Re: Impact of removing only CA
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Wed, 22 Jul 2009 23:27:36 +0100
Hi
- Okay, first of all, is your policy allowing EFS? Do you have KRAs defined?
- EFS can be problematic... There is no back door into EFS; if you lose the key(s) to it, you lose your data unless you have KRAs.
- If you remove the old CA the certs will stop working on their expiry date. Some problems or errors that you might see are related to CRLs and AIA. If you remove the public CA key from trusted root CAs the certs will not be trusted and will stop working as well.
- Removing a CA from a domain is something that you may need to consider carefully before proceeding.
- The additional options are: Migrate the CA to a new server (if possible a dedicated server that is not a DC), then stop issuing certs until the expiration date comes. By doing that you'll have a CA to get those certs if needed and if you have a KRA defined.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services
"Chris" <Chris@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:B8AE095B-F576-420B-A11E-08AD70D57443@xxxxxxxxxxxxxxxx
I did read through the online version of that document. I see that you can
migrate (keeping the CA name). But it doesn't discuss removing the old CA
entirely and what the impact would be. I also did not see any info about
transitioning to an entirely new server with a new CA name. Let me know if
you think I missed something.
Chris
"Jorge Silva" wrote:
Hi
Read this
http://www.microsoft.com/downloads/details.aspx?FamilyID=C70BD7CD-9F03-484B-8C4B-279BC29A3413&displaylang=en
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services
"Chris" <Chris@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1A850FDB-F48A-461D-A5E1-4AE4BA876096@xxxxxxxxxxxxxxxx
> I currently have my CA installed on my Windows 2003 x86 Domain Controller. I
> want to migrate my current DC to new hardware running Windows 2008 x64. At
> the same time I want to migrate my CA to a different server with Windows 2008
> x64. We are not concerned with any certificates that we’ve manually issued
> for internal websites. We haven’t done much/any manual certificate
> publishing. But, we are concerned about clients that may have auto-enrolled
> with certificates.
>
> If we remove the CA and all certs residing on our current DC and then build
> a new CA server with a different name and “start over” with certificate
> services – should we be concerned about clients experiencing issues? I
> noticed that several EFS certificates show up as being published in the
> console, what happens for the users using those certificates?
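
An added example, not part of the original thread: a PowerShell inventory that can be run in a user's session before the old CA is retired, listing the certificates in that user's personal store that were issued by it, flagging EFS and File Recovery certificates, and showing when each expires. `OLD-CA-NAME` is a placeholder for the CA's common name, and the function names `Get-EkuOid` and `Get-OldCaCertificate` are hypothetical.

```powershell
# Added example (not from the thread). 'OLD-CA-NAME' is a placeholder.
$OldCaCommonName = 'OLD-CA-NAME'
$EfsOid          = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU
$RecoveryOid     = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery EKU

function Get-EkuOid {
    # Return the Enhanced Key Usage OIDs carried by a certificate.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

function Get-OldCaCertificate {
    # List certificates in a store whose issuer CN matches the CA being retired.
    param(
        [Parameter(Mandatory = $true)][string]$IssuerCN,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # GetNameInfo(..., $true) returns the issuer's simple name (its CN).
        if ($cert.GetNameInfo($nameType, $true) -ne $IssuerCN) { continue }
        $ekus = @(Get-EkuOid -Cert $cert)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysLeft      = [math]::Floor(($cert.NotAfter - $now).TotalDays)
            HasPrivateKey = $cert.HasPrivateKey
            IsEfs         = $ekus -contains $EfsOid
            IsRecovery    = $ekus -contains $RecoveryOid
        }
    }
}

# Soonest-expiring first; EFS rows mark users who hold an EFS certificate issued by that CA.
Get-OldCaCertificate -IssuerCN $OldCaCommonName |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, DaysLeft, HasPrivateKey, IsEfs, IsRecovery -AutoSize
```

Rows with `IsEfs` set identify users who hold an EFS certificate from the old CA, and the latest `NotAfter` among them is the date the reply above refers to when it suggests keeping the migrated CA available until the certificates expire.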