Setup a 2nd CA for LDAP SSL

Posted on 2012-09-18
Medium Priority
Last Modified: 2015-06-23
I have a 2003 server with a CA on it that is stopped. We will be decommissioning this server in the next 2 weeks or so.

I have a 2008R2 DC on which I want to set up LDAP over SSL to our Sonicwall router for LDAP integration.

Per this article () you can just install an Enterprise Root CA on the 2008R2 DC and LDAPS will be enabled automatically.

However, my concern is that if I already have a CA on the 2003 server, will it cause a conflict on the Active Directory network? Or will they be completely separate?

Also, another option I have, since installing an Enterprise Root CA on a DC is not recommended, is to create a certificate from the current CA on the 2003 server. However, my concern is that if I decommission that CA in 2 weeks, will that be a problem in using the certificate, or does it not matter? Can I just set up another CA in 5 years to recreate the certificate when it expires?

I'm not that familiar with using Microsoft CAs so want to keep it as simple as possible and thus the above questions. Thanks.
Question by:RFVDB
LVL 81

Expert Comment

ID: 38412204
You can use the CA to sign the certificate of a subordinate/issuing CA; the problem will arise when the subordinate certificate comes close to expiring, since the signing CA is nowhere to be found to renew it.

One option is to back up the current win2k3 CA and restore it within a VM that can then be kept off while the subordinate/issuing CA issues/signs any new certs. When the subordinate CA certificate is about to expire, you would fire up the VM CA, renew the subordinate CA certificate and take it offline again. It would be up to you whether to renew the subordinate using the existing or a new key. The same applies when the VM CA needs renewing.
Remember to add the CA root and subordinate within the GPO, publishing the two as trusted root certificates.

Make sure you have backup setups for the CAs, including certificates.

Author Comment

ID: 38419998

Could we just:

1) Create a certificate with the current CA, decommission it, then in 5 years create a new CA and register the certificate?


2) Just create a 2nd CA right now on the DC in question or elsewhere for a more permanent solution, or will that conflict with another CA being on the network/domain?

LVL 81

Expert Comment

ID: 38420030
Backing up and restoring the CA data might be a better approach.

You could, but you have to be aware of the consequences of continually adding/managing the CA.

Creating a VM CA that will be kept offline unless a subordinate CA certificate needs to be renewed is a choice that would maintain an active CA that can issue/renew certificates and will be trusted if the same key is used on the Root CA.

TWO unrelated CAs will mean that at the time of renewal the user will have two options as to where the certificate signing request should be sent. If you are the only one who will be performing this, you can do what you will, but it will make it extremely complicated, as well as preventing you from being able to revoke previously issued certificates.
I.e. you have a web site that uses/requires client certificates. You issue those certificates to users, and then have to revoke them when their access is no longer authorized.


Author Comment

ID: 38422905
Hi, the setup is really stupid simple and we won't be using the CA for anything else than LDAP SSL. Otherwise we'll be using third party certificates.

The current 2003 CA is sitting on a server that is a DC and an Exchange 2003 server :(. Thus I want to get rid of it. The 2003 CA is currently in a stopped state.

Should I just create the new CA on the 2008 DC since the 2003 will be decommissioned in the next week or two or will that cause conflicts on the network?
LVL 81

Expert Comment

ID: 38422930
If you have a single purpose, you might want to look at using OpenSSL. You can configure it as a CA and issue self-signed certificates without relying on a single system, i.e. you can copy the private/public certificates etc.


Accepted Solution

RFVDB earned 0 total points
ID: 38532526
One aspect of the Sonicwall requires a public certificate for LDAP over SSL (Anti-Spam plugin with LDAP integration). And only Thawte and Verisign certs are compatible.

I guess that's what I'll have to do for now. This link from Microsoft covers importing third-party certificates for LDAP over SSL: http://support.microsoft.com/kb/321051

See any problem in doing this?
LVL 36

Expert Comment

by:Seth Simmons
ID: 40845501
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
