Avatar of infernum
 asked on

Certificate Authority Migration

Hello, I have 2 tier PKI with an offline root certificate and a domain intermediate certificate, using Active directory certificate services. I would like to remove the old intermediate certificate servers and create a new one on a Hyper-v virtual machine with windows 2012 R2, would you please offer the simplest way to do so and how can I review the implementation when done, how to test and verify it is working properly..
Windows Server 2012Hyper-VActive DirectoryEncryption

Avatar of undefined
Last Comment

8/22/2022 - Mon

Not sure what your difficulty is.
You could first remove the intermediary you wish to remove as to no longer issue new certificates.
Setup the new VM with appropriate roles, bring up the offline root in order to sign the new intermediaries certificate, make sure to either extend the root cert, to allow the intermediary to issue certs for sometime...

Then include the new one in the CAs to which requests could be submitted, while configuring the crl publication....

How long is the intermediate CA certificate is valid for?
Guy Lidbetter

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

not sure revoking is a good idea, though once decomissioned those certificates can not be voided. Though the root Ca can void the old intermediery cert.
Do not believe revoking the cert will trigger the re-enrollment.  Do not believe there is a way to force autoenrollment without the certificate having expired.
goign through each currently issued certificate by the old intermediate, after deactivating the old intermediate from issuing any more certs, to get a new certificate from the new intermediary, then you can issue the revocation  of all the certificates issued by this intermediary. As well as have the root CA revoke the intermediate's certificate.

Presumably the CRL is published by offline root Ca and the intermediary in a location accessible after either is retired/replaced.

On the offline root CA, it would be a good Idea to renew the root CA with a new Key prior to signing the new Intermediary CA cert.

Presumably the root CA public cert is published via GPO as trusted root CA.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck