Adding new root/enterprise CA without disturbing existing one?
Having dealt with the same scenario, here's an overview of the approach that I took:
Get the new environment up and running, but don't give it any ability to issue certificates - use LoadDefaultTemplates=False in your capolicy.inf.
While the devices are still set to not issue any templates, get everything squared away with the new environment, AIA locations, CRL distribution, etc. Check health of all with the Enterprise PKI snap-in.
Then, when you're ready, alter the config of the existing CA to stop issuing certificates for certain templates. You aren't killing the server yet, just telling it to stop issuing new certs. Add those same templates to the allowed issuance policies of your new environment.
Then, use the "re-enroll certificate holders" option on the template management tool for the templates that have certificates out there and are auto-enrolled (user, computer, and domain controller certs). This will bump the template version and cause them to grab a new certificate from the new infrastructure when their autoenroll pulses.
This will cover you for those certs, but for web server certs it'll unfortunately be a manual process. Re-issue for each, and change listeners to the new certs.
Once you're fairly confident that you've got all the certificates re-issued, cripple the old CA but don't remove the role yet. Do something along the lines of removing all AIA or CRL distribution points in the CA's configuration, then deleting the files/objects from those locations (LDAP is probably the main one, but http and smb need checking too). Wait for issues for a few weeks; when something breaks, you can re-add the AIA/CRL points that you deleted and re-publish (certutil -dspublish) if needed.
Once you're satisfied that nothing's using the old CA anymore, remove the role, then clean up Active Directory. The AIA, CRLs, and delta CRLs need a manual delete, which you can do in the "Manage AD Containers" option in the Enterprise PKI snap-in.
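The command-line side of the procedure above, as an added example that is not part of the original answer. CA names (OLDWEB01\Contoso Issuing CA, NEWCA01\Contoso Issuing CA 2), the pki.contoso.com URLs, the file server names and the template list are assumptions; substitute your own. Everything else is stock certutil and PowerShell.

```powershell
# Added example, not from the original answer: certutil/PowerShell for each migration step.
# CA names, hostnames, URLs and template names below are assumptions for illustration.

$oldCa = 'OLDWEB01\Contoso Issuing CA'      # assumed: existing CA on the shared web server
$newCa = 'NEWCA01\Contoso Issuing CA 2'     # assumed: the new enterprise CA

# 1. CAPolicy.inf goes in %SystemRoot% BEFORE Install-AdcsCertificationAuthority runs.
#    LoadDefaultTemplates=0 stops the new CA from loading User/Machine/etc. on install,
#    so it issues nothing until templates are added in step 3.
$capolicy = @'
[Version]
Signature="$Windows NT$"

[certsrv_server]
LoadDefaultTemplates=0
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $capolicy -Encoding ASCII
# ... Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA ... runs after this.

# 2. CRL distribution (CDP) and AIA locations on the new CA. The numeric prefix is the
#    certutil flag set (1 publish here, 2 put in issued certs' CDP/AIA, 4 and 8 put in
#    CRLs, 64 publish delta CRLs); a literal "\n" separates entries for certutil.
$cdp = '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl\n' +
       '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n' +
       '6:http://pki.contoso.com/crl/%3%8%9.crl'
$aia = '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt\n' +
       '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n' +
       '2:http://pki.contoso.com/aia/%1_%3%4.crt'
certutil -config $newCa -setreg CA\CRLPublicationURLs $cdp
certutil -config $newCa -setreg CA\CACertPublicationURLs $aia
Restart-Service -Name CertSvc
certutil -config $newCa -CRL                       # publish a CRL to the new locations now

#    Health check without the GUI: pull the CA cert and make certutil fetch every AIA/CDP
#    URL in it. Each URL should report "Verified"; pkiview.msc shows the same data.
certutil -config $newCa -ca.cert "$env:TEMP\newca.cer"
certutil -verify -urlfetch "$env:TEMP\newca.cer"

# 3. Old CA stops issuing the autoenrolled templates; new CA starts. Role stays installed.
certutil -config $oldCa -SetCATemplates -User -Machine -DomainControllerAuthentication
certutil -config $newCa -SetCATemplates +User +Machine +DomainControllerAuthentication
certutil -config $newCa -CATemplates               # confirm what the new CA now offers

# 4. "Reenroll All Certificate Holders" is a right-click action in certtmpl.msc (no CLI
#    equivalent). Afterwards, trigger autoenrollment on hosts rather than waiting for the
#    scheduled pulse. FS01/FS02 are assumed names.
Invoke-Command -ComputerName 'FS01', 'FS02' -ScriptBlock { certutil -pulse }

# 5. Web server certs are manual. Find what still chains to the old CA:
#    a) unexpired issued certs in the old CA database, with their template
certutil -config $oldCa -view -restrict "Disposition=20,NotAfter>now" `
    -out "RequestID,CommonName,CertificateTemplate,NotAfter" csv
#    b) on a given server, machine-store certs the old CA issued; each of these needs
#       reissuing from the new CA and its IIS/LDAPS/RDP listener repointed
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like 'CN=Contoso Issuing CA,*' } |
    Select-Object Subject, NotAfter, Thumbprint

# 6. Cripple the old CA: leave only the local file CDP/AIA so nothing is republished to
#    LDAP or HTTP, then delete the old objects via Manage AD Containers in pkiview.msc.
certutil -config $oldCa -setreg CA\CRLPublicationURLs '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl'
certutil -config $oldCa -setreg CA\CACertPublicationURLs '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt'
Restart-Service -Name CertSvc

#    Rollback during the waiting period: push the old CRL and CA cert back into AD.
certutil -dspublish -f 'C:\Windows\System32\CertSrv\CertEnroll\Contoso Issuing CA.crl'
certutil -dspublish -f 'C:\Windows\System32\CertSrv\CertEnroll\OLDWEB01_Contoso Issuing CA.crt' SubCA
```

Run the old-CA commands on the old CA host (or anywhere with RSAT and the -config switch, as shown). The step 5(a) query is the quickest inventory of what the old CA has out there; step 5(b) catches certs that were imported by hand and never went through a template.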
Updated on September 18, 2022

Comments
- Yasha, almost 2 years: I am using the following code snippet

    lxDate = #1/1/1970#
    GetUnixDate = CType(DateDiff("S", lxDate, pDate), Int32)

  where pDate is the date entered by the user and is in the format mm/dd/yyyy, e.g. #12/24/2014#. This retrieves the Unix date correctly. However, on one particular machine the output is one second less than the required date; that is, the Unix timestamp, when converted, results in the previous date. For example, Sat, 18 Dec 2004 23:59:59 GMT is retrieved when the desired result is Sun, 19 Dec 2004 00:00:00 GMT.
- uSlackr, about 13 years: I would think you wouldn't want the confusion of having two (even if it is supported, which isn't likely). Why not team with the owner of the other server to support what you need?
- ewall, about 13 years: The difficulty is that the old/existing CA was installed on a production web server used for many other things; we can't remove it from the domain, rename it, etc. as M$ recommends even for migrating to a new CA.
- Jon Skeet, over 9 years: I would personally suggest subtracting one DateTime from the other and using the TotalSeconds property of the resulting TimeSpan. Things like DateDiff are more for backwards compatibility with VB6 than as a modern way of doing things in .NET. That said, your question is somewhat unclear - the result isn't a DateTime, it's an integer... so how can you say the result is a particular DateTime? It would be helpful if you could show a short but complete program demonstrating the problem (on that one machine).
- Yasha, over 9 years: Well, you are right, the output is an integer; it gives the Unix timestamp. For the particular case the Unix timestamp retrieved was 1418860799. This can be converted to a date; you can use the following link: onlineconversion.com/unix_time.htm. It results in 17-Dec-2014 23:59:59; however, the required timestamp is 1418860800, which results in 18-Dec-2014 00:00:00. Thus a lag of 1 sec is observed.
- Jon Skeet, over 9 years: Right. That makes more sense, and you should include that information in your question, along with a short but complete program showing it.
- ewall, about 13 years: Great answer, thank you - that will get me well on my way to making it happen. Also, I got some good news last night and found out that the old/existing CA server is slated to be decommissioned or repurposed in November, which should make the transition easier.
- Yasha, over 9 years: Is there a method to check if the FPU control has been altered?
- Hans Passant, over 9 years: The return value of _controlfp(0, 0) should be &H8001F in a .NET program.
- Chuck Walbourn, over 9 years: Note that only Direct3D 9 and prior alter the x87 FP control word. Direct3D 10 and later never do that. With Direct3D 9, you can prevent this behavior using D3DCREATE_FPU_PRESERVE. Changing the FP control word globally is generally bad behavior and highly likely to lead to problems. See this article for some details.