Solved

CA server migration from Windows 2003 to Windows 2012 R2

Posted on 2016-08-01
Last Modified: 2016-08-08
I have an internal root CA server that runs on Windows 2003, standalone, not connected to the network, to issue SHA-1 certificates. Is it possible for me to have another internal root CA server running on Windows 2012 R2, standalone, not connected to the network, to issue SHA-2 certificates?

This is so I can generate SHA-1 for legacy applications using the existing CA and generate SHA-2 using the new CA for the applications that are currently using SHA-1 but can support SHA-2.

What is the best practice to achieve this? Will both root CA servers run under different names or the same name? Can someone please advise me of the step-by-step to achieve this? I want to migrate to SHA-2 but at the same time I don't want to affect my existing root CA.

Also, how will I renew the certificates of the existing applications using the new Windows 2012 R2 CA so they can use SHA-2?

Many Thanks
Question by:Member_2_7969993
 
LVL 22

Expert Comment

by:yo_bee
ID: 41738363
If you stand up another stand-alone CA I do not think it will be an issue.
You will need to push out your new CA as a root CA for new renewals.
Once you have that pushed out you can generate a new CSR to register for a new cert.

What type of applications are you using this for?  If the only machine that has the cert is the server I am not seeing any issues.

I would like to have a little more insight on the project.
 

Author Comment

by:Member_2_7969993
ID: 41738560
The certificates are used for ISA/Exchange/Active Directory, all 2003 based, where I will install the SHA-2 hotfix. I also have a couple of legacy web-based applications and old firewalls that will require SHA-1 for the time being.
Can you please let me know the steps to push out the new 2012 CA as a root standalone CA for new renewals?
Should it have the same name as the Windows 2003 CA server, and does it require a CA config backup to be taken from 2003 and restored to 2012,
OR can this be a new name with a fresh config?
My current CA server is not connected to any network and I use USB to copy the issued certificates.
 
LVL 22

Accepted Solution

by:
yo_bee earned 500 total points
ID: 41738906
I would not recommend using the same name for the server.
When you stand up the 2012 stand-alone CA you will have a secondary Root CA in your environment.

Since the original Root CA server is not integrated with your domain there is no tie to the 2003 CA.
Think of this as if you went from VeriSign to GoDaddy.

You should be able to just request a new cert for each one of these servers and apply it.
Make sure you have a backup (exported private key) of each certificate you are looking to replace.

Prior to applying the new certificate, make sure you push out your new Root CA cert to all clients on your network. Once complete you can then start the process of requesting new certs from the new Root CA.
 

Author Comment

by:Member_2_7969993
ID: 41739345
If you can please provide some more info on the following:

What are the steps to export the private key and replace the certificate?
What are the steps to issue the new Root CA cert to all clients?

Also, can you please confirm the final steps:

Install new standalone server (2008 R2 or 2012 R2)

Install CA services and configure it as Root CA

Put the new Root CA cert on the clients that will support SHA-2 (Please provide the steps or link if possible)

Export the private key and replace the certificate (Please provide the steps or link if possible)

Issue the new Root CA cert to all clients (Please provide the steps or link if possible)

Keep using the Windows 2003 CA for the legacy applications we are using now.

I know I am asking for a lot of information so I will try to maximize the points when closing the case.
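The accepted answer and the step list above both come down to three tasks on each server that is moving to SHA-2: find the certificates that are still SHA-1 signed, back up their private keys before anything is replaced, and get the new root into the Trusted Root store of the clients that will trust it. The PowerShell below is an added example, not something posted in the thread, that does those three tasks from an elevated prompt on a Windows 2012 R2 host (it needs the PKI module cmdlets that ship with 2012 and later). The paths, the backup directory and the CA name are placeholders.

```powershell
# Added example (not from the thread): inventory SHA-1 server certificates, back up
# their private keys, and stage the new root CA certificate for trust distribution.
# Assumptions: run elevated on Windows 2012 R2 (PKI module cmdlets); the new root's
# public certificate has already been carried off the offline CA to C:\pki\NewRootCA.cer.
# All paths below are placeholders.

$BackupDir   = 'C:\pki\backup'
$NewRootCer  = 'C:\pki\NewRootCA.cer'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Find every certificate in the machine store that is still SHA-1 signed and
#    has a private key. These are the candidates for reissue from the new CA.
$sha1Certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.SignatureAlgorithm.FriendlyName -like 'sha1*' }

$sha1Certs |
    Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-Table -AutoSize

# 2. Back up each one (certificate plus private key) before it is replaced.
#    Export-PfxCertificate fails if the key was generated non-exportable; that is
#    reported rather than silently skipped, so the gap is known before cutover.
foreach ($cert in $sha1Certs) {
    $file = Join-Path $BackupDir ("{0}.pfx" -f $cert.Thumbprint)
    try {
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $PfxPassword | Out-Null
        Write-Host "Backed up $($cert.Subject) -> $file"
    } catch {
        Write-Warning "Could not export $($cert.Subject): $($_.Exception.Message)"
    }
}

# 3. Trust the new root on this host (the pilot / test IIS server). Importing into
#    LocalMachine\Root is exactly what the GPO does later for every client.
$newRoot = Import-Certificate -FilePath $NewRootCer -CertStoreLocation Cert:\LocalMachine\Root
if ($newRoot.SignatureAlgorithm.FriendlyName -notlike 'sha256*') {
    Write-Warning "New root is signed with $($newRoot.SignatureAlgorithm.FriendlyName), not SHA-256"
}

# 4. Domain-wide distribution. Publishing the root into AD (Enterprise Admins needed)
#    makes domain members pick it up automatically; alternatively import the .cer
#    under Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > Trusted Root Certification Authorities in a GPO linked to
#    the clients that will move to SHA-2. The legacy SHA-1-only systems simply stay
#    out of that GPO scope and keep trusting the 2003 root.
certutil -dspublish -f $NewRootCer RootCA
```

On the Windows 2003 servers themselves these cmdlets are not available; `certutil -store My` lists the store and `certutil -p <password> -exportPFX My <thumbprint> <file>.pfx` produces the same private-key backup. Keep the PFX files and their password off the servers they came from, since each one is a complete copy of a server identity.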
 
LVL 22

Expert Comment

by:yo_bee
ID: 41741451
I am out of commission today, but I will try and help the best I can tomorrow
 

Author Comment

by:Member_2_7969993
ID: 41742728
thanks so much :)
 

Author Comment

by:Member_2_7969993
ID: 41747005
Hi yo_bee,

Can you please have a look at this today.

Thanks,
 
LVL 22

Expert Comment

by:yo_bee
ID: 41747296
I am pretty busy with my job and will not be able to.

Since this is a stand-alone CA there is no harm in standing up another stand-alone CA in your infrastructure.

What I would do for testing is set up a test IIS server and request a cert from your current CA.
Once confirmed that the cert is valid, request a new cert from your new CA.

Like I said, since this is not integrated with your domain you have nothing to worry about.
The only thing you want to do is use Group Policy to push out your new Root CA to all clients.
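The pilot yo_bee describes, requesting a certificate for a test IIS server from the new CA, is the point where you prove the new root actually issues SHA-256 and that the resulting chain validates on a client that trusts it. The following is an added example, not code from the thread, of that round trip with `certreq`, including the USB hop the question describes for an offline CA. The host name `test-iis.corp.example`, the CA name `NEWCA\Corp Root CA v2`, the drive letter `E:\` and all paths are placeholders; the test server is assumed to be 2008 R2 or newer so it can use the CNG key storage provider.

```powershell
# Added example (not from the thread): request a SHA-256 certificate for a test IIS
# server from the new offline standalone CA, move request and certificate by USB,
# install it and verify the chain. Host name, CA name, drive letter and paths are
# placeholders; the IIS host is assumed to be 2008 R2 or newer.

# --- On the test IIS server ----------------------------------------------------
$Inf = @"
[NewRequest]
Subject = "CN=test-iis.corp.example"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = TRUE
KeyUsage = 0xa0
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}dns=test-iis.corp.example"
"@
Set-Content -Path C:\pki\test-iis.inf -Value $Inf
certreq -new C:\pki\test-iis.inf E:\test-iis.req      # key stays on this host

# --- On the offline 2012 R2 root CA (after carrying the USB stick over) --------
# Confirm the CA signs with SHA-256 before issuing anything. This key exists when the
# CA uses a CNG key storage provider; a CA on a legacy CSP exposes ca\csp\HashAlgorithm.
certutil -getreg ca\csp\CNGHashAlgorithm
# A standalone CA holds requests as pending until an administrator issues them.
certreq -submit -config "NEWCA\Corp Root CA v2" E:\test-iis.req E:\test-iis.cer
# If certreq reports the request as pending, issue it by its RequestId and fetch it:
#   certutil -resubmit <RequestId>
#   certreq -retrieve -config "NEWCA\Corp Root CA v2" <RequestId> E:\test-iis.cer

# --- Back on the test IIS server -----------------------------------------------
certreq -accept E:\test-iis.cer                       # joins the cert to its pending key

$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=test-iis.corp.example' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

# Build the chain the way a client would. Revocation checking is disabled here only
# because an offline root has no reachable CRL yet; see the note after the block.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($issued)

[pscustomobject]@{
    Subject   = $issued.Subject
    Issuer    = $issued.Issuer
    SigAlg    = $issued.SignatureAlgorithm.FriendlyName   # sha256RSA if the CA is set up right
    ChainOK   = $chainOk                                   # $false until the new root is trusted here
    ChainInfo = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
}
```

Two things this test surfaces that the thread does not spell out. First, `ChainOK` is false on any machine that has not yet received the new root, which is the same failure every client would see if a production certificate were swapped before the Group Policy push; run the pilot on a host that has and one that has not received the root to see both outcomes. Second, an offline root that is copied around by USB still needs its CRL published somewhere clients can reach (the CDP in the issued certificates, typically an HTTP location or AD); otherwise clients that check revocation, which Windows does by default for TLS, will reject the certificates as soon as revocation checking is left on.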
 

Author Closing Comment

by:Member_2_7969993
ID: 41747327
Many Thanks
 
LVL 22

Expert Comment

by:yo_bee
ID: 41747491
Did it work?
 

Author Comment

by:Member_2_7969993
ID: 41747557
I am still in the planning phase so gathering as much information as I can.
Thanks a lot.
 
LVL 22

Expert Comment

by:yo_bee
ID: 41747602
Like I said, if you stand up another server it will not hurt your environment.
