RJ (Guest)
Posted: Thu Feb 03, 2005 5:47 am
Post subject: Enterprise Root CA change

I am running a Win2k enterprise root CA without subordinate CAs with a few
certificates issued. I would like to set up a new Win2k3 enterprise root CA
in the same Win2k3 Active Directory domain.
Can I run these in parallel in the same domain?
Do I need to decommission the Win2k CA first before I install the new Win2k3
CA since it will start a new certificate chain?
Thanks,

Mark Gamache (Guest)
Posted: Thu Feb 03, 2005 6:48 am
Post subject: Re: Enterprise Root CA change

This is likely your last chance to build your PKI the right way. I'd
definitely recommend taking the time to do so. You really should have an
offline standalone Root CA and make the new one intermediate.
Seeing that you've only issued a few certs, there is no better time to
rework your hierarchy.
You can have multiple Root CAs if you want.
Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com

Steven L Umbach (Guest)
Posted: Thu Feb 03, 2005 6:48 am
Post subject: Re: Enterprise Root CA change

If you want to replace your existing Enterprise CA to a new computer you
cannot have them both on the network at the same time. There is a way to move
the CA to a new computer by backing up the existing CA keys, certificate
database, and registry configuration to restore to the new computer after
taking the original CA offline, but you can certainly have more than one
Enterprise CA in the domain, usually by creating "subordinate CAs" that
chain to the root Enterprise CA you already have. The link below explains a
way to move a CA to another computer. For an Enterprise CA I would also
recommend that you name the new computer the same as the old computer [after
taking the old one offline] and then join it to the domain before doing the
move procedure.
--- Steve
http://support.microsoft.com/?id=298138 --- how to move Windows Certificate
Authority.
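
A pre-restore check for the move procedure described in the last reply, as an added example that is not part of the thread or of the linked Microsoft article: it reads a regedit export of the CA's registry configuration and lists settings that do not match the target computer. It assumes the export covers HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration with its CAServerName and DB*Directory string values; the sample export, host names, CA name and paths are constructed.

```python
import re

# Constructed sample of a regedit export of the CA configuration key.
# Host name, CA name and paths are invented for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]
"Active"="Example Root CA"
"DBDirectory"="C:\\WINNT\\System32\\CertLog"
"DBLogDirectory"="C:\\WINNT\\System32\\CertLog"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Example Root CA]
"CAServerName"="oldca.example.local"
'''

SECTION = re.compile(r'^\[(.+)\]$')
STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
DB_VALUES = ("DBDirectory", "DBLogDirectory", "DBSystemDirectory", "DBTempDirectory")

def parse_reg(text):
    """Return {key_path: {value_name: string}}; only string values are kept."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = STRING_VALUE.match(line)
        if value and current is not None:
            # .reg files escape each backslash as two
            current[value.group(1)] = value.group(2).replace("\\\\", "\\")
    return keys

def check_export(text, new_host, new_db_dir):
    """List exported settings that do not match the target computer."""
    findings = []
    for values in parse_reg(text).values():
        host = values.get("CAServerName")
        if host is not None and host.lower() != new_host.lower():
            findings.append(f"CAServerName is {host}, target is {new_host}")
        for name in DB_VALUES:
            path = values.get(name)
            if path is not None and path.lower() != new_db_dir.lower():
                findings.append(f"{name} is {path}, target uses {new_db_dir}")
    return findings

if __name__ == "__main__":
    # A real regedit export is UTF-16: open(path, encoding="utf-16").read()
    for finding in check_export(SAMPLE_REG, "newca.example.local", r"C:\WINDOWS\System32\CertLog"):
        print(finding)
```

An empty result means the exported host name and database paths already match the target, which is the case when the new computer takes the old computer's name and uses the same directories.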