Adding new root/enterprise CA without disturbing existing one?

Having dealt with the same scenario, here's an overview of the approach that I took:

Get the new environment up and running, but don't give it any ability to issue certificates - use LoadDefaultTemplates=False in your capolicy.inf.

While the devices are still set to not issue any templates, get everything squared away with the new environment: AIA locations, CRL distribution, etc. Check the health of all of it with the Enterprise PKI snap-in.

Then, when you're ready, alter the config of the existing CA to stop issuing certificates for certain templates. You aren't killing the server yet, just telling it to stop issuing new certs. Add those same templates to the allowed issuance policies of your new environment.

Then, use the "re-enroll certificate holders" option on the template management tool for the templates that have certificates out there and are auto-enrolled (user, computer, and domain controller certs). This will bump the template version and cause them to grab a new certificate from the new infrastructure when their autoenroll pulses.

This will cover you for those certs, but for web server certs it'll unfortunately be a manual process. Re-issue for each, and change listeners to the new certs.

Once you're fairly confident that you've got all the certificates re-issued, cripple the old CA but don't remove the role yet. Do something along the lines of removing all AIA or CRL distribution points in the CA's configuration, then deleting the files/objects from those locations (LDAP is probably the main one, but http and smb need checking too). Wait for issues for a few weeks; when something breaks, you can re-add the AIA/CRL points that you deleted and re-publish (certutil -dspublish) if needed.

Once you're satisfied that nothing's using the old CA anymore, remove the role, then clean up Active Directory. The AIA, CRLs, and delta CRLs need a manual delete, which you can do in the "Manage AD Containers" option in the Enterprise PKI snap-in.
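The stages above as a certutil/PowerShell run-book. This is an added example, not code from the answer's author or from Microsoft; the hostnames, CA names, HTTP publishing base, forest DN and template list are assumptions chosen for illustration. The capolicy.inf fragment writes the keyword in the 0/1 form the capolicy.inf reference uses (LoadDefaultTemplates=0). Most certutil calls accept -config, so stages 3 to 5 and 7 can run from an admin workstation with RSAT; stages 1, 2 and 6 run on the CA host named in their comment.

```powershell
# Added example, not code from the original answer: the migration above as a
# staged certutil/PowerShell run-book. Everything marked "assumption" is
# invented for illustration (CA names, hostnames, template list, forest DN).
$ErrorActionPreference = 'Stop'

$OldCA     = 'OLDCA01.corp.example\Corp-Old-CA'        # assumption
$NewCA     = 'NEWCA01.corp.example\Corp-Issuing-CA'    # assumption
$HttpBase  = 'http://pki.corp.example/pki'             # assumption
$ConfigNC  = 'CN=Configuration,DC=corp,DC=example'     # assumption
$Templates = @('User', 'Machine', 'DomainController', 'WebServer')  # assumption
$Local     = "$env:SystemRoot\system32\CertSrv\CertEnroll"

# Stage 1 (new CA host, before Install-AdcsCertificationAuthority):
# LoadDefaultTemplates=0 keeps the installer from enabling the default
# templates, so the CA comes up unable to issue anything.
$CaPolicy = @'
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
'@
Set-Content -Path "$env:SystemRoot\capolicy.inf" -Value $CaPolicy -Encoding Ascii

# Stage 2 (new CA host): CRL distribution and AIA locations. Flag values:
# 1 publish here, 2 include in issued certs, 4/8 include in CRLs, 64 publish delta.
# certutil reads the literal "\n" as the separator between locations.
certutil -setreg CA\CRLPublicationURLs ("65:$Local\%3%8%9.crl\n" +
    "6:$HttpBase/%3%8%9.crl\n" +
    "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10")
certutil -setreg CA\CACertPublicationURLs ("1:$Local\%1_%3%4.crt\n" +
    "2:$HttpBase/%1_%3%4.crt\n" +
    "3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11")
Restart-Service certsvc
certutil -crl                              # publish a CRL to the new locations

# Stage 3: chase every AIA/CDP URL the new CA certificate carries.
# A "Failed" line here is the same condition pkiview.msc flags in red.
certutil -config $NewCA -ca.cert "$env:TEMP\newca.cer"
certutil -verify -urlfetch "$env:TEMP\newca.cer"

# Stage 4: stop the old CA issuing the templates, then let the new CA issue them.
foreach ($t in $Templates) {
    certutil -config $OldCA -SetCATemplates "-$t"
    certutil -config $NewCA -SetCATemplates "+$t"
}
certutil -config $OldCA -CATemplates       # should no longer list them
certutil -config $NewCA -CATemplates       # should list them now

# Stage 5: "Reenroll All Certificate Holders" in certtmpl.msc bumps the
# template version; read it before and after to confirm, then pulse a client.
function Get-TemplateVersion {
    param([string]$Name)
    $dn  = "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
    $tpl = [ADSI]"LDAP://$dn"
    '{0}: {1}.{2}' -f $Name, [string]$tpl.revision, [string]$tpl.'msPKI-Template-Minor-Revision'
}
$Templates | ForEach-Object { Get-TemplateVersion $_ }
certutil -pulse                            # trigger autoenrollment on this client

# Stage 6 (old CA host): cripple it without removing the role. Keep only the
# local file path so nothing it publishes is referenced by AD, HTTP or SMB.
certutil -setreg CA\CRLPublicationURLs "65:$Local\%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$Local\%1_%3%4.crt"
Restart-Service certsvc
# Roll-back if something breaks: restore the URLs above and re-publish, e.g.
#   certutil -dspublish -f "$Local\OLDCA01.corp.example_Corp-Old-CA.crt" RootCA
#   certutil -dspublish -f "$Local\Corp-Old-CA.crl"

# Stage 7: audit what is left in AD before the final clean-up in pkiview.msc.
Get-ADObject -SearchBase "CN=Public Key Services,CN=Services,$ConfigNC" -Filter * |
    Where-Object { $_.DistinguishedName -match 'Corp-Old-CA' } |
    Select-Object DistinguishedName, ObjectClass
```

Stage 6 deliberately leaves the old CA running and able to regenerate its CRL locally, which is what makes the roll-back cheap: re-adding the URLs and re-publishing is a registry change and a certutil -dspublish, not a role reinstall. Stage 7 should return nothing once the AIA, CRL and delta CRL objects have been deleted through "Manage AD Containers".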

Author: Yasha

Updated on September 18, 2022

Comments

  • uSlackr
    uSlackr about 13 years
    I would think you wouldn't want the confusion of having two (even if it is supported, which isn't likely). Why not team with the owner of the other server to support what you need?
  • ewall
    ewall about 13 years
    The difficulty is that the old/existing CA was installed on a production web server used for many other things; we can't remove it from the domain, rename it, etc. as M$ recommends even for migrating to a new CA.
  • ewall
    ewall about 13 years
    Great answer, thank you; that will get me well on my way to making it happen. Also, I got some good news last night and found out that the old/existing CA server is slated to be decommissioned or repurposed in November, which should make the transition easier.