
Certificate Authority Dead - How to replace?


  • Certificate Authority Dead - How to replace?

    We recently replaced our DCs for two Virtual Machines (running on ESX server).

    A backup was made of the CA, as we attempted to move it to a new dedicated server (i.e. not a VM DC!), that was on one of the DCs, but we created a new server with a different name and missed the section of the document we were reading that said that the new machine needs to have the same name.

    Our certificates are due to run out in a couple of weeks, and I have the task of getting the new CA working.

    How can I replace any CA that our AD believes to know about and build a new one? The ones we have don't want to issue certificates!

    Thanks Kindly in Advance for any answers you are able to offer.


  • #2
    Re: Certificate Authority Dead - How to replace?

    I'm not too sure on the name part, but if you post a link to the KB you followed (or kinda followed) that would help...

    If I understand the procedure, you can use the "certutil" utility to restore the CA keys and logs to whatever server you specify. You can use the following syntax to put in your specifics:
    certutil -restore [-f] [-gmt] [-seconds] [-v] [-config CAMachineName\CAName] [-p Password] BackupDirectory

    If you don't specify the computer name, you will get a prompt to restore it to whatever authorized CA the schema points to...

    Are you sure that you backed up the entire CA? Like the keys, certs, and the database?

    If so, the restore should be straightforward. I don't want to send you to KBs you've already been to, but for verbosity:

    If you can verify that the above articles do not cover what you're looking for, then reply with the place you're stuck at, and we'll try to help further.
    It's easier to beg forgiveness than ask permission.
    Give karma where karma is due...
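
A check for the question raised in reply #2 (was the whole CA backed up: keys, certs and database?), as an added example that is not part of the thread. It assumes the backup was made with `certutil -backup` or the CA snap-in's backup wizard, which write `<CAName>.p12` and a `DataBase` subfolder; `Test-CABackup`, the backup path and the `-config` value are hypothetical.

```powershell
# Added example (not from the thread). Assumes a backup made with
# "certutil -backup" or the CA snap-in wizard: <CAName>.p12 holds the CA
# certificate and private key, DataBase\<CAName>.edb holds the database.
function Test-CABackup {
    param(
        [Parameter(Mandatory = $true)]
        [string] $BackupDirectory
    )

    $dbDir = Join-Path $BackupDirectory 'DataBase'
    $p12 = @(Get-ChildItem -Path $BackupDirectory -Filter '*.p12' -File -ErrorAction SilentlyContinue)
    $edb = @(Get-ChildItem -Path $dbDir -Filter '*.edb' -File -ErrorAction SilentlyContinue)

    # A zero-length file means the backup or the copy was interrupted.
    $keyOk = ($p12.Count -eq 1) -and ($p12[0].Length -gt 0)
    $dbOk  = ($edb.Count -eq 1) -and ($edb[0].Length -gt 0)

    # Both files are named after the CA; a mismatch suggests the directory
    # mixes pieces from two different backups.
    $namesMatch = $keyOk -and $dbOk -and ($p12[0].BaseName -eq $edb[0].BaseName)

    [pscustomobject]@{
        CAName        = if ($keyOk) { $p12[0].BaseName } else { $null }
        HasKeyAndCert = $keyOk
        HasDatabase   = $dbOk
        NamesMatch    = $namesMatch
        Complete      = $keyOk -and $dbOk
    }
}

$backupDir = 'D:\CABackup'          # hypothetical path
$config    = 'NEWCA01\Example-CA'   # hypothetical CAMachineName\CAName

$result = Test-CABackup -BackupDirectory $backupDir
$result | Format-List

if ($result.Complete) {
    # Print the restore command in the syntax quoted in reply #2, for the
    # administrator to review and run; -p is left off so the password does
    # not end up in the console history.
    Write-Output "certutil -restore -config `"$config`" `"$backupDir`""
} else {
    Write-Warning 'Backup is incomplete: the .p12 or the DataBase\*.edb file is missing or empty.'
}
```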