Solved

When Migrating the Certification Authority can a new server name be used

Posted on 2014-03-13
5,759 Views
Last Modified: 2014-03-14
We have a client that has a DC with the Root CA installed on it. They are moving to a new data center, thus the need for the migration. Moving the DC isn't an issue, and we are recommending installing the new CA on a member server. The issue is the name of the CA server: the client would prefer to have a new name for the CA, though everything I read says to give the new server the same name. Is it possible to migrate the CA to a new server with a new name and not re-issue the certs and/or break the configuration?

Thanks
Question by:MAFinazzo
5 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 39928488
You simply cannot change the CA name once installed; it's not supported. At most, you can move the CA from one server to another, keeping the same CA server hostname or using a different CA server hostname.

The CA server name is hardcoded in the issued certificates' CRL and AIA.

How many certificates have you issued with this CA?

If the number of issued certificates is small, then I would suggest you go for a brand new CA with a new CA name and a new server host name, and just uninstall the old CA.

But if this is not the case and you want to retain the old CA by any means, then there are two approaches:

1. Migrate the CA to another server keeping the same CA name (you cannot change the CA name) and the same CA server host name (recommended at all times)
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28338390.html

2. Migrate the CA to another server keeping the same CA name (you cannot change the CA name) and a different server name
http://technet.microsoft.com/en-us/library/dn486797.aspx - all steps outlined here

With this approach you can migrate the CA to a server with a different hostname.
Since the CRL and AIA are hardcoded with the old CA server name, you must provision an IIS instance somewhere and put your CA root certificate and CRL there, so that the hardcoded location can resolve to that IIS instance to get the CRL and AIA.

The CRL is used to check whether a client certificate is expired/revoked against the certificate revocation list (CRL).
The AIA is used to verify the issuer certificate's authenticity (Authority Information Access (AIA)).

If you skip the above step, then your existing issued certificates will not work as expected, because they will fail to check the CRL and AIA, and then you need to enroll new certificates to clients, where the new CA server name will get included.

Check the excellent articles below:
https://social.technet.microsoft.com/wiki/contents/articles/21076.upgrading-the-pki-from-windows-server-2008-r2-to-windows-server-2012-different-host-name-part-1.aspx

The article below explains how to redirect the old CRL and AIA points of the old certification authority to the new CA's CRL and AIA points:
http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx

Mahesh
 

Author Comment

by:MAFinazzo
ID: 39929003
Mahesh,

Thank you for the response. You lost me a little in the section below, so on the destination server the hostname can be different? The IIS instance needs to have the name of the source server? Again, thanks for jumping in.

Migrate the CA to another server keeping the same CA name (you cannot change the CA name) and a different server name
http://technet.microsoft.com/en-us/library/dn486797.aspx - all steps outlined here

With this approach you can migrate the CA to a server with a different hostname.
Since the CRL and AIA are hardcoded with the old CA server name, you must provision an IIS instance somewhere and put your CA root certificate and CRL there, so that the hardcoded location can resolve to that IIS instance to get the CRL and AIA.
 
LVL 35

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 39929066
OK.
You cannot change the CA name once deployed.
But you can have the CA server name (not the CA name) different from the original CA server name if you want.

The only thing in that case is that your existing certificates issued by the old CA will not be able to check the CRL and AIA, as these two are hardcoded in the issued certificate properties with the old CA server name.
You can double-click your existing certificate on a client and go to the Details tab;
you will find this info there and also get a feel for what I am trying to say.

So, in order to be able to check the CRL and AIA for existing certificates at the new CA server location, you need to set up URL redirection at the DNS level, so that those old URLs will resolve to the new CA server's CRL and AIA locations.
Otherwise your existing certificates that were issued by the old CA will become invalid.

In order to work with DNS redirection and make the CRL and AIA available to old certificates with the new CA server, follow the steps in the article below:
http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx

The above article was already mentioned in my 1st comment.

My comment:
With this approach you can migrate the CA to a server with a different hostname.
Since the CRL and AIA are hardcoded with the old CA server name, you must provision an IIS instance somewhere and put your CA root certificate and CRL there, so that the hardcoded location can resolve to that IIS instance to get the CRL and AIA.

If you followed the above article and did the steps with DNS, then you can simply ignore this comment, as it is a separate approach.
In this comment, what I am doing:
I am installing IIS on a Windows-based server, creating the same path as my old CA CRL and AIA path, copying my .crl and +crl and CA root certificate to this location, and updating it manually periodically.
Now my existing issued certificates will be able to resolve the CRL and AIA locations as appropriate and remain valid.

If you do not want any hassles, you can simply migrate the CA from one server to another by keeping the same server name at source and destination.

Let me know if you have any confusion, please.

Mahesh
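As an added defender-side check, not part of this thread or of any Microsoft documentation, the PowerShell script below lists the CRL Distribution Point and AIA URLs embedded in each certificate in a store (the "hardcoded" locations both of Mahesh's comments refer to) and tests whether each HTTP location still answers, so that after the move you can confirm the DNS redirection or the IIS mirror is actually serving the CRL and CA certificate at the old names. It assumes the certificates of interest are in Cert:\LocalMachine\My and that the machine can reach the CRL/AIA hosts over HTTP.

```powershell
# Added example (not from the thread): enumerate the CRL Distribution Point and
# AIA URLs hardcoded into certificates in a store, then test whether each HTTP
# URL still answers. Run on a domain member holding certificates issued by the CA.
# Assumption: the certificates of interest are in Cert:\LocalMachine\My; pass
# -StorePath for another store (e.g. Cert:\CurrentUser\My).
param(
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

$CrlDpOid = '2.5.29.31'            # CRL Distribution Points extension
$AiaOid   = '1.3.6.1.5.5.7.1.1'    # Authority Information Access extension

function Get-ExtensionUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as multi-line text containing "URL=..."
    # entries; pull the URLs out of that text.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

$results = foreach ($cert in Get-ChildItem -Path $StorePath) {
    $urls = @(Get-ExtensionUrls -Cert $cert -Oid $CrlDpOid) +
            @(Get-ExtensionUrls -Cert $cert -Oid $AiaOid)
    foreach ($url in ($urls | Select-Object -Unique)) {
        # Only HTTP locations can be served by the IIS instance described in the
        # thread; LDAP locations are resolved through Active Directory instead.
        if ($url -notmatch '^http://') {
            [pscustomobject]@{ Subject = $cert.Subject; Url = $url; Status = 'LDAP/other (not tested)' }
            continue
        }
        try {
            $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
            $status = "HTTP $($resp.StatusCode)"
        } catch {
            # An unreachable CRL/AIA URL means chain building and revocation
            # checking for this certificate will fail after the migration.
            $status = "unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Subject = $cert.Subject; Url = $url; Status = $status }
    }
}

$results | Format-Table -AutoSize
```

For a single certificate file, `certutil -verify -urlfetch <cert.cer>` performs the equivalent retrieval test and also reports the status of each CRL and AIA location.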
 

Author Comment

by:MAFinazzo
ID: 39929084
OK!! I got it now.
 
LVL 61

Expert Comment

by:btan
ID: 39929135
I'm afraid not; to maintain continuity throughout the Active Directory, it is necessary to keep the same name. Consider a client with a certificate issued from the CA on Server A. That certificate directly references Server A, and whenever a validation check is performed on the certificate (either by the client or a different client), roughly speaking, a revocation status request will be sent to Server A. Assuming Server A no longer exists or has changed, the client's request will return "RPC Server Unavailable" and the certificate will be deemed invalid.

If the destination server is Windows Server 2008, it is supported to move the CA from one computer to a computer with a different host name. However, please remember that we cannot change the CA name. See "The CA name must stay the same." (again) for "Computer to computer with host name change".
