Anyone? :/ I can only pass so much time making new wallpapers, after all...
I have an inordinate number of tabs open at the moment about migrating a certificate authority from an x86 2003 DC to an x64 2008R2 DC with a different name and they all look, well, involved. Anything involving registry edits on a domain controller makes me think that maybe there's an easier way.
Looking at my existing CA, the only certificates currently valid are for the SSL connection on our ePortal page - easy enough to redo with new certificates. There are no EFS certificates, no connection certificates, nothing else special.
Am I better off just destroying the existing CA and setting a new one up?
I'm at the same stage sonofsanta. I'm thinking of going down the nuke-and-reinstall-fresh option à la AngryTechnician's post here.
The only main SSL certificate I'm bothered about is already signed by an external source, so it's only a few other SSL sites on the old RM box, but as it's getting a fresh 2008 install it's not a problem, and if our RADIUS complains it won't be hard to redo.
Since you're not really using many certs and it's on a DC (don't do that in future - the DC adds greatly to the PITA for migration), I'd nuke it and go again.
But... if parents have whitelisted that ePortal cert signed by your in-house CA, you may cause yourself and the office phone calls. If you decide to nuke it, I'd buy a RealCert to prevent the phone calls.
Last edited by pete; 30th July 2012 at 07:30 PM.
Cool, I'll nuke mine tomorrow as planned then since it doesn't matter if anyone had our cert whitelisted as the old RM Easylink install will be nuked along with it.
Forgot I had this thread open.
Turns out that any certs issued by $originalCA that were still valid had been superseded by a proper SSL cert from GoDaddy anyway, so the nuclear option turned out to be far simpler. I then set up a new offline Enterprise Root CA, partly because it is good security practice, but mainly because that will be much easier to migrate in the future. My virtual DC is the Subordinate CA and does all the day to day work.
If it'd be useful, I can probably dig out the useful articles on nuking and rebuilding - I think technet has a good checklist on stripping an old CA out of AD (it lurks in more places than you'd expect), and I found a rather excellent blog post elsewhere that went through the process of building a root/subordinate infrastructure. It's not all that painful, though, and is doing the job just dandy for me now with HTTPS mode in SCCM2012.
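The step that made the nuclear option safe in the post above was checking that nothing still valid had been issued by the old CA. The PowerShell below is an added example (not from this thread or any poster) that does that inventory against the local certificate stores: it lists every certificate whose issuer matches the old CA's name, whether it is still within its validity period, and which template it came from, so you know what needs reissuing from the new subordinate CA or replacing with an external certificate before the old CA is removed. The issuer name `OLD-DC-CA` is a placeholder; substitute the name shown by the old CA's own certificate.

```powershell
# Added example: inventory certificates issued by a CA you intend to decommission.
# Assumption: the old CA's issuer DN contains the placeholder string 'OLD-DC-CA'.
# Run it on each server that matters (or push it out with Invoke-Command, see below).

function Get-CertsIssuedByCa {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $IssuerPattern,
        [string[]] $StoreLocations = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )

    # Both the v1 template name extension and the v2 template information
    # extension identify which template a certificate was enrolled from.
    $templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')
    $now = Get-Date

    foreach ($location in $StoreLocations) {
        # The Cert: drive returns store containers as well as certificates;
        # keep only the certificate objects.
        Get-ChildItem -Path $location -Recurse |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            Where-Object { $_.Issuer -like "*$IssuerPattern*" } |
            ForEach-Object {
                $cert = $_
                $template = $cert.Extensions |
                    Where-Object { $templateOids -contains $_.Oid.Value } |
                    ForEach-Object { $_.Format($false) }

                [pscustomobject]@{
                    Store      = $cert.PSParentPath -replace '.*::', ''
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    StillValid = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
                    Template   = ($template -join '; ')
                    Thumbprint = $cert.Thumbprint
                }
            }
    }
}

# Usage on the local machine: list everything, then call out what still needs attention.
$issued = Get-CertsIssuedByCa -IssuerPattern 'OLD-DC-CA'
$issued | Sort-Object NotAfter | Format-Table Store, Subject, NotAfter, StillValid, Template -AutoSize

$stillValid = @($issued | Where-Object StillValid)
if ($stillValid.Count -gt 0) {
    Write-Warning "$($stillValid.Count) certificate(s) from OLD-DC-CA are still valid; reissue or replace them before decommissioning."
} else {
    Write-Host 'Nothing still valid from OLD-DC-CA on this machine; safe to proceed here.'
}

# To survey several servers at once (placeholder names), run the same function remotely:
# Invoke-Command -ComputerName 'SRV01','SRV02' -ScriptBlock ${function:Get-CertsIssuedByCa} -ArgumentList 'OLD-DC-CA'
```

The check deliberately reads the machine and user stores rather than the CA database, because the question at decommission time is what each server actually presents, not what the old CA once issued; a certificate that is still in the CA database but no longer installed anywhere (the GoDaddy replacement case above) will not show up, which is the point.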