Solved

RUNNING TWO ENTERPRISE ROOT CA'S ON THE SAME NETWORK

Posted on 2009-07-10
324 Views
Last Modified: 2012-05-07
Hello, I have an MS enterprise root CA that is about to expire. I have a lot of VPN clients with certificates on this CA. Is it possible to run a parallel MS enterprise root CA on another server on the domain and steadily migrate my clients over before the expiration date? Would this cause any issues I'm not aware of?

Thanks in advance

Zack
Question by:DOCDGA
1 Comment
 
LVL 31

Accepted Solution

by: Paranormastic (earned 500 total points)
ID: 24839945
Yes, it is possible. If you were thinking of changing your PKI, now would be the time to do it. If you weren't, it is not necessary to set up a new root: you can renew the root certificate within the CA console or using certutil -renewcert, and the old certs will still be valid. You will have two CRLs to publish for a brief time during the overlap period; the new one will have a (1) at the end of the filename before the .crl extension.

Remember to update your AIA location(s) with the new CA cert.  Also remember to make a fresh backup of your CA database, the new private key, and the first new CRL to store off-server (e.g. floppy or flash drive) locked up for emergency recovery.

Also note that all of the certs that were issued will expire on or before the same time as the root.

If any of the certs were issued to your DC, you will need to reboot the DC for the new cert to go into use instead of the cached copy.

When you are ready to remove the old root:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250
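The in-place renewal path the accepted answer describes, as an added example that is not part of the original answer or of any Microsoft documentation: it takes the pre-renewal backup, renews the root CA certificate with certutil, publishes the first new CRL, and then lists the artefacts you should expect to see (the renewed .crt and the "(1)" CRL). The backup path, the CertEnroll location and the assumption that the renewed certificate is the newest .crt in CertEnroll are mine; adjust them for your CA. The script is run in an elevated PowerShell session on the CA server itself.

```powershell
# Added example, not code from the original answer. Assumes it runs elevated on the
# enterprise root CA and that the paths below are correct for your server.
$BackupDir = 'E:\CA-backup\pre-renew-' + (Get-Date -Format 'yyyyMMdd')   # assumed path; keep a copy off-server
$CrlDir    = "$env:SystemRoot\System32\CertSrv\CertEnroll"               # default CertEnroll folder

# 1. Back up the CA database and private key BEFORE renewing (certutil prompts for a
#    password to protect the exported key). This copy goes into the locked-up store.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
certutil -backup $BackupDir

# 2. Renew the root CA certificate with a NEW key pair. Omitting ReuseKeys is what
#    produces the second, "(1)"-suffixed CRL the answer mentions, because CRLs are
#    signed per key. Use "certutil -renewCert ReuseKeys" to keep the existing key
#    (then there is only one CRL to publish).
certutil -renewCert

# 3. Make sure the CA service has loaded the renewed certificate, then publish the
#    first CRL signed by the new key. Back this CRL up alongside the database.
Restart-Service -Name certsvc
certutil -CRL
Copy-Item -Path (Join-Path $CrlDir '*.crl') -Destination $BackupDir

# 4. Expect two CRLs during the overlap: <CAName>.crl (old key) and <CAName>(1).crl (new key).
Get-ChildItem -Path $CrlDir -Filter '*.crl' | Select-Object Name, LastWriteTime

# 5. Show where the CA publishes its CRL and its own certificate (the AIA locations the
#    answer says must carry the new CA cert). Review these against where clients look.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 6. Republish the renewed root certificate to AD so domain members receive it on the
#    next Group Policy refresh. Assumption: the renewed cert is the newest .crt in CertEnroll.
$newRoot = Get-ChildItem -Path $CrlDir -Filter '*.crt' |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dspublish -f $newRoot.FullName RootCA

# 7. Verify the renewed certificate and confirm its CDP/AIA URLs actually resolve.
certutil -verify -urlfetch $newRoot.FullName
```

Step 7 is the check worth keeping: if the AIA or CDP URLs embedded in issued certificates cannot be fetched after the renewal, VPN clients will fail revocation checking even though the root itself is still valid.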
