Gene Weeg asked:

Root Certificate change on domain controller

I have certificate called LESDDC02-CA and it has an expiration date of 1/25/2046.  Due to some recent security changes I need to modify or create a new cert identical to this one with an expiration date of fewer than 650 days.  Main driving point behind this is that Apple recently imposed cert restrictions within their new OS that does not allow certs that have expiration dates further than 768 days.

arnold

This is a self-signed issued CA. To do what you want, you likely have to set up a new CA.


I think you actually are misreading the issue.
As a simple counter: unless your certificate was generated/created after Sep 1 2020, you are in the clear.
Further, the bulletin does not apply to the CA certificate but to the certificates issued to servers, users, etc.

https://support.apple.com/en-us/HT211025

I.e. you have on Sep 2 2020 renewed a certificate for two resources:
students.lesd.k12.az.us that is valid for 2 years, till Sep 2 2022
parents.lesd.k12.az.us that is valid for 5 years, till Sep 2 2025
With a parent and a child using the same Apple products, the child has no issues accessing their designated site, while the parent runs into the issue addressed in the bulletin.

The remedy in such a circumstance is to revoke the parents.lesd.k12.az.us certificate and issue a new one with a shorter validity.

Pick any CA root certificate and you will see they are valid 10/20 years commonly.

With all said, you are in the clear and are not impacted by the Apple bulletin. It does not apply to the INTERNAL ROOT CA.
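The triage arnold describes, as an added example that is not part of the thread: a self-signed or CA certificate is out of scope, a certificate issued before Sep 1 2020 is unaffected, and anything in scope whose validity exceeds the day limit should be revoked and reissued. The `Cert` records, the start dates and the 768-day limit passed in (the figure quoted in the question, not a statement of Apple's current limit) are constructed assumptions for the run.

```python
from dataclasses import dataclass
from datetime import date

# Issuance cutoff named in the reply: only certificates issued on or after
# this date are in scope of the Apple bulletin (HT211025).
BULLETIN_CUTOFF = date(2020, 9, 1)

@dataclass
class Cert:
    subject: str
    not_before: date
    not_after: date
    is_ca: bool = False        # True for an issuing CA certificate
    self_signed: bool = False  # True for a root such as LESDDC02-CA

def validity_days(cert: Cert) -> int:
    """Whole days between notBefore and notAfter."""
    return (cert.not_after - cert.not_before).days

def bulletin_status(cert: Cert, max_days: int) -> str:
    """Classify one certificate against the rules in the reply:
      'out-of-scope' : CA / self-signed root, not covered by the bulletin
      'pre-cutoff'   : issued before the cutoff, unaffected
      'ok'           : in scope, validity within max_days
      'reissue'      : in scope, validity too long; revoke and reissue shorter
    """
    if cert.is_ca or cert.self_signed:
        return "out-of-scope"
    if cert.not_before < BULLETIN_CUTOFF:
        return "pre-cutoff"
    if validity_days(cert) <= max_days:
        return "ok"
    return "reissue"

def certs_to_reissue(certs, max_days: int):
    """Subjects that need a shorter-lived replacement certificate."""
    return [c.subject for c in certs if bulletin_status(c, max_days) == "reissue"]

# Constructed inventory mirroring the thread's examples (dates are assumptions).
SAMPLE = [
    Cert("LESDDC02-CA", date(2016, 1, 25), date(2046, 1, 25), is_ca=True, self_signed=True),
    Cert("students.lesd.k12.az.us", date(2020, 9, 2), date(2022, 9, 2)),
    Cert("parents.lesd.k12.az.us", date(2020, 9, 2), date(2025, 9, 2)),
    Cert("legacy.example.internal", date(2019, 6, 1), date(2024, 6, 1)),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.subject:28} {validity_days(c):5d} days  {bulletin_status(c, 768)}")
```

Pass the limit from the current bulletin instead of 768 to re-run the triage against whatever figure applies at the time.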
Gene Weeg (asker)

I have 2 DCs.  LESDDC01 and LESDDC02.  LESDDC02 is the current AD CS.  Would I then be able to install the AD CS role on LESDDC01 without causing issues?

ASKER CERTIFIED SOLUTION
arnold
Just stumbled across something else.  So here is what I did.

1. Grabbed a new Mac off the shelf.
2. Installed the Root Cert "LESDDC02-CA".
3. Everything worked fine.
4. Then found out another cert needs to be installed called "iBossCA". This is an intermediate cert for our web filtering. I get the following error just going to yahoo.com.

Here is the cert information that I have found.

The web filtering cert and agent is what is triggering this warning about a weak key.

This is nothing.
This is merely a warning from most "security aware" software that you are using http://yahoo.com versus ...

Consider it this way.
You are about to walk into a building, but a person is standing outside. The person cuts you off at "Hi, I" and says: please note you are speaking in a public space. Do you want to continue to speak, or should we enter and talk?

Since HTTP is unsecured, the unencrypted data flow can be observed. So if you type
"where is X" and the line is observed, your IP will have "where is X" as a searched item.
But if you accept this warning and proceed, at which point you will be redirected to https://www.yahoo.com,
and you submit the same search "where is X",
only Google (if not mistaken, the backend on which VZ's Yahoo relies) will know that your IP searched for this term.
https://www.seoreseller.com/blog/yahoo-inks-deal-to-display-google-search-results

Soon, they will force everyone to buy a cert for their personal web site!