Link to home
Create AccountLog in
Avatar of ndalmolin_13
ndalmolin_13Flag for United States of America

asked on

PKI (Certificate Services) - Migrate or Start from Scratch

Hello Experts,

We have an existing two-tier PKI environment at work.  Both the offline root CA and the online SubCA are running Server 2012 R2.  Since Windows Server 2012 R2 goes end of life in October, we obviously need to move PKI operations to Server 2019.  In really digging into the existing PKI configuration, I have discovered that some elements of the existing PKI solution could have been done differently.  I'm thinking about starting from scratch with a new offline root CA and new issuing CAs.  My understanding is this can be done.  What are your thoughts on starting over?  If I did start over, would I revoke the existing certificates and put those in the new CAs CRL?

If I don't start over, my thought is to do the following:

1.  Migrate the offline root CA to a new server (there are lots of documents on how to do this).

2.  Stand up a new issuing CA.

3.  Stand up a web server to host the CRL and web operations related to PKI.

I'm looking for thoughts and opinions on the best coarse of action.  



Avatar of DEMAN-BARCELO (MVP) Thierry
Flag of France image


Start from scratch can be done when the number of emitted certificates is relatively low and no accesses depending highly on the PKI (As VPN, network restrictions, WIFI,...).

For the migration, you can do it migrating to new servers (but also migrating the servers to newest version of Windows).

Note that upgrading the servers, you will need to do some steps to improve your security and use new features.

In your situation, depending of the life duration of the root, I would probably upgrade the root, and creating a new On-line SubCA.

The important thing could be to maintain a specific web/url for the PKI/Crls independent of the PKI servers.

This URL should be referenced in existing/emitted certificates, so revoked certificates can be accessed and verified before and after migration.



I just did an in-place upgrade of a PKI environment that handles 150.000 users and I had no issues after. I went from 2012 R2 to 2019 and choose this route instead of a migration so admins in the enterprise don't have to import the new root and intermediate CAs on their non-domain joined devices. It involves a lot of communications and services might be disrupted using a migration.

You have to know how many networking equipment, Linux machines or anything that is not domain joined you have in your environment, because these will have to get the new root and intermediate certs. If this is not your case, then a migration will be good with an offline Root CA, one or two issuing CAs (depending on the number of devices), and one or two CRL/AIA/OCSP server(s).

Avatar of ndalmolin_13


So the website that has the PKI/CRLs is curranty on the SubCA running Server 2012 R2.  Can I move that to a dedicated web server?  I think I can as a FQDN was used in setting up the publication URLs as opposed to IP addresses of the server.  I think I would just have to repoint DNS.

Yes, you can move the crl website or better duplicate the data on the new website.

Take in account, that each Crl means 2 tasks in the CA.

- one to copy the files using the Windows permissions (for automatic updates)

- another to indicate the crl website ( if it is a new path)

How do I duplicate the data to the new website?  Is that done through IIS?

Avatar of Adrian Costea
Adrian Costea
Flag of Romania image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account

Yep.  I'm standing up some virtual machines as we speak to lab this up.  Thanks for your help.

The copy is not done by IIS, but just indicating the paths in the configuration of the authority.

As indicated in my precedent answer, you have to indicate/create:

- A remote path under the form "\\IISserver\Sharename$\folder". Where the authority will copy the updated files
- The webserver FQDN URL where the clients will find the CRL information.

Note that you have to do the same to publish the authority itself (Under AIA).

Thank you all for your help