What to bring down Current Root CA in Active Directory

Posted on 2011-09-26
Last Modified: 2012-05-12
Hello,

Here is the scenario....

We have a Microsoft CA running in the environment to run in conjunction with Exchange 2007, Outlook 2007 clients, as well as Office Communicator 2007. Due to naming and multiple roles on the same server, I would like to delete the current CA from the AD Domain and start fresh with a new server, naming convention etc. The current setup for the CA is one server performing all CA services. For security reasons I want to separate and delegate. I am aware of the process of deleting and revoking such services, but my first concern is Exchange 2007 and the Outlook client currently using the certs issued to them by the existing CA just for client/server communications. I guess my question is: can we delete the current CA server without revoking the certificate for Exchange/Outlook, bring the new PKI infrastructure online, issue new certs, and revoke and delete the old cert post deployment? How is this going to affect client/server communication? OWA is not an issue; we are currently utilizing a mail security appliance that handles the third-party cert for OWA. The appliance "tunnels" to OWA so there is no Forms Based Authentication setup at all. I have googled, but getting the right wording and getting results that are relevant is a challenge. Any help is very much appreciated.
0
Comment
Question by:brettschwartzunibank
4 Comments
 
LVL 26

Accepted Solution

by:
e_aravind earned 2000 total points
ID: 36711405
Well, if you are planning to delete and recreate the new CA @ your infrastructure...go ahead and proceed with the same.

1. Exchange for Autodiscover, EWS needs a certificate
If this cert is from the local CA (not the self-signed one generated by Exchange)...then you may need to re-request the cert again and then submit this request to the new Certification Authority which is going to come up.

2. For all the domain-joined machines with Outlook
The root CA from the new CA server will be pushed via the GPO.
So no need to worry about the cert trusting for Outlook (after 1 day).
IMO, we may need the client machines to log off and log on...else, you may need to restart the client machine to get the new cert.

>> If you are using mail/message encryption with the old cert then you need to be very careful in removing the old entries from the client machine...else you can have another bunch of unrelated certs @ the client and Exchange cert. (Clean-up is not mandatory!)
0
 

Author Comment

by:brettschwartzunibank
ID: 36716782
In number 2 when you say GPO, you are referring to AutoEnroll, correct?

And I can safely assume that bringing down the old and coming up with the new is not going to break or cease client/server operations?

Thanks,


0
 
LVL 26

Expert Comment

by:e_aravind
ID: 36718547
Yes, the default AutoEnrollment, which pushes the current CA's root certificate to all of the domain-joined client machines.

The only challenge would be @ the non-domain-joined machines...which would start showing cert warnings.
0
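To check the two points raised in the accepted answer and the follow-up (which certificates still chain to the CA being retired, and whether the replacement root has actually reached a machine's Trusted Root store), here is an added PowerShell example; it is not code from the thread, and the two CA subject names are placeholders you replace with your own.

```powershell
# Added example (not from the thread): inventory certificates issued by the
# CA that is being decommissioned and confirm the replacement root is trusted.
# Run in an elevated PowerShell on a client, or on the Exchange server.
$oldCaName = "CN=OLD-ROOT-CA"   # placeholder: subject of the CA being retired
$newCaName = "CN=NEW-ROOT-CA"   # placeholder: subject of the replacement CA

# 1. Has GPO/autoenrollment already delivered the new root to this machine?
$newRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $newCaName }
if ($newRoot) { "New root trusted: $($newRoot.Thumbprint)" }
else          { "New root NOT in LocalMachine\Root yet (non-domain-joined box?)" }

# 2. Which machine certificates were issued by the old CA, and do they still
#    build a valid chain? Revocation checking is disabled because the old
#    CA's CRL distribution point may be gone once the server is removed.
$issuedByOld = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $oldCaName }
foreach ($c in $issuedByOld) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid = $chain.Build($c)
    "{0}  {1}  expires {2:yyyy-MM-dd}  chain valid: {3}" -f `
        $c.Thumbprint, $c.Subject, $c.NotAfter, $valid
}

# 3. On the Exchange server only: which Exchange services (IIS, SMTP, POP, IMAP)
#    are bound to a certificate from the old CA and must be re-requested first.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate |
        Where-Object { $_.Issuer -eq $oldCaName } |
        Format-List Thumbprint, Subject, Services, NotAfter
}
```

Anything listed in step 3 is what the accepted answer's point 1 refers to: re-request it from the new CA and reassign the services before the old CA is deleted, and repeat step 1 on a non-domain-joined machine to confirm the warning the follow-up describes.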
 

Author Closing Comment

by:brettschwartzunibank
ID: 36718722
Thank you
0
