
Set up a 2nd CA for LDAP SSL

I have a 2003 server with a CA on it that is stopped. We will be decommissioning this server in the next 2 weeks or so.

I have a 2008R2 DC that I want to setup LDAP over SSL to our Sonicwall router for LDAP integration.

Per this article () you can just install an Enterprise Root CA on the 2008R2 DC and LDAPS will be enabled automatically.

However, my concern is, if I already have a CA on the 2003 server, will it cause a conflict on the Active Directory network, or will they be completely separate?

Also, another option I have, since installing an Enterprise Root CA on a DC is not recommended, is to create a certificate from the current CA on the 2003 server. However, my concern is: if I decommission that CA in 2 weeks, will that be a problem in using the certificate, or does it not matter? Can I just set up another CA in 5 years to recreate the certificate when it expires?

I'm not that familiar with using Microsoft CAs so want to keep it as simple as possible and thus the above questions. Thanks.
Asked by RFVDB
1 Solution

arnold commented:
You can use the CA to sign a certificate of a subordinate/issuing CA; the problem will arise when the subordinate certificate comes close to expiring, since the signing CA is nowhere to be found to renew it.

One option is to back up the current Win2k3 CA and restore the CA within a VM that can then be kept off while the subordinate/issuing CA issues/signs any new certs. When the subordinate CA certificate is about to expire, you would fire up the VM CA, renew the subordinate CA certificate and take it offline again. It would be up to you whether to renew the subordinate using the existing or a new key. The same applies when the VM CA needs renewing.
Remember to add the CA root and subordinate within the GPO, publishing the two as trusted root certificates.

Make sure you have backup setups for the CAs, including certificates.
http://technet.microsoft.com/en-us/library/cc779540(v=ws.10).aspx

RFVDB (Author) commented:
Thanks.

Could we just:

1) Create a certificate with the current CA, decommission it, then in 5 years create a new CA and register the certificate?

or

2) Just create a 2nd CA right now on the DC in question or elsewhere for a more permanent solution, or will that conflict with another CA being on the network/domain?

Thanks.

arnold commented:
Backing up and restoring the CA data might be a better approach.

You could, but you have to be aware of the consequences of continually adding/managing the CA.

Creating a VM CA that will be kept offline unless a subordinate CA certificate needs to be renewed is a choice that would maintain an active CA that can issue/renew certificates and will be trusted if the same key is used on the root CA.

Two unrelated CAs will mean that at the time of renewal the user will have two options as to which the certificate signing request should be sent. If you are the only one who will be performing this, you can do what you will, but it will make it extremely complicated, as well as preventing you from being able to revoke previously issued certificates.
I.e., you have a web site that uses/requires client certificates. You issue those certificates to users, and then have to revoke them when their access is no longer authorized.

RFVDB (Author) commented:
Hi, the setup is really stupid simple and we won't be using the CA for anything other than LDAP SSL. Otherwise we'll be using third-party certificates.

The current 2003 CA is sitting on a server that is a DC and an Exchange 2003 server :(. Thus I want to get rid of it. The 2003 CA is currently in a stopped state.

Should I just create the new CA on the 2008 DC since the 2003 will be decommissioned in the next week or two or will that cause conflicts on the network?

arnold commented:
If you have a single purpose, you might want to look at using OpenSSL.
You can configure it as a CA and issue self-signed certificates without relying on a single system,
i.e. you can copy the private/public certificates etc.

http://www.openssl.org/related/binaries.html
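Added example, not code from the thread or from any poster: it builds the two-tier layout arnold describes (a root whose key is kept offline and an online issuing CA), issues a certificate for the DC with the Server Authentication EKU and the DC's FQDN in the SAN that KB 321051 asks for, bundles it as a PFX for the DC's machine store, and then plays out the renewal case from the accepted answer by re-signing the issuing CA's original CSR with the root key and checking that the already-issued DC certificate still chains. It assumes OpenSSL 1.1.1 or later on PATH; the host name `dc01.corp.example`, the CA names and the PFX password are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: an offline root CA and an online issuing CA
# built with the openssl CLI, an LDAPS certificate for a domain controller, and
# renewal of the issuing CA certificate with its existing key.
# Assumptions: openssl 1.1.1 or later is on PATH; host name and password are made up.
set -e

DC_FQDN="${DC_FQDN:-dc01.corp.example}"   # assumed FQDN of the 2008R2 DC
PFX_PASS="${PFX_PASS:-changeit}"          # throwaway password for the PFX bundle
WORK="${WORK:-$(mktemp -d)}"              # all keys and certs land here

# Sign a CSR: $1=csr $2=CA cert $3=CA key $4=extension file $5=output cert $6=days
sign_csr() {
  openssl x509 -req -sha256 -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -extfile "$4" -days "$6" -out "$5" 2>/dev/null
}

build_pki() {
  # Root CA: self-signed; its key leaves the machine once the issuing CA is signed.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Corp Offline Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf '%s\n' "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash" > "$WORK/root.ext"
  openssl x509 -req -sha256 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -days 3650 -out "$WORK/root.crt" 2>/dev/null

  # Issuing CA: CSR signed by the root; pathlen:0 stops it from creating further CAs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Corp Issuing CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  printf '%s\n' "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid" > "$WORK/sub.ext"
  sign_csr "$WORK/sub.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/sub.ext" "$WORK/sub.crt" 1825

  # DC certificate with what LDAPS needs: Server Authentication EKU and the DC's FQDN.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$DC_FQDN" \
    -keyout "$WORK/dc.key" -out "$WORK/dc.csr" 2>/dev/null
  printf '%s\n' "basicConstraints=CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" "extendedKeyUsage=serverAuth" \
    "subjectAltName=DNS:$DC_FQDN" "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid" > "$WORK/dc.ext"
  sign_csr "$WORK/dc.csr" "$WORK/sub.crt" "$WORK/sub.key" "$WORK/dc.ext" "$WORK/dc.crt" 730

  # Key + cert + chain as PKCS#12 for the DC's machine store. SHA1/3DES PBE is
  # chosen because the AES/PBKDF2 defaults of OpenSSL 3 do not import on 2008 R2.
  cat "$WORK/sub.crt" "$WORK/root.crt" > "$WORK/chain.pem"
  openssl pkcs12 -export -inkey "$WORK/dc.key" -in "$WORK/dc.crt" \
    -certfile "$WORK/chain.pem" -name "LDAPS $DC_FQDN" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$PFX_PASS" -out "$WORK/dc.pfx"
}

# Chain check the way a client does it: only the root is trusted, the issuing CA is
# supplied as an untrusted intermediate.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" "$WORK/dc.crt" >/dev/null
}

# LDAPS-specific checks: serverAuth EKU present and the FQDN in the SAN.
check_ldaps_cert() {
  txt=$(openssl x509 -in "$WORK/dc.crt" -noout -text)
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s\n' "$txt" | grep -q "DNS:$DC_FQDN"
}

# The renewal case from the thread: bring the root key back, re-sign the issuing
# CA's original CSR (same key pair, new validity), and the DC certificate issued
# under the old issuing CA certificate still chains without being reissued.
renew_issuing_ca() {
  sign_csr "$WORK/sub.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/sub.ext" "$WORK/sub.crt" 1825
  verify_leaf
}

main() {
  build_pki
  verify_leaf
  check_ldaps_cert
  echo "dc.crt passes LDAPS checks; bundle at $WORK/dc.pfx"
  renew_issuing_ca
  echo "issuing CA renewed with its existing key; dc.crt still verifies"
}
main
```

To use the output: import `dc.pfx` into the Local Computer Personal store on the DC, `root.crt` into Trusted Root Certification Authorities and `sub.crt` into Intermediate Certification Authorities (on the DC and on whatever consumes LDAPS, the SonicWall included), then check from another host with `openssl s_client -connect dc01.corp.example:636 -CAfile root.crt`, which should end with `Verify return code: 0 (ok)`. The renewal step shows why keeping the same key matters: clients that pin nothing but the root keep trusting existing leaf certificates, whereas renewing with a new key would force every issued certificate to be reissued. As the later posts note, this only covers plain LDAPS; a component that insists on a Thawte or Verisign certificate will not accept a private CA's certificate at all.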

RFVDB (Author) commented:
One aspect of the Sonicwall requires a public certificate for LDAP over SSL (Anti-Spam plugin with LDAP integration), and only Thawte and Verisign certs are compatible.

I guess that's what I'll have to do for now; this link from Microsoft covers importing third-party certificates for LDAP over SSL: http://support.microsoft.com/kb/321051

See any problem in doing this?

Seth Simmons (Sr. Systems Administrator) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.