Certificate Authority Issue

  • Certificate Authority Issue

    Hi All,

    I currently have an issue with Certificate Authority I hope someone can help me with.

    I currently have a root CA server installed on a 2008 R2 DC I want to rebuild (bad practice having a CA on a DC, I know, but I inherited it).

    I have built another root CA server running 2012 Datacenter and added it to the environment.

    The intention was to revoke certificates from the 2008 CA and allow the 2012 CA to issue new certificates, as most of the certificates are either for the DCs issued via auto enrollment.

    I have put together a test environment to test this to see how revoking certificates would work.

    As CA seems to be a bit of a dark art I have been reading as much as possible, and it seems the best way to revoke certificates is via the online responder, which is not currently set up in the live or test environments. I have tested using the CRL, but this does not seem to be revoking the auto enrollment certificate on my test DC.

    For info, CRL overlap is set to 24 hours and CRLDelta set to 12 hours, with CRL publication interval at 2 hours and publish delta CRL at 1 hour.

    If anyone could provide some insight on how I am best to proceed, or something I have missed, it would be very much appreciated.

    Thanks in advance
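    An added example, not code from this thread, that a practitioner can use to check the CRL timings described above and confirm whether a revoked auto-enrolled certificate actually appears in the published CRL and fails chain validation. A relying party keeps using its cached CRL until that CRL's next update, so a revocation only becomes visible once a fresh CRL is published and the client's cache is refreshed; the certificate path below is a placeholder, and the registry location and certutil calls are standard AD CS ones run on the CA server.

    ```powershell
    # Added example (not from the thread): inspect CRL timing on an AD CS CA and
    # confirm a certificate is listed as revoked. Run in an elevated PowerShell
    # session on the CA server. $CertPath is a placeholder for an exported copy of
    # the auto-enrolled certificate under test.
    $CertPath = 'C:\temp\dc-autoenroll.cer'

    # 1. Read the CRL publication settings from the CA's registry configuration.
    #    The 'Active' value under Configuration names the CA instance.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty $cfg).Active
    $ca     = Get-ItemProperty (Join-Path $cfg $caName)
    '{0}: base CRL every {1} {2}, overlap {3} {4}, delta CRL every {5} {6}' -f $caName,
        $ca.CRLPeriodUnits, $ca.CRLPeriod,
        $ca.CRLOverlapUnits, $ca.CRLOverlapPeriod,
        $ca.CRLDeltaPeriodUnits, $ca.CRLDeltaPeriod

    # 2. Publish fresh base and delta CRLs now instead of waiting for the schedule.
    certutil -crl | Out-Null

    # 3. Look for the certificate's serial number in the freshly published CRLs
    #    (<CAName>.crl is the base CRL, <CAName>+.crl the delta CRL).
    $serial = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath).SerialNumber
    $crlDir = "$env:SystemRoot\System32\CertSrv\CertEnroll"
    foreach ($crl in Get-ChildItem $crlDir -Filter "$caName*.crl") {
        # certutil -dump prints one "Serial Number:" line per revoked entry;
        # Select-String is case-insensitive, so hex case differences do not matter.
        $listed = certutil -dump $crl.FullName | Select-String -Quiet "Serial Number:\s*$serial"
        '{0}: {1}' -f $crl.Name, $(if ($listed) { 'serial is listed as revoked' } else { 'serial not present' })
    }

    # 4. Behave like a relying party: drop any cached CRL, then validate the
    #    certificate end to end, fetching CRL/OCSP data from the URLs in the cert.
    certutil -urlcache crl delete | Out-Null
    certutil -verify -urlfetch $CertPath | Select-String 'Revocation|Cert is|ERROR|expired'
    ```

    If step 3 shows the serial in the CRL but step 4 on a client still reports the certificate as valid, the client is working from a cached CRL that has not yet reached its next update time, which matches the symptom described in the post.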


  • #2
    Re: Certificate Authority Issue

    It is easier to remove the templates on the old CA and let it fade away as client/machine certs expire. Then you can simply remove it from the fleet...
    Rules of life:
    1. Never do anything that requires thinking after 2:30 PM
    2. Simplicity is godliness
    3. Scale with extreme prejudice

    I occasionally post using a savantphone, so please don't laugh too hard at the typos...