Link to home
Create AccountLog in
Avatar of infernum
infernum

asked on

Certificate Authority Migration

Hello, I have 2 tier PKI with an offline root certificate and a domain intermediate certificate, using Active directory certificate services. I would like to remove the old intermediate certificate servers and create a new one on a Hyper-v virtual machine with windows 2012 R2, would you please offer the simplest way to do so and how can I review the implementation when done, how to test and verify it is working properly..
Avatar of arnold
arnold
Flag of United States of America image

Not sure what your difficulty is.
You could first remove the intermediary you wish to remove as to no longer issue new certificates.
Setup the new VM with appropriate roles, bring up the offline root in order to sign the new intermediaries certificate, make sure to either extend the root cert, to allow the intermediary to issue certs for sometime...

Then include the new one in the CAs to which requests could be submitted, while configuring the crl publication....

How long is the intermediate CA certificate is valid for?
ASKER CERTIFIED SOLUTION
Avatar of Guy Lidbetter
Guy Lidbetter
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
not sure revoking is a good idea, though once decomissioned those certificates can not be voided. Though the root Ca can void the old intermediery cert.
Do not believe revoking the cert will trigger the re-enrollment.  Do not believe there is a way to force autoenrollment without the certificate having expired.
goign through each currently issued certificate by the old intermediate, after deactivating the old intermediate from issuing any more certs, to get a new certificate from the new intermediary, then you can issue the revocation  of all the certificates issued by this intermediary. As well as have the root CA revoke the intermediate's certificate.

Presumably the CRL is published by offline root Ca and the intermediary in a location accessible after either is retired/replaced.

On the offline root CA, it would be a good Idea to renew the root CA with a new Key prior to signing the new Intermediary CA cert.

Presumably the root CA public cert is published via GPO as trusted root CA.