RFVDB

asked on

Setup a 2nd CA for LDAP SSL

I have a 2003 server with a CA on it that is stopped. We will be decommissioning this server in the next 2 weeks or so.

I have a 2008R2 DC that I want to setup LDAP over SSL to our Sonicwall router for LDAP integration.

Per this article () you can just install an Enterprise Root CA on the 2008R2 DC and LDAPS will be enabled automatically.

However, my concern is if I already have a CA on the 2003 server, will it cause a conflict on the Active Directory network? Or will they be completely separate?

Also, another option I have, since installing an Enterprise Root CA on a DC is not recommended, is to create a certificate from the current CA on the 2003 server. However, my concern is if I decommission that CA in 2 weeks, will that be a problem in using the certificate or does it not matter? Can I just set up another CA in 5 years to recreate the certificate when it expires?

I'm not that familiar with using Microsoft CAs so want to keep it as simple as possible and thus the above questions. Thanks.
arnold

You can use the CA to sign a certificate of a subordinate/issuing CA; the problem will arise when the subordinate certificate comes close to expiring, since the signing CA is nowhere to be found to renew it.

One option is to back up the current win2k3 and restore the CA within a VM that can then be kept off while the subordinate/issuing CA issues/signs any new certs. When the subordinate CA certificate is about to expire, you would fire up the VM CA, renew the subordinate CA certificate and offline it again. It would be up to you whether to renew the subordinate using the existing or a new key. The same applies when the VM CA needs renewing.
Remember to add the CA root and subordinate within the GPO publishing the two as a trusted root certificate.

Make sure you have backup setups for the CAs including certificates.
http://technet.microsoft.com/en-us/library/cc779540(v=ws.10).aspx
RFVDB

ASKER

Thanks.

Could we just:

1) Create a certificate with the current CA, decommission it, then in 5 years create a new CA and register the certificate?

or

2) Just create a 2nd CA right now on the DC in question or elsewhere for a more permanent solution, or will that conflict with another CA being on the network/domain?

Thanks.
Backing up and restoring the CA data might be a better approach.

You could, but you have to be aware of the consequences of continually adding/managing the CA.

Creating a VM CA that will be kept offline unless a subordinate CA certificate needs to be renewed is a choice that would maintain an active CA that can issue/renew certificates and will be trusted if the same key is used on the Root CA.

Two non-related CAs will mean that at the time of renewal the user will have two options to which the certificate signing request should be sent. If you are the only one who will be performing the thing you can do what you will, but it will make it extremely complicated, as well as preventing you from being able to revoke previously issued certificates.
I.e. you have a web site that uses/requires client certificates. You issue those certificates to users, and then have to revoke them when their access is no longer authorized.
RFVDB

ASKER

Hi, the setup is really stupid simple and we won't be using the CA for anything else than LDAP SSL. Otherwise we'll be using third party certificates.

The current 2003 CA is sitting on a server that is a DC and an Exchange 2003 server :(. Thus I want to get rid of it. The 2003 CA is currently in a stopped state.

Should I just create the new CA on the 2008 DC since the 2003 will be decommissioned in the next week or two or will that cause conflicts on the network?
If you have a single purpose, you might want to look at using OpenSSL.
You can configure it as a CA and issue self-signed certificates without relying on a single system.
I.e. you can copy the private/public certificates etc.

http://www.openssl.org/related/binaries.html
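As an added illustration of the point raised in this thread (whether a certificate keeps working after its issuing CA is decommissioned) using the OpenSSL approach suggested above, the script below is not from the thread: it builds a throwaway root CA, issues an LDAPS server certificate for a placeholder DC name, deletes the CA's private key, and then checks that chain validation still succeeds while re-issuing does not. It assumes OpenSSL 1.1.1 or newer is on the PATH; the hostname and CA name are made-up values.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows why an issued certificate stays
# valid after its CA is gone (clients only need the CA's public cert), but why
# renewal/re-issue then becomes impossible (the CA private key is gone).
set -eu

# Placeholder DC name (constructed for this example, not from the thread).
DC_FQDN="dc1.example.local"

demo_ca_lifecycle() {
  work=$(mktemp -d)
  cd "$work"

  # 1. Root CA: self-signed, 10 years. "req -x509" marks it CA:TRUE by default.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout root.key -out root.crt -subj "/CN=Example Lab Root CA" >/dev/null 2>&1

  # 2. Server key and CSR for the DC. LDAPS clients match the DC FQDN in the SAN.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout dc.key -out dc.csr -subj "/CN=$DC_FQDN" >/dev/null 2>&1

  # 3. CA signs the CSR, adding the SAN and the server-authentication EKU.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$DC_FQDN" > dc.ext
  openssl x509 -req -in dc.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 365 -out dc.crt -extfile dc.ext >/dev/null 2>&1

  # 4. "Decommission" the CA: its private key is destroyed; root.crt (public) survives,
  #    which is what gets distributed to clients (e.g. via GPO / the router's trust store).
  rm -f root.key

  # 5. Chain validation needs only the CA's public certificate, so the DC cert verifies.
  if openssl verify -CAfile root.crt dc.crt >/dev/null 2>&1; then chain_ok=1; else chain_ok=0; fi

  # 6. Re-issuing (renewal) for the same CSR fails without the CA key.
  if openssl x509 -req -in dc.csr -CA root.crt -CAkey root.key -CAcreateserial \
       -days 365 -out dc2.crt -extfile dc.ext >/dev/null 2>&1; then renew_ok=1; else renew_ok=0; fi

  cd / && rm -rf "$work"
  echo "chain_ok=$chain_ok renew_ok=$renew_ok"
}
```

Running `demo_ca_lifecycle` prints `chain_ok=1 renew_ok=0`: the existing certificate is still trusted, but nothing can be renewed, which is exactly why the thread suggests keeping the CA (or a restored copy of it) available for the renewal date.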
ASKER CERTIFIED SOLUTION
RFVDB
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.