Certificate Authority Migration

Hello, I have 2 tier PKI with an offline root certificate and a domain intermediate certificate, using Active directory certificate services. I would like to remove the old intermediate certificate servers and create a new one on a Hyper-v virtual machine with windows 2012 R2, would you please offer the simplest way to do so and how can I review the implementation when done, how to test and verify it is working properly..
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Not sure what your difficulty is.
You could first remove the intermediary you wish to remove as to no longer issue new certificates.
Setup the new VM with appropriate roles, bring up the offline root in order to sign the new intermediaries certificate, make sure to either extend the root cert, to allow the intermediary to issue certs for sometime...

Then include the new one in the CAs to which requests could be submitted, while configuring the crl publication....

How long is the intermediate CA certificate is valid for?
Guy LidbetterCommented:
Hi Infernum,

This is actually quite an easy task.

Build the new Intermediary, start up the offline root and attain the new intermediary servers certificate.
make sure it is issuing certificates successfully and that they are trusted.

This will essentially mean you have two working intermediary CA's.

then just uninstall the the CA role from the old intermediary and ensure any CA services objects for that server are removed from Sites and Services.
If you are unsure, this cleanup link will help you find where to look...

Once done, fully decommission the old server.

Its worth mentioning that it is recommended before uninstalling the CA role, you revoke all certs issued by that CA and publish the CRL. Its a good idea!!! But not essential, as long as the certificates are valid they will still work without the issuer being online.



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
not sure revoking is a good idea, though once decomissioned those certificates can not be voided. Though the root Ca can void the old intermediery cert.
Do not believe revoking the cert will trigger the re-enrollment.  Do not believe there is a way to force autoenrollment without the certificate having expired.
goign through each currently issued certificate by the old intermediate, after deactivating the old intermediate from issuing any more certs, to get a new certificate from the new intermediary, then you can issue the revocation  of all the certificates issued by this intermediary. As well as have the root CA revoke the intermediate's certificate.

Presumably the CRL is published by offline root Ca and the intermediary in a location accessible after either is retired/replaced.

On the offline root CA, it would be a good Idea to renew the root CA with a new Key prior to signing the new Intermediary CA cert.

Presumably the root CA public cert is published via GPO as trusted root CA.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.