Setup a 2nd CA for LDAP SSL

Posted on 2012-09-18
Last Modified: 2015-06-23
I have a 2003 server with a CA on it that is stopped. We will be decommissioning this server in the next 2 weeks or so.

I have a 2008R2 DC that I want to set up LDAP over SSL to our Sonicwall router for LDAP integration.

Per this article () you can just install an Enterprise Root CA on the 2008R2 DC and LDAPS will be enabled automatically.

However, my concern is if I already have a CA on the 2003 server, will it cause a conflict on the active directory network? Or will they be completely separate?

Also, another option I have, since installing an Enterprise Root CA on a DC is not recommended, is to create a certificate from the current CA on the 2003 server. However, my concern is if I decommission that CA in 2 weeks, will that be a problem in using the certificate, or does it not matter? Can I just set up another CA in 5 years to recreate the certificate when it expires?

I'm not that familiar with using Microsoft CAs, so I want to keep it as simple as possible, and thus the above questions. Thanks.
Question by:RFVDB
    LVL 76

    Expert Comment

    You can use the CA to sign a certificate of a subordinate/issuing CA; the problem will arise when the subordinate certificate comes close to expiring, since the signing CA is nowhere to be found to renew it.

    One option is to back up the current win2k3 and restore the CA within a VM that can then be kept off while the subordinate/issuing CA issues/signs any new certs. When the subordinate CA certificate is about to expire, you would fire up the VM CA, renew the subordinate CA certificate and offline it again. It would be up to you whether to renew the subordinate using the existing or a new key. The same applies when the VM CA needs renewing.
    Remember to add the CA root and subordinate within the GPO publishing the two as a trusted root certificate.

    Make sure you have backup setups for the CAs, including certificates.

    Author Comment


    Could we just:

    1) Create a certificate with the current CA, decommission it, then in 5 years create a new CA and register the certificate?


    2) Just create a 2nd CA right now on the DC in question or elsewhere for a more permanent solution, or will that conflict with another CA being on the network/domain?

    LVL 76

    Expert Comment

    Backing up and restoring the CA data might be a better approach.

    You could, but you have to be aware of the consequences of continually adding/managing the CA.

    Creating a VM CA that will be kept offline unless a subordinate CA certificate needs to be renewed is a choice that would maintain an active CA that can issue/renew certificates and will be trusted if the same key is used on the Root CA.

    TWO non-related CAs will mean that at the time of renewal the user will have two options as to which the certificate signing request should be sent to. If you are the only one who will be performing the thing you can do what you will, but it will make it extremely complicated, as well as it will prevent you from being able to revoke previously issued certificates.
    I.e. you have a web site that uses/requires client certificates.  You issue those certificates to users, and then have to revoke it when their access is no longer authorized.

    Author Comment

    Hi, the setup is really stupid simple and we won't be using the CA for anything else than LDAP SSL. Otherwise we'll be using third party certificates.

    The current 2003 CA is sitting on a server that is a DC and an Exchange 2003 server :(. Thus I want to get rid of it. The 2003 CA is currently in a stopped state.

    Should I just create the new CA on the 2008 DC since the 2003 will be decommissioned in the next week or two or will that cause conflicts on the network?
    LVL 76

    Expert Comment

    If you have a single purpose, you might want to look at using OpenSSL.
    You can configure it as a CA and issue self-signed certificates without relying on a single system,
    i.e. you can copy the private/public certificates etc.
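    The OpenSSL route suggested above, as an added example that is not part of the thread: a small offline CA that issues an LDAPS server certificate for the DC, bundles it as a PFX for the Windows computer store, and verifies the chain. The DC name, directory and PFX password are placeholders I chose, not values from the question.

```shell
#!/bin/sh
# Added example (not from the thread): a small offline OpenSSL CA that issues
# the LDAPS server certificate for a DC. Host names and paths are placeholders.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
DC_FQDN="${DC_FQDN:-dc01.example.local}"   # assumed name the SonicWall dials

make_root_ca() {
  # Self-signed root, 10 years. root.key stays on the offline CA box; only
  # root.crt gets published to clients (e.g. via GPO) as a trusted root.
  openssl genrsa -out "$CA_DIR/root.key" 4096 2>/dev/null
  openssl req -new -key "$CA_DIR/root.key" -out "$CA_DIR/root.csr" \
    -subj "/CN=Example Internal Root CA" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    > "$CA_DIR/root.ext"
  openssl x509 -req -in "$CA_DIR/root.csr" -signkey "$CA_DIR/root.key" \
    -sha256 -days 3650 -extfile "$CA_DIR/root.ext" -out "$CA_DIR/root.crt" 2>/dev/null
}

issue_ldaps_cert() {
  # Server cert for the DC: serverAuth EKU and the DC FQDN in the SAN are
  # what an LDAPS client validates; shorter lifetime than the root.
  openssl genrsa -out "$CA_DIR/dc.key" 2048 2>/dev/null
  openssl req -new -key "$CA_DIR/dc.key" -out "$CA_DIR/dc.csr" \
    -subj "/CN=$DC_FQDN" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$DC_FQDN" \
    > "$CA_DIR/dc.ext"
  openssl x509 -req -in "$CA_DIR/dc.csr" -CA "$CA_DIR/root.crt" \
    -CAkey "$CA_DIR/root.key" -CAcreateserial -sha256 -days 825 \
    -extfile "$CA_DIR/dc.ext" -out "$CA_DIR/dc.crt" 2>/dev/null
}

bundle_for_windows() {
  # Windows wants key + cert together as a PFX for the computer's personal
  # store. The password is a placeholder; use a real one and delete dc.key after.
  openssl pkcs12 -export -inkey "$CA_DIR/dc.key" -in "$CA_DIR/dc.crt" \
    -certfile "$CA_DIR/root.crt" -passout pass:changeit -out "$CA_DIR/dc.pfx"
}

verify_chain() {
  # Succeeds only if dc.crt chains to root.crt and the SAN names the DC,
  # i.e. the two checks an LDAPS client performs against port 636.
  openssl verify -CAfile "$CA_DIR/root.crt" "$CA_DIR/dc.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$CA_DIR/dc.crt" -noout -text | grep -q "DNS:$DC_FQDN"
}
```

    After importing dc.pfx on the DC and root.crt on the router, `openssl s_client -connect dc01.example.local:636 -CAfile root.crt` from another host should report "Verify return code: 0 (ok)".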

    Accepted Solution

    One aspect of the Sonicwall requires a public certificate for LDAP over SSL (Anti-Spam plugin with LDAP integration). And only Thawte and Verisign certs are compatible.

    I guess that's what I'll have to do for now - this link from Microsoft covers importing third-party certificates for LDAP over SSL -

    See any problem in doing this?
    LVL 34

    Expert Comment

    by:Seth Simmons
    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
