Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Bulding New CA 1

Status
Not open for further replies.

Neily

Programmer
Jul 27, 2000
342
GB
We replaced our DCs a while back, of which one of them was our CA as well.

We've still got the machine but obviously can't put it back on the domain.

We also no longer want the CA named what it is (i.e. the computer name!).

We attempted a backup and restore of the CA, but this wasn't done to a machine of the same name so we have ended up without a CA. We are now attempting to build a new CA to replace the old one, but when trying to get a IIS Web Certificate, we can't select the "send the request immediately to an online certification authority" and when doing the "prepare the request now, but send it later" option we can't get a .cer file to import into IIS to complete the certificate application.

So I'm looking for some advice about how to replace a CA but we have sites that require their certificates so we can't afford to mess this up and have downtime.

BTW - the CA we attempted to restore to has problems with templates but can see all issued and revoked (etc) certificates.

PLEASE HELP!!
 
1. Build the new CA and do not run the restore wiz. You will have to issue new certificates on the domain.
2. The symptoms make me think that it is not a domain member. The templates need to be published to AD if you are using an enterprise CA, but you must also purge the old templates from AD.
Microsoft has a doc that details how to decommission a CA. Name the Root CA Highlander, there can be only one and until that info gets released the DC will continue to look for it.

How to decommission a CA and remove all related objects.

certutil is a great tool. Should be loaded on the CA, if not install RKtools or admin pak. I think one of them has it. If not let me know and I'll send the package to you.

I think once you get rid of the old objects, then restart CA services the templates should populate. If not try this white paper for information.




Jim Bowen, MCSE, Network+
Carpe fermentum
 
That's what we thought, but it looks like some down time will need to be scheduled.

Can I run an idea past you though?

If I were to DCPROMO the old CA DC and thus remove AD from it, that should leave the box as a CA correct? Could I then re-connect it to the domain and have it active as the CA again?

If we want to replace a CA (assuming the above works) do we have to decommission the old one anyway and then issue new certificates? In which case we are better off doing as above.

I take it we have to remove the old one before installing the new one!

THANKS
 
Microsoft views more than one ROOTCA in a forest as "unsupportable". You can have multiple issuing CA's but only one root.

We had a DC running certificate services in our test lab. Everything went great until we started using CEP to get device certificates. DC's by nature do not like to have IIS running and it caused problems. If it were up to me and I had the time and resources I would decom the CA and rebuild from scratch. Who knows what can happen during the demotion of the DC and AD uninstall. You may end up with a chattering CA that wants to be the domain master browser. Anything can happen I guess.

Anytime a CA is removed permanently from the domain it is best practice to decommission it as well. Just when you think everything is working great, something will do a certificate status check and realize it is invalid. Then your whole domain goes down. The variables get too great at some point and best to just do it right...or never plan on a vacation.

Jim Bowen, MCSE, Network+
Carpe fermentum
 
Thanks once again for your reply.

We have talked about this this morning, and are going to schedule a night to come in and decomm all old CA's (there are still some listed in Sites & Services from before my time here!) and then build a new CA from scratch and issue new certificates!

THANKS
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top