Enterprise CA for us? Hardware migration of enterprise Root CA

Guest (Bob Williamson)

We are a small firm:
13 servers, 2 locations connected via a private T1, 65 users, one W2K3
Native Domain.

I am looking at installing a PKI infrastructure. After digging around I
have decided to install an enterprise CA and plan on leaving my CA online
full time. It will also act as a domain controller etc. The certs will be
used primarily for wireless access, IPsec VPN, and possibly SSL.

Given the size of our organization I believe an enterprise CA will be
sufficient and leaving it online is OK. Our network is behind a locked down
ISA 2004 box so the odds of being compromised are fairly small. Is my plan OK?

Thanks,
Bob
 
Guest (Bob Williamson)

The second part of my question is:

2. One of my biggest concerns is upgrading/replacing the hardware of the CA.
I am planning on swapping out the server in the next couple of months by
transferring FSMO, DCPromo the server down, rebuild (with the same
NetBIOS name), dcpromo back up etc. How will this affect the CA part of the
server? Can I simply export/import the certs?

Thanks,
Bob
 
Steven L Umbach

Ideally the root CA will be offline and not installed on a domain controller
but in the real world small networks often do as you describe. What I would
suggest is that your domain controller be physically secured to some degree.
The risk is not so much from outside your network but from within it. For
example a malicious user that has full physical access to a CA could
possibly issue himself some certificates for unauthorized access by himself
or others. You have to decide on whether that is a risk or not for you and
what to do to manage that risk. --- Steve
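A check that follows from Steve's point about an insider using the CA to issue himself certificates, added here as an example and not taken from the thread or from Microsoft: it pulls the issued-certificate view out of the CA database with certutil and shows who holds what, so a certificate nobody should have asked for stands out. PowerShell 2.0 or later and certutil.exe are assumed; the -Config value and the list of expected templates are placeholders for your own CA name and the templates you actually published.

```powershell
# Added example, not from the thread. Lists who has been issued certificates by
# this CA and flags anything issued from a template you did not mean to publish,
# which is the trail an insider leaves if he uses the CA to issue himself a cert.
# Assumes PowerShell 2.0+ and certutil.exe (Windows Server 2003 or later); run it
# on the CA, or pass -Config "CAHOST\CA Name" to query the CA remotely.
param(
    [string]$Config = "",
    # Assumption: the templates this CA was deliberately set up to issue for
    # wireless and VPN (V1 templates show by name, V2 templates by OID).
    [string[]]$ExpectedTemplates = @("Machine", "User", "IPSECIntermediateOnline")
)

$cfgArgs = @()
if ($Config) { $cfgArgs = @("-config", $Config) }

# Disposition 20 = issued. With "csv" certutil prints one quoted header row and
# one quoted row per database entry, followed by its own status line.
$columns = "RequestID", "RequesterName", "CertificateTemplate", "NotBefore", "NotAfter", "CommonName"
$raw = & certutil.exe @cfgArgs -view -restrict "Disposition=20" -out ($columns -join ",") csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }

# Keep the quoted data rows only and name the columns ourselves, so the script
# does not depend on certutil's localized display names in the header row.
$issued = $raw | Where-Object { $_ -like '"*' } | Select-Object -Skip 1 |
          ConvertFrom-Csv -Header $columns

"Issued certificates per requester (one machine cert per host and one user cert per person is the expected shape):"
$issued | Group-Object RequesterName | Sort-Object Count -Descending |
    ForEach-Object { "{0,5}  {1}" -f $_.Count, $_.Name }

"`nIssued from templates outside the expected set:"
$issued | Where-Object { $ExpectedTemplates -notcontains $_.CertificateTemplate } |
    Format-Table RequestID, RequesterName, CertificateTemplate, CommonName, NotAfter -AutoSize

# Renewals legitimately produce a second row for the same requester/template;
# anything beyond that pattern deserves a question.
"`nRequesters holding more than one certificate from the same template:"
$issued | Group-Object RequesterName, CertificateTemplate | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "{0,5}  {1}" -f $_.Count, $_.Name }
```

One caveat that makes Steve's physical-security point sharper: this report only sees certificates that went through the CA's database. Someone with physical access who copies the CA's private key can sign certificates offline and leave no row behind, so the database audit is a check on abuse of the CA service, not a substitute for keeping the key out of reach.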
 
Steven L Umbach

The link below explains what you need to do for transferring a CA to another
computer including how to backup current CA certificate/private key and
certificates.

http://support.microsoft.com/?id=298138

Your plan is going to have a degree of complexity because the new CA server
must have the same name as the old CA server and it is a domain controller.
What might work is to add/use another domain controller to your network,
transfer all the FSMO roles and global catalog to it and adjust tcp/ip for
domain computers so that they have the IP address of the new dc for dns.
After you are satisfied that the new dc is working correctly by using
support tools such as netdiag, dcdiag, and looking at the logs in Event
Viewer for problems then remove certificate services from the old dc [after
backing up the CA and certificates as described in KB298138] and dcpromo it.
Then build your new server with the same name as the old server, dcpromo it,
and then transfer CA to it per KB298138. Before attempting this be sure to
have a fresh System State backup of your domain controllers for a rollback
plan in case things do not work as expected. --- Steve
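The backup and restore halves of the move Steve outlines, as an added example that is not part of the thread or of KB298138: it runs the CA backup and registry export on the old server, the restore on the rebuilt server of the same name, and a thumbprint check proving the service came back up with the same CA certificate. PowerShell 2.0 or later, certutil.exe and reg.exe are assumed; the backup path is a placeholder. The step in between, installing Certificate Services on the rebuilt server and choosing to use the existing CA certificate and key from the PFX in the backup directory, is done through the Windows Components wizard and is not scripted here.

```powershell
# Added example, not from the thread or KB298138. Backup half runs on the old CA,
# Restore and Verify halves on the rebuilt server (same name, already a DC, with
# Certificate Services installed using the existing key from the backup PFX).
# Assumes PowerShell 2.0+, certutil.exe and reg.exe (Windows Server 2003 or later).
param(
    [Parameter(Mandatory=$true)][ValidateSet("Backup", "Restore", "Verify")]
    [string]$Mode,
    [string]$Dir = "D:\CABackup",                    # assumption: local disk, copied off the box afterwards
    [string]$Password = $(Read-Host "Backup/PFX password")
)

# Everything certutil -backup does not capture (CRL/AIA locations, policy and
# exit module settings, CSP) lives under this key.
$RegKey = "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

switch ($Mode) {
    "Backup" {
        # certutil -backup wants an empty target directory
        if (Test-Path $Dir) { throw "$Dir already exists; certutil -backup needs an empty directory" }
        New-Item -ItemType Directory -Path $Dir | Out-Null
        # CA certificate + private key (PFX) and the issued-certificate database.
        # Caveat: -p puts the password on the command line, visible in process listings.
        Invoke-Checked certutil.exe @("-p", $Password, "-backup", $Dir)
        Invoke-Checked reg.exe @("export", $RegKey, (Join-Path $Dir "CertSvc-Configuration.reg"))
        # Record what the enterprise CA publishes and which CSP holds the key,
        # so both can be compared after the move.
        certutil.exe -catemplates | Out-File (Join-Path $Dir "catemplates.txt")
        certutil.exe -getreg "CA\CSP" | Out-File (Join-Path $Dir "csp.txt")
        Get-ChildItem $Dir
    }
    "Restore" {
        # The service must be stopped for a database restore; -f overwrites the
        # empty database the fresh install created.
        Invoke-Checked net.exe @("stop", "certsvc")
        Invoke-Checked certutil.exe @("-p", $Password, "-f", "-restore", $Dir)
        Invoke-Checked reg.exe @("import", (Join-Path $Dir "CertSvc-Configuration.reg"))
        Invoke-Checked net.exe @("start", "certsvc")
    }
    "Verify" {
        # The CA certificate inside the backup PFX must be the one the service signs with now.
        $pfx = Get-ChildItem $Dir -Filter *.p12 | Select-Object -First 1
        if (-not $pfx) { throw "No .p12 found in $Dir" }
        $fromBackup = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                      -ArgumentList @($pfx.FullName, $Password)
        $cer = Join-Path $env:TEMP "ca.cer"
        Invoke-Checked certutil.exe @("-ca.cert", $cer)
        $running = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList @($cer)
        if ($fromBackup.Thumbprint -ne $running.Thumbprint) {
            throw "Thumbprint mismatch: backup $($fromBackup.Thumbprint), running CA $($running.Thumbprint)"
        }
        "CA certificate matches the backup: $($running.Subject) [$($running.Thumbprint)]"
        # Confirms the service answers requests on the rebuilt server
        certutil.exe -ping
    }
}
```

Run it with -Mode Backup before removing Certificate Services from the old DC, then -Mode Restore and -Mode Verify on the rebuilt server after the wizard has installed Certificate Services with the existing key. The thumbprint check matters because the alternative failure is silent: a CA that came up with a freshly generated key would still issue certificates, but nothing that trusts the old root would accept them.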
 
Guest (Bob Williamson)

Fortunately I have numerous DCs already which I can transfer FSMOs to!

Thanks again,
Bob
