mbromb

asked on

Windows Certificate Authority move from 2003 to 2008

I'm migrating our older Windows 2003 DCs to our new 2008. I want to bring up a new CA on one of the new 2008 DCs, and noticed that 2 of the older ones are CAs. I'm having trouble determining the type of CAs they are, Enterprise/Stand-alone/root, and if they are needed for anything. I want to figure out if I need to migrate them or their specific roles, and if so how. The CA will be used for Exchange 2007 certs and wireless PEAP clients.

Thanks
ASKER CERTIFIED SOLUTION
Paranormastic

If there are 2 CAs then look at each on the server by opening certsrv.msc (Certification Authority MMC), expand CAName and select Certificate Templates; this will tell you what templates are being used, and you can usually tell by the name what they are for. After checking that, select Issued Certificates and see if there are a lot of certificates or not; if there are not too many then just look. If there are a lot, try applying a filter to search after 1 year ago to get a better feel and sort by template name. If there are still a lot, let me know and I can show you how to query by template.
mbromb

ASKER

results:
CAType REG_DWORD = 3
  ENUM_STANDALONE_ROOTCA -- 3

So, it looks like they're both stand-alone roots. I'm not sure why my predecessor would have done that rather than an Enterprise root and subordinate.

There are a bunch of templates, but each only has a single issued cert to the computer's own account of template type CA Exchange. They are both Effective date 3/31/10 - Expiration 4/7/10. Are these their own renewed private keys for issuing certs?
>>Are these their own renewed private keys for issuing certs?
Pretty much.  CAExchange certs are used to encrypt the session for archiving private encryption keys.  They are internal to the CA issuance process, yes.

The old admin was probably trying to do something he didn't know how to do properly - maybe 2 different people or they forgot they did it once before.  Having a standalone root is a good thing if it is offline (which all roots should be, really), then have a 2nd CA that is online as an enterprise subordinate CA.
mbromb

ASKER

Is it safe to say that these CAs are unused and can be removed?  I would then install an Ent. root CA on the 2008 DC?  We have a secure internal network, so I wouldn't be too concerned about it staying online, but I suppose I could keep the service down, and bring up a subordinate on another DC.  My impression is that the wireless PEAP clients will need access to a live CA.
SOLUTION
mbromb

ASKER

I've upped the points

We don't have any 2008 Enterprise installations, including the DCs. I was going to put the CA on a DC so that there is never an issue of it disappearing. It's not a good idea because of the security issue of having it there, right? It's not about anything else? That's why I was asking if it would be acceptable to just disable the Certificate Services service to keep it "offline". It may be possible to put it on another server that is used for other utilities and system admin stuff.

Sorry, I'm a little confused, and I should do some more reading to get the bigger picture. I was trying to expedite because I have enough reading/research to do at the moment. Some further questions:

In lieu of doing what you suggest, "the root should be an offline standalone CA on standard edition OS with the issuing CA being an enterprise subordinate.", would this work, on 2008 Standard, install a single CA as a standalone root?  Or would an Enterprise Root be necessary since there would be only one CA?
The Enterprise Subordinate you suggest is so there is integration with AD and so the root is unavailable for security reasons? Does the issuing CA need to be an Enterprise CA?

For a 2008 CA, it seems that I should avoid using the CNG CSPs, those with # in the name? It seems that some PEAP clients have issues with it, and there may be other issues.

I intend to bring up a new CA depending on the outcome of this thread, and then when decommissioning the CAs that are in place on the 2003 servers, just shut them down for a week to make sure there are no issues.  Then bring them up for decom.

thanks for the article!
SOLUTION
Yes, the 'enterprise' makes it so it is AD integrated during installation - you will need enterprise admin rights to install.  Stand-alone is usually used for offline CAs and also for CAs that are issuing certs only outside of the internal network.

If you need install guides, you can use these from my new site for guidelines to get started:
http://www.pki101.com/InstallRootCA_2008.html
http://www.pki101.com/InstallSubordinateCA_2008.html
mbromb

ASKER

ok.  Good info!

For Exchange I'll need to produce SAN or UCC certs.  Can that be done with a Ent. Root CA on 2008 standard?  We have no 2008 Ent installations.
mbromb

ASKER

An MS article, http://support.microsoft.com/kb/931351, indicates that a standalone can be used to issue Exchange 2007 SAN certs, and that templates are not necessary.

This excerpt I've seen in multiple articles.  It's not clear to me if the command does work on a template, or if it works on any CA.
----------------------
By default, a CA that is configured on a Windows Server 2003-based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.
 
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
----------------------
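As an added illustration (not from this thread or from the Microsoft KB quoted above), the following PowerShell reads, on the CA host itself, the two registry values the thread turns on: CAType (the value the asker printed as 3) and the policy module's EditFlags, and reports whether the flag from the quoted certutil command is in effect. It assumes it is run elevated on the CA server with the standard CertSvc registry layout.

```powershell
# Added example, not part of the thread: decode the CA type and check whether
# the SAN-attribute edit flag from the quoted KB excerpt is set on this CA.
# Reads the same values that "certutil -getreg CA\CAType" and
# "certutil -getreg policy\EditFlags" print. Assumes an elevated shell on the CA.
$cfg       = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $cfg).Active        # name of the active CA
$caKey     = Join-Path $cfg $caName
$policyKey = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'

# CAType values from certsrv.h; the asker's "CAType REG_DWORD = 3" is a standalone root.
$caTypes = @{ 0 = 'Enterprise root'; 1 = 'Enterprise subordinate'; 2 = 'Unknown';
              3 = 'Standalone root'; 4 = 'Standalone subordinate' }
$caType = (Get-ItemProperty -Path $caKey -Name CAType).CAType
"{0}: CAType={1} ({2})" -f $caName, $caType, $caTypes[[int]$caType]

# EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000. While it is set, the CA copies a SAN
# passed as a *request attribute* into the issued certificate for every request,
# so the names in the cert come from the requester rather than from a template.
# Prefer a template that takes the SAN from the CSR itself, and clear the flag
# once the Exchange cert has been issued.
$SanFlag   = 0x40000
$editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
if ($editFlags -band $SanFlag) {
    "EditFlags=0x{0:X}: EDITF_ATTRIBUTESUBJECTALTNAME2 is SET" -f $editFlags
    # To clear it: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
    #              net stop certsvc ; net start certsvc
} else {
    "EditFlags=0x{0:X}: EDITF_ATTRIBUTESUBJECTALTNAME2 is not set" -f $editFlags
}
```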
SOLUTION
mbromb

ASKER

OK. I've been able to get some more research in and figure things out. It turns out that 2008 R2 Standard includes the V2 and V3 templates and autoenrollment with an Ent. CA. So, I'll be going that route. Thanks for all the info. It's been an education.

Matt
mbromb

ASKER

Thanks for the education