4

Using the Microsoft CA is there any way to cut over to a new certificate authority from an intermediate authority?

Both my systems are Microsoft CAs - I have a 2008 R2 Enterprise CA (intermediate) and an old 2003 CA (root). The 2003 box bit the dust and I don't have good backups. I still have a few months before the CRL expires; instead of having to cut over to a new intermediate authority is there a ready way to simply point this intermediate authority to a new offline CA?

Tim Brigham

2 Answers

1

MS have good docs in this area, e.g.: Active Directory Certificate Services Migration Guide

Simon Catlin
  • I've already looked at those pages. Unless you can point me to a specific page of some use I don't think that will be much help. – Tim Brigham Sep 10 '12 at 20:52
  • The steps for an enterprise CA migration will be almost identical to swapping out your standalone root CA. Create a virtualised test rig with a backup of a DC and your CA(s) restored. – Simon Catlin Sep 10 '12 at 21:16
  • That appears to make the assumption that the offline root is available. Did I miss something? – Tim Brigham Sep 10 '12 at 22:09
1

Based on my research it does appear that it is possible to do this by adding the new CA to Active Directory, performing a "Reenroll All Certificate Holders" command on all automatically enrolled templates, and manually updating the web, etc., templates.

Since my organization had a CA on a box with a SharePoint installation, we went ahead and took this opportunity to split up those roles.

Shane's answer at Adding new root/enterprise CA without disturbing existing one? proved quite valuable for this process.

Tim Brigham
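As an added example that is not part of the question or either answer, the PowerShell below is what an administrator could run on a domain member while following the approach in the accepted answer: it lists the local machine certificates whose chain still terminates at the dead 2003 root (or at no self-signed root at all), so the re-enrollment step can be verified rather than assumed. The old root thumbprint, the path to the new root's exported `.cer`, and the `certutil` invocations shown in comments are assumptions and placeholders; only built-in `certutil` verbs and .NET X509 classes are used.

```powershell
# Added example, not from the original question or answers.
# Placeholders to replace before use (assumptions, not values from the page):
$OldRootThumbprint = 'REPLACE-WITH-OLD-2003-ROOT-THUMBPRINT'
$NewRootCer        = 'C:\PKI\NewOfflineRoot.cer'   # exported from the new offline root CA

# Step 1 (run once, as an Enterprise Admin): publish the new root into AD so
# domain members receive it as a trusted root. Built-in certutil verb:
#   certutil -dspublish -f $NewRootCer RootCA

# Step 2: inventory certificates that still chain to the old root, or whose
# chain cannot reach any self-signed root (the old root may already be gone
# from the local store). Revocation checking is disabled because the old
# root's CRL may no longer be reachable and that is not what is being tested.
function Get-CertsNeedingReenroll {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($cert)

        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $reachedRoot = ($top.Subject -eq $top.Issuer)   # self-signed = a real root

        # Certificate Template extension (szOID_CERTIFICATE_TEMPLATE) identifies
        # which template issued the cert, i.e. which template must be re-published.
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }

        if (-not $reachedRoot -or $top.Thumbprint -eq $OldRootThumbprint) {
            [pscustomobject]@{
                Subject     = $cert.Subject
                Template    = $template
                Expires     = $cert.NotAfter
                ChainTop    = $top.Subject
                Thumbprint  = $cert.Thumbprint
            }
        }
        $chain.Reset()
    }
}

Get-CertsNeedingReenroll | Format-Table -AutoSize

# Step 3 (after the templates have been re-published with
# "Reenroll All Certificate Holders"): force an autoenrollment pass on this
# machine instead of waiting for the next Group Policy refresh, then re-run
# Get-CertsNeedingReenroll; the list should be empty.
#   certutil -pulse
```

Running the function before and after the re-enrollment gives a concrete check that every auto-enrolled certificate now chains to the new root, and the `Template` column points at any manually managed templates (web server, etc.) that still need attention.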