We help IT Professionals succeed at work.

Certificate Authority Migration

Last Modified: 2015-09-23
Hello, I have 2 tier PKI with an offline root certificate and a domain intermediate certificate, using Active directory certificate services. I would like to remove the old intermediate certificate servers and create a new one on a Hyper-v virtual machine with windows 2012 R2, would you please offer the simplest way to do so and how can I review the implementation when done, how to test and verify it is working properly..
Watch Question

Distinguished Expert 2019

Not sure what your difficulty is.
You could first remove the intermediary you wish to remove as to no longer issue new certificates.
Setup the new VM with appropriate roles, bring up the offline root in order to sign the new intermediaries certificate, make sure to either extend the root cert, to allow the intermediary to issue certs for sometime...

Then include the new one in the CAs to which requests could be submitted, while configuring the crl publication....

How long is the intermediate CA certificate is valid for?
Top Expert 2015
This one is on us!
(Get your first solution completely free - no credit card required)
Distinguished Expert 2019

not sure revoking is a good idea, though once decomissioned those certificates can not be voided. Though the root Ca can void the old intermediery cert.
Do not believe revoking the cert will trigger the re-enrollment.  Do not believe there is a way to force autoenrollment without the certificate having expired.
goign through each currently issued certificate by the old intermediate, after deactivating the old intermediate from issuing any more certs, to get a new certificate from the new intermediary, then you can issue the revocation  of all the certificates issued by this intermediary. As well as have the root CA revoke the intermediate's certificate.

Presumably the CRL is published by offline root Ca and the intermediary in a location accessible after either is retired/replaced.

On the offline root CA, it would be a good Idea to renew the root CA with a new Key prior to signing the new Intermediary CA cert.

Presumably the root CA public cert is published via GPO as trusted root CA.
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.