MAFinazzo

asked on

When Migrating the Certification Authority can a new server name be used

We have a client that has a DC with the Root CA installed on it. They are moving to a new data center, thus the need for the migration. Moving the DC isn't an issue, and we are recommending installing the new CA on a member server. The issue is the name of the CA server: the client would prefer to have a new name for the CA, though everything I read says to give the new server the same name. Is it possible to migrate the CA to a new server with a new name and not re-issue the certs and/or break the configuration?

Thanks
Mahesh

You simply cannot change the CA name once it is installed; it is not supported. At most, you can move the CA from one server to another, keeping either the same CA server hostname or a different CA server hostname.

The CA server name is hardcoded in the CRL and AIA locations of issued certificates.

How many certificates have you issued with this CA?

If the number of issued certificates is small, then I would suggest you go for a brand new CA with a new CA name and a new server hostname, and just uninstall the old CA.

But if this is not the case and you want to retain the old CA by any means, then there are two approaches:

1  Migrate the CA to another server, keeping the same CA name (you cannot change the CA name) and the same CA server hostname (recommended at all times)
https://www.experts-exchange.com/questions/28338390/Windows-CA-migration-from-Windows-2003-R2-to-Windows-2008-R2.html

2  Migrate the CA to another server, keeping the same CA name (you cannot change the CA name) and a different server hostname
http://technet.microsoft.com/en-us/library/dn486797.aspx - all steps are outlined here

With this approach you can migrate the CA to a server with a different hostname.
Since the CRL and AIA locations are hardcoded with the old CA server name, you must provision an IIS instance somewhere and put your CA root certificate and CRL there, so that the hardcoded location can resolve to that IIS instance to get the CRL and AIA.

The CRL is used to check whether a client certificate is expired or revoked against the certificate revocation list (CRL).
The AIA is used to verify the issuer certificate's authenticity (Authority Information Access (AIA)).

If you skip the above step, then your existing issued certificates will not work as expected, because they will fail to check the CRL and AIA, and then you will need to enroll new certificates to clients, in which the new CA server name will be included.

Check the excellent articles below:
https://social.technet.microsoft.com/wiki/contents/articles/21076.upgrading-the-pki-from-windows-server-2008-r2-to-windows-server-2012-different-host-name-part-1.aspx

The article below explains how to redirect the old CRL and AIA points of the old certification authority to the new CA's CRL and AIA points:
http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx

Mahesh
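As an added illustration of the point above (this is not code from the thread, nor from Microsoft), the PowerShell below inventories the CDP and AIA URLs embedded in the certificates of a machine's store and checks whether each HTTP location still answers, which is the pre-migration check you would run to see which hostnames must keep resolving. The store path is an assumption, and the URL parsing relies on the Windows CryptoAPI text rendering of the extensions.

```powershell
# Added example: list the CDP/AIA URLs hard-coded into installed certificates and
# check whether each HTTP location still answers. Windows only (the extension text
# comes from CryptoAPI). StorePath is an assumption; point it at any cert store.
param([string]$StorePath = 'Cert:\LocalMachine\My')

$cdpOid = '2.5.29.31'          # CRL Distribution Points
$aiaOid = '1.3.6.1.5.5.7.1.1'  # Authority Information Access

$urls = foreach ($cert in Get-ChildItem -Path $StorePath) {
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -ne $cdpOid -and $ext.Oid.Value -ne $aiaOid) { continue }
        $kind = if ($ext.Oid.Value -eq $cdpOid) { 'CDP' } else { 'AIA' }
        # Format($true) renders the extension as text; each location shows as "URL=..."
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Issuer     = $cert.Issuer
                Kind       = $kind
                Url        = $m.Groups[1].Value
            }
        }
    }
}

# One row per distinct URL: these host names must keep resolving after the move.
$report = foreach ($g in ($urls | Group-Object Url)) {
    $url      = $g.Name
    $hostName = if ($url -match '^[a-z]+://([^/?]*)') { $Matches[1] } else { '' }
    # ldap:/// locations have no host; they are resolved through AD, not DNS.
    $status = 'not checked (non-HTTP location)'
    if ($url -match '^https?://') {
        try {
            $r = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
            $status = "HTTP $($r.StatusCode)"
        } catch {
            $status = "FAIL: $($_.Exception.Message)"   # unresolvable host, 404, timeout
        }
    }
    [pscustomobject]@{
        Host   = $hostName
        Kind   = ($g.Group.Kind | Sort-Object -Unique) -join ','
        Certs  = $g.Count
        Url    = $url
        Status = $status
    }
}

$report | Sort-Object Host, Url | Format-Table -AutoSize
```

Any row whose Status reads FAIL names a location that clients of those certificates can no longer reach, which is exactly what the IIS instance under the old hostname is meant to keep serving.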
MAFinazzo

ASKER

Mahesh,

Thank you for the response. You lost me a little in the section below: so on the destination server the hostname can be different? The IIS instance needs to have the name of the source server? Again, thanks for jumping in.

Migrate the CA to another server, keeping the same CA name (you cannot change the CA name) and a different server hostname
http://technet.microsoft.com/en-us/library/dn486797.aspx - all steps are outlined here

With this approach you can migrate the CA to a server with a different hostname.
Since the CRL and AIA locations are hardcoded with the old CA server name, you must provision an IIS instance somewhere and put your CA root certificate and CRL there, so that the hardcoded location can resolve to that IIS instance to get the CRL and AIA.
ASKER CERTIFIED SOLUTION
Mahesh
OK!! I got it now.
I'm afraid not; to maintain continuity throughout Active Directory, it is necessary to keep the same name. Consider a client with a certificate issued from the CA on Server A. That certificate directly references Server A, and whenever a validation check is performed on the certificate (either by the client or by a different client), roughly speaking, a revocation status request will be sent to Server A. Assuming Server A no longer exists or has changed, the client's request will return "RPC Server Unavailable" and the certificate will be deemed invalid.

If the destination server is Windows Server 2008, it is supported to move the CA from one computer to a computer with a different host name. However, please remember that we cannot change the CA name. See "The CA name must stay the same." (again) under "Computer to computer with host name change".