Create new CA on Win2008 or renew and move from Win2003

  • Create new CA on Win2008 or renew and move from Win2003

    With your help I would like to know the safest/easiest way to achieve getting the root CA onto my Server 2008 Std SP2.

    I currently have CA on a Server 2003 but it's expired so the cert server service will not start. The service will start but then stop with an error code. Looking that code up it points to the certificate being expired and people resolve this by renewing the certificate.

    What I would like to know is, since it's expired and not handing out certificates anyway, can I just create a new CA from scratch on my 2008 server? It will have a different server name, so certificates would have to be renewed to PCs anyway, I would imagine. Or am I supposed to renew the certificate (and renew my subordinate CA server) and then follow the steps of moving to a new CA? I can't rename the currently expired root CA server name. I was just going to demote it and join it to a child domain.

    Please anyone advise on the proper steps I should take. I am new to CA and don't know any/all processes/problems. Thank you!!

  • #2
    Re: Create new CA on Win2008 or renew and move from Win2003

    It would help to know what size of company you have, number of users and what types of certificates you need to issue before making a definitive recommendation.

    Best practice though is a Standalone Root (Not a Domain Member, and offline except when required) with one or more tiers of Enterprise Subordinate CAs depending on your needs.

    This link is the Microsoft Server 2003 Best Practices guide. I know you're using 2008, but not much has changed in terms of implementation or design best practices. We used it in the office to do our new PKI after migrating to 2K8.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: Create new CA on Win2008 or renew and move from Win2003

      The enterprise root CA would be here on a forest root domain controller. There are between 250 & 300 machines in this office. Then there are 3 remote sites, with 5 PCs in one, 20 in another, and 100 in another office, served by a subordinate CA at each site.

      It's for a device control server I have that requires an enterprise CA for it to contact to set device (usb drives, peripherals, etc) policy controls on the machines.

      So since the current CA is expired I was wondering if I could start from scratch, or do I really need to renew the existing one and renew the sub CAs and then move it to the 2008 server? From other reading it appears that the CA would have to issue new certificates anyway since the current one has expired (that was the way I understood the reading), so since it would have to do that I thought that just creating the new enterprise root CA would be the easiest option.

      Please let me know what you think. Thank you.



      • #4
        Re: Create new CA on Win2008 or renew and move from Win2003

        I'd start from scratch with an offline stand-alone root, then an online enterprise subordinate in head office. Moving a CA is more hassle than it's worth; when we migrated to Server 2008 we just created a new CA from scratch.

        The Best Practices guide I linked to previously was invaluable when we did this, so is well worth downloading.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog
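        Before deciding between renewing and rebuilding, it helps to see exactly which CA certificates in the hierarchy (root and subordinates) have already lapsed, since an expired CA certificate is what stops the Certificate Services service as described at the top of the thread. The following is an added example, not code from the thread or from Microsoft; it runs on the PowerShell 2.0 that ships with Server 2008 and assumes you run it elevated on each CA box, and the `$WarnDays` threshold is an arbitrary choice.

```powershell
# Added example (not from the thread): audit CA certificates in the local machine
# stores so an expired or soon-to-expire root or subordinate CA cert is visible
# before the Certificate Services service refuses to start. PowerShell 2.0+, run elevated.
param(
    [int]$WarnDays = 90   # flag anything expiring inside this window (arbitrary assumption)
)

function Get-CaCertificateStatus {
    param([int]$WarnDays = 90)
    $now = Get-Date
    # My = this CA's own cert/key pair, Root = trusted roots, CA = intermediates
    $stores = 'My', 'Root', 'CA'
    foreach ($store in $stores) {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
            $cert = $_
            # Only certificates whose Basic Constraints say CA=True are CA certificates
            $bc = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            }
            if ($bc -and $bc.CertificateAuthority) {
                $daysLeft = [int]($cert.NotAfter - $now).TotalDays
                $state = if ($daysLeft -lt 0) { 'EXPIRED' }
                         elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                         else { 'OK' }
                # A self-signed CA certificate (issuer equals subject) is a root;
                # anything else in the chain is a subordinate
                $role = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'Subordinate' }
                New-Object PSObject -Property @{
                    Store      = $store
                    Role       = $role
                    State      = $state
                    DaysLeft   = $daysLeft
                    NotAfter   = $cert.NotAfter
                    HasKey     = $cert.HasPrivateKey   # True only on the machine that is that CA
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

# Most urgent (already expired, most negative DaysLeft) first
Get-CaCertificateStatus -WarnDays $WarnDays |
    Sort-Object DaysLeft |
    Format-Table Store, Role, State, DaysLeft, NotAfter, HasKey, Subject -AutoSize
```

On the old Server 2003 root described in the thread, its own certificate would show up in the `My` store with `HasKey` True and `State` EXPIRED; running the same script on each subordinate shows whether their certificates have lapsed too, which is what decides how much of the hierarchy has to be reissued either way.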
