Migrating internal Certificate Authority to new server
I'm after some advice from anyone with experience of moving the Certificate Authority in Windows Server to a new server, as I'm about to do so on my network.
Right now I am most of the way through scrapping our RM CC3 system in favour of a vanilla Server 2008 R2/Windows 7 system. The time has almost come to switch off the last RM server; the last two things I need to do are to transfer the Operations Master role (which seems easy peasy) and the slightly more daunting task of moving the Certificate Authority.
An alternate option I have seen proposed is to set up a new CA and run it in parallel with the old one while I switch all the machines that currently use certificates to the new CA. Given that 99% of the existing certificates are computer auto-enrolment certificates, this doesn't seem like a bad idea.
Has anyone here done this before and can offer any words of wisdom?
Last edited by AngryTechnician; 12th August 2010 at 03:56 PM.
I'm planning to nuke ours from orbit and rebuild/reimport existing certs into AD as trusted as a stopgap. It's on a DC that's also being decommissioned which makes it doubly annoying to work on. I also read those while I was researching and concluded it would be faster for me to just rebuild from scratch.
However, our only certs are for Wireless Auth, Radius for a couple of things and a handful of internal certs for things like EFS decryption. If you're using user certs as well, that may not be an option.
I think mine is used for even less than yours, since we have no wireless at present. Aside from a couple of internal web server and DC certificates, I don't think the computer certificates are even used for anything.
Having just set up a new CA (rather than reuse the existing one that I'd previously set up) for our SCCM install (gahhh!), I'd say that it's probably just easier to set up a new CA and issue new certificates manually for the few that may need that.
Well, I've decided to go down the new CA route; have installed a new Enterprise CA into Active Directory this morning and am now going through removing computer certificates on the servers and allowing them to pick up a new one via auto-enrolment. Seems to be going fairly smoothly so far...
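A small inventory script for the approach described in this thread, added here as an example and not posted by anyone in the thread. It lists the machine's personal certificates by issuing CA so you can see which hosts still hold certificates from the old CA, and checks that the new CA's root has reached the Trusted Root store; the two CA names are placeholders, and the script is written for the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example: report which LocalMachine certificates were issued by the old CA
# versus the new one, so migration progress can be tracked per host.
# Placeholders: replace with the CN of the CA being retired and of the new Enterprise CA.
param(
    [string]$OldCaName = 'OLD-CA-PLACEHOLDER',
    [string]$NewCaName = 'NEW-CA-PLACEHOLDER'
)

$now   = Get-Date
$certs = Get-ChildItem -Path Cert:\LocalMachine\My

$report = foreach ($cert in $certs) {
    # Issuer is an X.500 string such as "CN=MyCA, DC=example, DC=local"; take the CN only
    $issuerCn = (($cert.Issuer -split ',')[0] -replace '^\s*CN=', '').Trim()
    $status = 'OTHER'
    if ($issuerCn -eq $OldCaName) { $status = 'OLD-CA' }
    elseif ($issuerCn -eq $NewCaName) { $status = 'NEW-CA' }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        IssuerCN   = $issuerCn
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
        Status     = $status
    }
}

$report | Sort-Object Status, Subject |
    Format-Table Status, IssuerCN, Subject, NotAfter, Expired -AutoSize

# The new root must be trusted before clients will accept certificates it issues.
# In an Enterprise CA setup this is normally published via Active Directory / group policy.
$trustedRoot = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$NewCaName*" }
if ($trustedRoot) {
    Write-Output "New CA root '$NewCaName' is present in the Trusted Root store."
} else {
    Write-Warning "New CA root '$NewCaName' not found in Trusted Root store; group policy may not have applied yet."
}

# Certificates still chained to the old CA: these are the ones to replace before the old server is switched off.
$stillOld = @($report | Where-Object { $_.Status -eq 'OLD-CA' })
Write-Output ("{0} certificate(s) on this host still issued by '{1}'." -f $stillOld.Count, $OldCaName)
```

Run it on a few servers after removing the old certificates; once auto-enrolment has issued replacements (`certutil -pulse` triggers an enrolment cycle immediately rather than waiting for the next policy refresh), the OLD-CA count should drop to zero before the old CA is decommissioned.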