Windows Server 2008 R2 Thread: Creating a new CA instead of migrating 2003 x86 -> 2008R2 x64 (forum: Technical)
  1. #1 sonofsanta

    Question: Creating a new CA instead of migrating 2003 x86 -> 2008R2 x64

    I have an inordinate number of tabs open at the moment about migrating a certificate authority from an x86 2003 DC to an x64 2008R2 DC with a different name and they all look, well, involved. Anything involving registry edits on a domain controller makes me think that maybe there's an easier way.

    Looking at my existing CA, the only certificates currently valid are for the SSL connection on our ePortal page - easy enough to redo with new certificates. There's no EFS certificates, no connection certificates, nothing else special.

    Am I better off just destroying the existing CA and setting a new one up?

  2. #2 sonofsanta

    Anyone? :/ I can only pass so much time making new wallpapers, after all...

  3. #3 Boredguy

    I'm at the same stage sonofsanta. I'm thinking of going down the nuke and reinstall fresh option, à la AngryTechnician's post here.

    The only main SSL certificate I'm bothered about is already signed by an external source, so it's only a few other SSL sites on the old RM box, but as it's getting a fresh 2008 install it's not a problem, and if our RADIUS complains it won't be hard to redo.

  4. #4 pete

    Since you're not really using many certs and it's on a DC (don't do that in future - the DC adds greatly to the PITA for migration), I'd nuke it and go again.

    But... if parents have whitelisted that ePortal cert signed by your in-house CA, you may cause yourself and the office phone calls. If you decide to nuke it, I'd buy a RealCert to prevent the phone calls.
    Last edited by pete; 30th July 2012 at 07:30 PM.

  5. #5 Boredguy

    Cool, I'll nuke mine tomorrow as planned then since it doesn't matter if anyone had our cert whitelisted as the old RM Easylink install will be nuked along with it.

  6. #6 sonofsanta

    Forgot I had this thread open.

    Turns out that any certs issued by $originalCA that were still valid had been superseded by a proper SSL cert from GoDaddy anyway, so the nuclear option turned out to be far simpler. I then set up a new offline Enterprise Root CA, partly because it is good security practice, but mainly because that will be much easier to migrate in the future. My virtual DC is the Subordinate CA and does all the day to day work.

    If it'd be useful, I can probably dig out the useful articles on nuking and rebuilding. I think TechNet has a good checklist on stripping an old CA out of AD (it lurks in more places than you'd expect), and I found a rather excellent blog post elsewhere that went through the process of building a root/subordinate infrastructure. It's not all that painful, though, and is doing the job just dandy for me now with HTTPS mode in SCCM 2012.
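As an added example (not sonofsanta's code, nor from the TechNet checklist or blog post mentioned above): a PowerShell check of the Active Directory locations where a manually removed enterprise CA tends to linger, so the nuked CA can be verified as gone before the new root/subordinate pair is built. It assumes the ActiveDirectory module is installed, that the caller can read the Configuration partition, and uses a placeholder for the old CA's common name.

```powershell
# Added example: find leftovers of a decommissioned enterprise CA in AD.
# Assumes the ActiveDirectory module and read access to the Configuration NC.
param([string]$OldCaName = 'OLD-CA-NAME')   # placeholder: the old CA's common name

Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Containers an enterprise CA writes to at setup time; each must be empty of
# the old CA once it has been removed, or clients keep finding stale pointers.
$containers = @(
    "CN=Certification Authorities,$pkiBase",   # trusted root CA certificates
    "CN=Enrollment Services,$pkiBase",         # pKIEnrollmentService objects (auto-enrollment)
    "CN=AIA,$pkiBase",                         # Authority Information Access certificates
    "CN=CDP,$pkiBase"                          # CRL distribution points
)

$leftovers = foreach ($c in $containers) {
    Get-ADObject -SearchBase $c -SearchScope Subtree -Filter "Name -like '*$OldCaName*'" |
        Select-Object Name, ObjectClass, DistinguishedName
}

# NTAuthCertificates is a single object whose multi-valued cACertificate attribute
# lists every CA trusted to issue logon/smart-card certificates. A stale entry here
# means the old CA's key would still be trusted for authentication.
$ntauth = Get-ADObject "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
foreach ($raw in $ntauth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    if ($cert.Subject -like "*$OldCaName*") {
        [pscustomobject]@{ Name = $cert.Subject; ObjectClass = 'NTAuth entry'; DistinguishedName = $cert.Thumbprint }
    }
}

if ($leftovers) { $leftovers | Format-Table -AutoSize } else { "No objects matching '$OldCaName' under $pkiBase" }
```

Run it from a domain-joined box as an Enterprise Admin; anything it lists is something the uninstall did not clean up and should be removed (or, for NTAuth, pruned) before the replacement root and subordinate CAs publish their own objects.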
