Windows Server 2008 R2 Thread, Creating a new CA instead of migrating 2003 x86 -> 2008R2 x64 in Technical
31st May 2012, 11:00 AM #1
Creating a new CA instead of migrating 2003 x86 -> 2008R2 x64
I have an inordinate number of tabs open at the moment about migrating a certificate authority from an x86 2003 DC to an x64 2008R2 DC with a different name and they all look, well, involved. Anything involving registry edits on a domain controller makes me think that maybe there's an easier way.
Looking at my existing CA, the only certificates currently valid are for the SSL connection on our ePortal page - easy enough to redo with new certificates. There's no EFS certificates, no connection certificates, nothing else special.
Am I better off just destroying the existing CA and setting a new one up?
31st May 2012, 02:19 PM #2
Anyone? :/ I can only pass so much time making new wallpapers, after all...
30th July 2012, 06:33 PM #3
I'm at the same stage, sonofsanta. I'm thinking of going down the nuke-and-reinstall-fresh option, à la AngryTechnician's post here.
The only main SSL certificate I'm bothered about is already signed by an external source, so it's only a few other SSL sites on the old RM box, but as it's getting a fresh 2008 install it's not a problem, and if our RADIUS complains it won't be hard to redo.
30th July 2012, 08:29 PM #4
Since you're not really using many certs and it's on a DC (don't do that in future - the DC adds greatly to the PITA for migration), I'd nuke it and go again.
But... if parents have whitelisted that ePortal cert signed by your in-house CA, you may cause yourself and the office phone calls. If you decide to nuke it, I'd buy a RealCert to prevent the phone calls.
Last edited by pete; 30th July 2012 at 08:30 PM.
30th July 2012, 08:42 PM #5
Cool, I'll nuke mine tomorrow as planned then since it doesn't matter if anyone had our cert whitelisted as the old RM Easylink install will be nuked along with it.
31st July 2012, 09:14 AM #6
Forgot I had this thread open.
Turns out that any certs issued by $originalCA that were still valid had been superseded by a proper SSL cert from GoDaddy anyway, so the nuclear option turned out to be far simpler. I then set up a new offline Enterprise Root CA, partly because it is good security practice, but mainly because that will be much easier to migrate in the future. My virtual DC is the Subordinate CA and does all the day to day work.
If it'd be useful, I can probably dig out the useful articles on nuking and rebuilding - I think TechNet has a good checklist on stripping an old CA out of AD (it lurks in more places than you'd expect), and I found a rather excellent blog post elsewhere that went through the process of building a root/subordinate infrastructure. It's not all that painful, though, and is doing the job just dandy for me now with HTTPS mode in SCCM2012.
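Added example, not from this thread or any of its posters: a read-only PowerShell inventory of the places an Enterprise CA publishes itself in Active Directory and in the local machine's trust stores, useful for checking what is left behind after the old CA has been removed. It assumes the RSAT ActiveDirectory module is installed and that `$OldCaName` is replaced with the old CA's common name (placeholder value).

```powershell
# Inventory where an old CA still lingers: AD Public Key Services containers
# and the local machine's Root/CA stores. Read-only, nothing is deleted.
Import-Module ActiveDirectory

$OldCaName = 'OLD-CA-NAME'   # placeholder: common name of the decommissioned CA

# Configuration naming context, e.g. CN=Configuration,DC=example,DC=local
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Sub-containers an Enterprise CA writes to when it is installed
$containers = 'Enrollment Services', 'Certification Authorities', 'AIA', 'CDP', 'KRA'

foreach ($c in $containers) {
    $base = "CN=$c,$pkiBase"
    # CDP nests CN=<server>\CN=<CA name>, so search the whole subtree
    $hits = Get-ADObject -SearchBase $base -SearchScope Subtree -Filter * |
            Where-Object { $_.Name -like "*$OldCaName*" }
    foreach ($h in $hits) {
        [pscustomobject]@{ Location = $c; Object = $h.DistinguishedName }
    }
}

# NTAuthCertificates is one object; its cACertificate attribute holds the
# certs of CAs trusted to issue logon certificates, so check each one
$ntauth = Get-ADObject "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
foreach ($raw in $ntauth.cACertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    if ($cert.Subject -like "*$OldCaName*") {
        [pscustomobject]@{ Location = 'NTAuthCertificates'; Object = $cert.Subject }
    }
}

# Machines that trusted the old root/intermediate keep a cached copy locally
foreach ($store in 'Root', 'CA') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like "*$OldCaName*" } |
        ForEach-Object {
            [pscustomobject]@{ Location = "LocalMachine\$store"; Object = $_.Thumbprint }
        }
}
```

An empty result from every section means the AD cleanup is complete on that machine; anything listed is a leftover to review before the new root/subordinate CAs are published.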