I am working with a client that has a PKI issue. At some point in the past someone decided that they needed a CA and built two that were supposed to be for very limited use. Then a few projects came along that required certificates, the PKI ended up getting used quite a bit, and there are hundreds (possibly a couple thousand) certs now in use in their environment. Their current infrastructure was not necessarily designed with best practices in mind, and now they need a well-designed, scalable PKI.
I have some experience with PKI and we have a reasonable design for what the end-state should look like, but we're a little unclear on the details of how we will get there. The existing CAs are an Enterprise Root and an Enterprise Subordinate/Issuing CA. We want to have a standalone, offline root CA with Enterprise Subordinate/Issuing CAs. We do not want to recycle any existing servers.
In a perfect world I would say that we should stand up a parallel CA using an offline root and multiple Enterprise Subordinate CAs. Then we would prevent the existing CAs from issuing any new certificates, let the existing certificates expire, and then force the cert requests to go through the new CAs/PKI. Since the overwhelming majority of the existing certificates will be expiring in the next 5-6 months, this seems like a workable plan. Eventually we would retire/decommission the legacy CAs once the new CAs are carrying the entire load.
Anyone have any thoughts about this? I know that having two root CAs in a forest isn't advisable (from the standpoint of not having a single chain of authority), but it should only be for a relatively short period of co-existence and it should work.
I'm open to any suggestions.
________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator
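The staged cutover described in the post (inventory what the legacy issuing CA has signed, confirm the expiry curve really does fall inside the 5-6 month co-existence window, then stop the legacy CA from issuing while leaving it up for CRLs), as an added PowerShell example. This is not from the original post or any vendor script. It assumes a hypothetical legacy CA config string `LEGACY-ICA01\Contoso-Issuing-CA`, the CSV output shape of `certutil -view`, and the `ADCSAdministration` module (Windows Server 2012 or later) for the lockdown step; the CSV rows in the demo are constructed.

```powershell
# Added example, not part of the original post.
# Assumptions (hypothetical): legacy issuing CA reachable as "LEGACY-ICA01\Contoso-Issuing-CA";
# the lockdown step runs locally on that CA with the ADCSAdministration module.

$LegacyCA   = 'LEGACY-ICA01\Contoso-Issuing-CA'
$CutoverEnd = (Get-Date).AddMonths(6)      # the post's "5-6 month" expiry window

function Get-IssuedCertInventory {
    param(
        [string]$CAConfig,
        [string[]]$CsvLines   # pass captured certutil output here to run offline
    )
    if (-not $CsvLines) {
        # Disposition=20 selects issued certificates in the CA database.
        $CsvLines = certutil -config $CAConfig -view -restrict 'Disposition=20' `
                    -out 'RequestID,NotAfter,CertificateTemplate,CommonName' csv
    }
    # Keep only quoted CSV rows (drops certutil's trailing status line), skip the header,
    # and name the columns ourselves so nothing depends on certutil's display names.
    $CsvLines | Where-Object { $_ -match '^"' } | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header 'RequestID','NotAfter','Template','CommonName' |
        ForEach-Object {
            [pscustomobject]@{
                RequestID  = [int]$_.RequestID
                # certutil prints dates in the machine's locale, so parse with CurrentCulture
                NotAfter   = [datetime]::Parse($_.NotAfter, [cultureinfo]::CurrentCulture)
                Template   = $_.Template
                CommonName = $_.CommonName
            }
        }
}

function Show-ExpiryProfile {
    param([object[]]$Certs, [datetime]$Cutoff)
    # Certificates per expiry month: the "let them expire" plan only holds if this
    # curve drops to near zero inside the co-existence window.
    $Certs | Group-Object { $_.NotAfter.ToString('yyyy-MM') } | Sort-Object Name |
        Select-Object @{n='ExpiryMonth';e={$_.Name}}, Count | Format-Table -AutoSize | Out-Host

    # Anything outliving the cutoff will not age out on its own and must be
    # re-enrolled from the new PKI explicitly before the legacy CAs are retired.
    $stragglers = @($Certs | Where-Object { $_.NotAfter -gt $Cutoff })
    Write-Host ("{0} of {1} certificates expire after {2:d} and need re-enrollment:" -f `
        $stragglers.Count, $Certs.Count, $Cutoff)
    $stragglers | Sort-Object NotAfter |
        Format-Table RequestID, CommonName, Template, NotAfter -AutoSize | Out-Host
    return $stragglers
}

function Disable-LegacyCAIssuance {
    # Run on the legacy enterprise CA itself. With no templates assigned, the CA rejects
    # new enrollment requests, but the service stays up so it keeps publishing CRLs
    # for the certificates that are still valid during co-existence.
    Import-Module ADCSAdministration
    Get-CATemplate | ForEach-Object {
        Write-Host "Removing template $($_.Name) from $env:COMPUTERNAME"
        Remove-CATemplate -Name $_.Name -Force
    }
    certutil -CRL | Out-Null     # publish a fresh CRL right away
}

# --- Demo on constructed data (same row shape as "certutil -view ... csv") ----------
# Dates are written in ISO form here only so the sample parses under any locale.
$SampleCsv = @(
    '"Issued Request ID","Certificate Expiration Date","Certificate Template","Issued Common Name"',
    '"101","2014-03-14 09:00","WebServer","web01.contoso.local"',
    '"102","2014-04-02 13:30","Machine","ws17.contoso.local"',
    '"103","2014-05-20 08:15","WebServer","intranet.contoso.local"',
    '"104","2015-09-30 11:45","CodeSigning","build-signer"',
    'CertUtil: -view command completed successfully.'
)
$inventory  = Get-IssuedCertInventory -CsvLines $SampleCsv
$stragglers = Show-ExpiryProfile -Certs $inventory -Cutoff ([datetime]'2014-06-30')

# Live run against the legacy CA, then lock it down once the profile looks right:
# $inventory = Get-IssuedCertInventory -CAConfig $LegacyCA
# Show-ExpiryProfile -Certs $inventory -Cutoff $CutoverEnd
# Disable-LegacyCAIssuance
```

Two things to keep in mind when running this for real. The inventory only covers the issuing CA's database, so run it against both legacy CAs if the Enterprise Root ever issued end-entity certificates directly. And after `Disable-LegacyCAIssuance`, the legacy chain still has to remain trusted and its CRL distribution points reachable until the last straggler has been replaced, since clients will keep validating those certificates until they expire; on Windows Server 2008 R2, where the `ADCSAdministration` module is not available, the same template removal can be done with `certutil -SetCATemplates`.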