Link to home
Start Free TrialLog in
Avatar of Silver_Power
Silver_PowerFlag for Canada

asked on

Microsoft NPS, Redundancy

Hello Experts,


Can an NPS Subordinate CA be promoted/changed to Root CA, if the Root CA is not available?  If so, can you please direct me to where I can find instructions.

Thanks in advance.
Avatar of kevinhsieh
kevinhsieh
Flag of United States of America image

Microsoft NPS is generally known as Network Policy Server, aka RADIUS. It has nothing to do with Microsoft Certificate Services.

The general recommendation is to take your root CA offline, and issue all certificates from a subordinate CA. That way, if the private keys ever get leaked, it it from the subordinate CA, and you can revoke it's certificate and all certificates it has issued, and setup a new subordinate CA that is signed by the root CA.
Avatar of Silver_Power

ASKER

Hi Kevin,

Yes you are right.  My apologies, I may not have made myself clear.   Microsoft AD CS is part of Microsoft NPS, and during installation, it prompts one to select Root CA or Subordinate CA, hence my question.  

Please indulge me as I rephrase my question, in the event of the Root CA server crashing, can a Subordinate CA server be promoted to a Root CA?  Thanks.
ASKER CERTIFIED SOLUTION
Avatar of kevinhsieh
kevinhsieh
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
It appears that we are trying to do is just not doable, and we have to look at other method.