of changing your PKI now would be the time to do it.  If you weren't, it is not necessary to set up a new root - you can renew the root certificate within the CA console or using certutil -renewcert and the old certs will still be valid.  You will have two CRLs to publish for a brief time during the overlap period, the new one will have a (1) at the end of the filename before the .crl extension.  

Remember to update your AIA location(s) with the new CA cert.  Also remember to make a fresh backup of your CA database, the new private key, and the first new CRL to store off-server (e.g. floppy or flash drive) locked up for emergency recovery.

Also note that all of the certs that were issued will all expire on or before the same time as the root.

If any of the certs were issued to your DC, you will need to reboot the DC for the new cert to go into use instead of the cached copy.

When you are ready to remove the old root:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction: Sometimes when I receive a call from my users to solve their problems it is very difficult for me to found their computer IP address. Even finding their computer Host to provide remote support can be a problem.  So I resorted to Goo…
Experts-Exchange users below are the steps you can follow to upgrade your Lync server to latest CU's or cumulative updates. Note: Perform it during non-production hours.   Step 1: Backup your lync and SQL server database. Follow below article: h…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question