Solved

When Migrating the Certification Authority can a new server name be used

Posted on 2014-03-13
9,186 Views
Last Modified: 2014-03-14
We have a client that has a DC with the Root CA installed on it. They are moving to a new data center, thus the need for the migration. Moving the DC isn't an issue, and we are recommending installing the new CA on a member server. The issue is the name of the CA server: the client would prefer to have a new name for the CA, though everything I read says to give the new server the same name. Is it possible to migrate the CA to a new server with a new name and not re-issue the certs and/or break the configuration?

Thanks
Question by:MAFinazzo
5 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39928488
You simply cannot change the CA name once installed; it's not supported. At most you can move the CA from one server to another, keeping the same CA server hostname or using a different CA server hostname.

The CA server name is hardcoded in the issued certificates' CRL and AIA.

How many certificates have you issued with this CA?

If the number of issued certificates is small, then I would suggest going for a brand new CA with a new CA name and a new server host name, and just uninstalling the old CA.

But if this is not the case and you want to retain the old CA by any means, then there are two approaches:

1. Migrate the CA to another server, keeping the same CA name (you cannot change the CA name) and the same CA server host name (recommended at all times):
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28338390.html

2. Migrate the CA to another server, keeping the same CA name (you cannot change the CA name) and a different server name:
http://technet.microsoft.com/en-us/library/dn486797.aspx - all steps are outlined here

With this approach you can migrate the CA to a server with a different hostname.
Since the CRL and AIA are hardcoded with the old CA server name, you must provision an IIS instance somewhere and put your CA root certificate and CRL there, so that the hardcoded location can resolve to that IIS instance to get the CRL and AIA.

The CRL is used to check whether a client certificate is expired or revoked against the certificate revocation list (CRL).
The AIA is used to verify the issuer certificate's authenticity (Authority Information Access (AIA)).

If you skip the above step, then your existing issued certificates will not work as expected because they will fail to check the CRL and AIA, and then you need to enroll new certificates for clients, where the new CA server name will be included.

Check the excellent articles below:
https://social.technet.microsoft.com/wiki/contents/articles/21076.upgrading-the-pki-from-windows-server-2008-r2-to-windows-server-2012-different-host-name-part-1.aspx

The article below explains how to redirect the old CRL and AIA points of the old certification authority to the new CA's CRL and AIA points:
http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx

Mahesh

Author Comment

by:MAFinazzo
ID: 39929003
Mahesh,

Thank you for the response. You lost me a little in the section below: so on the destination server the hostname can be different? The IIS instance needs to have the name of the source server? Again, thanks for jumping in.

"Migrate the CA to another server, keeping the same CA name (you cannot change the CA name) and a different server name:
http://technet.microsoft.com/en-us/library/dn486797.aspx - all steps are outlined here

With this approach you can migrate the CA to a server with a different hostname.
Since the CRL and AIA are hardcoded with the old CA server name, you must provision an IIS instance somewhere and put your CA root certificate and CRL there, so that the hardcoded location can resolve to that IIS instance to get the CRL and AIA."
LVL 37

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39929066
OK.
You cannot change the CA name once deployed.
But you can have a CA server name (not the CA name) different from the original CA server name if you want.

The only thing in that case is that your existing certificates issued by the old CA will not be able to check the CRL and AIA, as these two are hardcoded in the issued certificate properties with the old CA server name.
You can double-click your existing certificate on a client and go to the Details tab;
you will find this info there and also get a feel for what I am trying to say.

So, in order to be able to check the CRL and AIA for existing certificates at the new CA server location, you need to set up URL redirection at the DNS level so that those old URLs will be resolved to the new CA server's CRL and AIA locations.
Otherwise your existing certificates that were issued by the old CA will become invalid.

In order to work with DNS redirection and make the CRL and AIA available to old certificates with the new CA server, follow the steps in the article below:
http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx

The above article was already mentioned in my 1st comment.

My comment:
"With this approach you can migrate the CA to a server with a different hostname.
Since the CRL and AIA are hardcoded with the old CA server name, you must provision an IIS instance somewhere and put your CA root certificate and CRL there, so that the hardcoded location can resolve to that IIS instance to get the CRL and AIA."

If you followed the above article and did the steps with DNS, then you can simply ignore this comment, as it is a separate approach.
In this comment, what I am doing:
I am installing IIS on a Windows-based server, creating the same path as my old CA's CRL and AIA path, copying my .crl and +crl files and CA root certificate to this location, and updating it manually and periodically.
Now my existing issued certificates will be able to resolve the CRL and AIA locations as appropriate and remain valid.

If you do not want any hassles, you can simply migrate the CA from one server to another, keeping the same server name at source and destination.

Let me know if you have any confusion, please.

Mahesh
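A check a practitioner would want before and after such a migration, as an added example that is not from this thread or from Mahesh: a PowerShell script that lists the CDP (CRL) and AIA URLs hardcoded in certificates issued by the old CA and tests whether each HTTP URL still answers, so every location the new IIS instance or DNS redirection must cover is known in advance. The CA name `Contoso-Root-CA` and the store path are placeholders.

```powershell
# Added example (not from the thread): enumerate the CRL Distribution Point (CDP)
# and Authority Information Access (AIA) URLs embedded in certificates issued by
# the old CA, then test whether each HTTP URL still responds.
# Assumption: $OldCaName is the CA common name as shown in the Issuer field; adjust it.
param(
    [string]$OldCaName = 'Contoso-Root-CA',        # placeholder CA name
    [string]$StorePath = 'Cert:\LocalMachine\My'   # store to inspect
)

$cdpOid = '2.5.29.31'            # CRL Distribution Points extension
$aiaOid = '1.3.6.1.5.5.7.1.1'    # Authority Information Access extension

# Only certificates whose issuer is the old CA carry its hardcoded URLs
$certs = Get-ChildItem -Path $StorePath | Where-Object { $_.Issuer -like "*CN=$OldCaName*" }

$results = foreach ($cert in $certs) {
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -notin @($cdpOid, $aiaOid)) { continue }
        $kind = if ($ext.Oid.Value -eq $cdpOid) { 'CDP' } else { 'AIA' }
        # Format($true) renders the extension as text; pull every http/ldap URL out of it
        $urls = [regex]::Matches($ext.Format($true), '(https?|ldap)://[^\s,]+') |
                ForEach-Object { $_.Value }
        foreach ($url in $urls) {
            $status = 'skipped (ldap)'   # LDAP locations resolve through AD, not IIS
            if ($url -match '^https?://') {
                try {
                    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
                    $status = "HTTP $($resp.StatusCode)"
                } catch {
                    $status = "FAIL: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Kind       = $kind
                Url        = $url
                Status     = $status
            }
        }
    }
}

# Every FAIL row is a hardcoded location that will break revocation or chain
# checking for that certificate once the old CA host name stops resolving.
$results | Format-Table -AutoSize
```

For a single exported certificate, `certutil -verify -urlfetch <file.cer>` performs the same fetch of each CDP and AIA location; the script just batches that check over a whole store.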

Author Comment

by:MAFinazzo
ID: 39929084
OK!! I got it now.
LVL 64

Expert Comment

by:btan
ID: 39929135
I'm afraid not; to maintain continuity throughout Active Directory, it is necessary to keep the same name. Consider a client with a certificate issued from the CA on Server A. That certificate directly references Server A, and whenever a validation check is performed on the certificate (either by the client or a different client), roughly speaking, a revocation status request will be sent to Server A. Assuming Server A no longer exists or has changed, the client's request will return "RPC Server Unavailable" and the certificate will be deemed invalid.

If the destination server is Windows Server 2008, it is supported to move the CA from one computer to a computer with a different host name. However, please remember that we cannot change the CA name. See "The CA name must stay the same." (again) under "Computer to computer with host name change".