MAFinazzo asked on

When Migrating the Certification Authority can a new server name be used

We have a client that has a DC with the Root CA installed on it. They are moving to a new data center thus the need for the migration. Moving the DC isn't an issue and we are recommending to install the new CA on a member server. The issue is the name of the CA server, the client would prefer to have a new name for the CA, though everything I read says to give the new server the same name. Is it possible to migrate the CA to a new server with a new name and not re-issue the certs and or break the configuration?

Thanks
Active Directory

Last Comment: btan, 8/22/2022 - Mon
Mahesh

You simply cannot change the CA name once it is installed; it is not supported. At most you can move the CA from one server to another, keeping the same CA server hostname or using a different CA server hostname.

The CA server name is hardcoded in the CRL and AIA of the issued certificates.

How many certificates have you issued with this CA?

If the number of issued certificates is small, then I would suggest you go for a brand new CA with a new CA name and a new server hostname, and just uninstall the old CA.

But if this is not the case and you want to retain the old CA by any means, then there are two approaches:

1. Migrate the CA to another server, keeping the same CA name (you cannot change the CA name) and the same CA server hostname (recommended at all times):
https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28338390.html

2. Migrate the CA to another server, keeping the same CA name (you cannot change the CA name) but using a different server name:
http://technet.microsoft.com/en-us/library/dn486797.aspx - all steps are outlined here

With this approach you can migrate the CA to a server with a different hostname.
Since the CRL and AIA are hardcoded with the old CA server name, you must provision an IIS instance somewhere and put your CA root certificate and CRL there, so that the hardcoded location resolves to that IIS instance to get the CRL and AIA.

The CRL is used to check whether a client certificate is expired or revoked against the certificate revocation list (CRL).
The AIA is used to verify issuer certificate authenticity (Authority Information Access (AIA)).

If you skip the above step, then your existing issued certificates will not work as expected because they will fail the CRL and AIA checks, and then you need to enroll new certificates to the clients, in which the new CA server name will be included.

Check the excellent article below:
https://social.technet.microsoft.com/wiki/contents/articles/21076.upgrading-the-pki-from-windows-server-2008-r2-to-windows-server-2012-different-host-name-part-1.aspx

The article below explains how to redirect the old CRL and AIA points of the old certification authority to the new CA's CRL and AIA points:
http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx

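The second approach above only works if every CDP and AIA URL baked into the already-issued certificates still answers once the old hostname is gone. The following PowerShell is an added example for verifying that, not part of the original thread or of any Microsoft documentation: it lists the CRL Distribution Point and Authority Information Access URLs embedded in certificates issued by the old CA and fetches each HTTP location. The issuer name is a placeholder you must replace; the certificate stores and OIDs are standard.

```powershell
# Added example (not from the thread): inventory the CRL Distribution Point (CDP, OID 2.5.29.31)
# and Authority Information Access (AIA, OID 1.3.6.1.5.5.7.1.1) URLs in certificates issued by the
# old CA and confirm each HTTP URL is still reachable after the CA has moved to a new hostname.
# Run on a domain-joined machine that holds certificates from the old CA.

$OldCaName = 'OLD-CA-NAME-PLACEHOLDER'   # assumption: the CA common name as it appears in the Issuer field

# Assumption: the machine and user personal stores hold the certificates of interest.
$issued = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') |
    ForEach-Object { Get-ChildItem -Path $_ } |
    Where-Object { $_.Issuer -like "*CN=$OldCaName*" }

foreach ($cert in $issued) {
    $exts = $cert.Extensions | Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' }
    foreach ($ext in $exts) {
        # Format($true) renders the extension as multi-line text; extract every http(s) URL from it.
        # ldap:// locations are skipped here because they need a directory bind, not a plain fetch.
        $urls = [regex]::Matches($ext.Format($true), 'https?://[^\s,)]+') | ForEach-Object { $_.Value }
        foreach ($url in $urls) {
            try {
                $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                $status = "OK ($($resp.StatusCode), $($resp.RawContentLength) bytes)"
            } catch {
                # A failure here means clients will be unable to build or revocation-check the chain.
                $status = "FAILED: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Subject   = $cert.Subject
                Extension = $ext.Oid.FriendlyName
                Url       = $url
                Status    = $status
            }
        }
    }
}
```

Any row reporting FAILED points at a location that the redirect or the interim IIS instance does not yet serve. For a single certificate, the built-in `certutil -verify -urlfetch <file.cer>` performs the same retrieval, including the LDAP locations this script skips, and is the check to run on a representative client before decommissioning the old host.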
ASKER
MAFinazzo

Mahesh,

Thank you for the response. You lost me a little in the section below. So on the destination server the hostname can be different? The IIS instance needs to have the name of the source server? Again, thanks for jumping in.

Migrate the CA to another server, keeping the same CA name (you cannot change the CA name) but using a different server name:
http://technet.microsoft.com/en-us/library/dn486797.aspx - all steps are outlined here

With this approach you can migrate the CA to a server with a different hostname.
Since the CRL and AIA are hardcoded with the old CA server name, you must provision an IIS instance somewhere and put your CA root certificate and CRL there, so that the hardcoded location resolves to that IIS instance to get the CRL and AIA.
ASKER CERTIFIED SOLUTION
Mahesh

ASKER
MAFinazzo

OK!! I got it now.
btan

I'm afraid not. To maintain continuity throughout Active Directory, it is necessary to keep the same name. Consider a client with a certificate issued from the CA on Server A. That certificate directly references Server A, and whenever a validation check is performed on the certificate (either by the client or by a different client), roughly speaking, a revocation status request will be sent to Server A. Assuming Server A no longer exists or has changed, the client's request will return "RPC Server Unavailable" and the certificate will be deemed invalid.

If the destination server is Windows Server 2008, it is supported to move the CA from one computer to a computer with a different host name. However, please remember that we cannot change the CA name. See "The CA name must stay the same." (again) under "Computer to computer with host name change".