asked on
Certificate Authority Migration
Hello, I have 2 tier PKI with an offline root certificate and a domain intermediate certificate, using Active directory certificate services. I would like to remove the old intermediate certificate servers and create a new one on a Hyper-v virtual machine with windows 2012 R2, would you please offer the simplest way to do so and how can I review the implementation when done, how to test and verify it is working properly..
Windows Server 2012Hyper-VActive DirectoryEncryption
Last Comment
arnold
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
not sure revoking is a good idea, though once decomissioned those certificates can not be voided. Though the root Ca can void the old intermediery cert.
Do not believe revoking the cert will trigger the re-enrollment. Do not believe there is a way to force autoenrollment without the certificate having expired.
goign through each currently issued certificate by the old intermediate, after deactivating the old intermediate from issuing any more certs, to get a new certificate from the new intermediary, then you can issue the revocation of all the certificates issued by this intermediary. As well as have the root CA revoke the intermediate's certificate.
Presumably the CRL is published by offline root Ca and the intermediary in a location accessible after either is retired/replaced.
On the offline root CA, it would be a good Idea to renew the root CA with a new Key prior to signing the new Intermediary CA cert.
Presumably the root CA public cert is published via GPO as trusted root CA.
Do not believe revoking the cert will trigger the re-enrollment. Do not believe there is a way to force autoenrollment without the certificate having expired.
goign through each currently issued certificate by the old intermediate, after deactivating the old intermediate from issuing any more certs, to get a new certificate from the new intermediary, then you can issue the revocation of all the certificates issued by this intermediary. As well as have the root CA revoke the intermediate's certificate.
Presumably the CRL is published by offline root Ca and the intermediary in a location accessible after either is retired/replaced.
On the offline root CA, it would be a good Idea to renew the root CA with a new Key prior to signing the new Intermediary CA cert.
Presumably the root CA public cert is published via GPO as trusted root CA.
You could first remove the intermediary you wish to remove as to no longer issue new certificates.
Setup the new VM with appropriate roles, bring up the offline root in order to sign the new intermediaries certificate, make sure to either extend the root cert, to allow the intermediary to issue certs for sometime...
Then include the new one in the CAs to which requests could be submitted, while configuring the crl publication....
How long is the intermediate CA certificate is valid for?