  1. #1

    AngryTechnician

    Migrating internal Certificate Authority to new server

    I'm after some advice from anyone with experience of moving the Certificate Authority in Windows Server to a new server, as I'm about to do so on my network.

    Right now I am most of the way through scrapping our RM CC3 system in favour of a vanilla Server 2008 R2/Windows 7 system. The time has almost come to switch off the last RM server; the last two things I need to do are to transfer the Operations Master role (which seems easy peasy) and the slightly more daunting task of moving the Certificate Authority.

    I've read this quick guide as well as the not so quick Active Directory Certificate Services Migration Guide on TechNet, which frankly makes the process seem more complicated than finding the Higgs boson.

    An alternate option I have seen proposed is to set up a new CA and run it in parallel with the old one while I switch all the machines that currently use certificates to the new CA. Given that 99% of the existing certificates are computer auto-enrolment certificates, this doesn't seem like a bad idea.

    Has anyone here done this before and can offer any words of wisdom?
    Last edited by AngryTechnician; 12th August 2010 at 03:56 PM.

  2. #2


    I'm planning to nuke ours from orbit and rebuild/reimport existing certs into AD as trusted as a stopgap. It's on a DC that's also being decommissioned which makes it doubly annoying to work on. I also read those while I was researching and concluded it would be faster for me to just rebuild from scratch.

    However, our only certs are for Wireless Auth, RADIUS for a couple of things and a handful of internal certs for things like EFS decryption. If you're using user certs as well, that may not be an option.

  3. #3

    AngryTechnician
    I think mine is used for even less than yours, since we have no wireless at present. Aside from a couple of internal web server and DC certificates, I don't think the computer certificates are even used for anything.

  4. #4

    Having just set up a new CA (rather than reuse the existing one that I'd previously set up) for our SCCM install (gahhh!) I'd say that it's probably just easier to set up a new CA and issue new certificates manually for the few that may need that.

  5. #5

    AngryTechnician
    Well, I've decided to go down the new CA route; have installed a new Enterprise CA into Active Directory this morning and am now going through removing computer certificates on the servers and allowing them to pick up a new one via auto-enrolment. Seems to be going fairly smoothly so far...
