Silver_Power
asked on
Microsoft NPS, Redundancy
Hello Experts,
Can an NPS Subordinate CA be promoted/changed to Root CA, if the Root CA is not available? If so, can you please direct me to where I can find instructions.
Thanks in advance.
ASKER
Hi Kevin,
Yes you are right. My apologies, I may not have made myself clear. Microsoft AD CS is part of Microsoft NPS, and during installation, it prompts one to select Root CA or Subordinate CA, hence my question.
Please indulge me as I rephrase my question: in the event of the Root CA server crashing, can a Subordinate CA server be promoted to a Root CA? Thanks.
ASKER CERTIFIED SOLUTION
ASKER
It appears that what we are trying to do is just not doable, and we have to look at another method.
The general recommendation is to take your root CA offline, and issue all certificates from a subordinate CA. That way, if the private keys ever get leaked, it is from the subordinate CA, and you can revoke its certificate and all certificates it has issued, and set up a new subordinate CA that is signed by the root CA.
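
An added example, not part of the thread and not AD CS tooling: it uses OpenSSL (an assumption; the thread concerns Microsoft AD CS) with made-up names to rebuild the hierarchy recommended in the last post. It shows that a subordinate's certificate is signed by the root rather than self-signed, so OpenSSL's default chain verification does not accept it as the only trust anchor, while a replacement subordinate signed by the same root is trusted with no change on the client side.

```shell
# Constructed demo PKI built with OpenSSL; every name and file below is made up.
make_root() {  # self-signed root: the one certificate clients install as trust anchor
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

issue() {  # issue DIR SIGNER NAME CN [ca]: certificate for NAME signed by SIGNER's key
    dir=$1; signer=$2; name=$3; cn=$4; ext=""
    [ "$5" = ca ] && ext="-extfile $dir/ca.cnf -extensions v3_ca"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/$name.csr" -days 30 $ext \
        -CA "$dir/$signer.pem" -CAkey "$dir/$signer.key" -CAcreateserial \
        -out "$dir/$name.pem" 2>/dev/null
}

chain_ok() {  # chain_ok ANCHOR LEAF [INTERMEDIATE]: status 0 only if LEAF chains to ANCHOR
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

d=$(mktemp -d)
make_root "$d"
issue "$d" root sub1 "Demo Issuing CA 1" ca       # subordinate, signed by the root
issue "$d" sub1 nps "nps.example.test"            # server cert, signed by sub1
chain_ok "$d/root.pem" "$d/nps.pem" "$d/sub1.pem" && echo "anchor=root via sub1: trusted"
chain_ok "$d/sub1.pem" "$d/nps.pem" || echo "anchor=sub1 alone: rejected, chain is incomplete"
issue "$d" root sub2 "Demo Issuing CA 2" ca       # replacement subordinate, same root
issue "$d" sub2 nps2 "nps.example.test"
chain_ok "$d/root.pem" "$d/nps2.pem" "$d/sub2.pem" && echo "anchor=root via sub2: trusted"
```

Signing `sub2` needs `root.key`, which is why the root's private key has to survive (offline and backed up) for the recovery path in the last post to work.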