Move 2000 Certificate server to 2003 on new hardware

Guest

Currently using Windows 2000 stand-alone certificate server (member server)
for OWA and a couple of other internal (non-critical) apps that require SSL
certificate.
Plan is to retire this hardware and install certificate server on new
hardware using Windows Server 2003.
I have reviewed the Microsoft article regarding migrating certificate
services, but we really do not need to perform a migration--we are perfectly
fine with issuing new certificates to the few apps that use it (plus the
hardware currently being used would not support Windows 2003). My plan is
to:
1) uninstall certificate services from current server.
2) install certificate services on new server.
3) Reissue certificates to the non-critical apps and OWA.
Are there any problems with this approach? Is there a more "graceful"
recommended approach to removal of the current certificate services server,
before installing the new certificate services server?
Thanks.
 
Steven L Umbach

If you have no problem reissuing new certificates wherever needed then go
for it. Your proposal is basically destroying your old PKI and building a
new one rather than maintaining the current one on the new server, which really
is not that difficult to do per the instructions in the KB article below,
which maybe you were referring to. You will also need to make sure that all
computers involved trust the new CA. --- Steve

http://support.microsoft.com/?id=298138
 
Guest

Thanks for your response. Yes, I have no problem reissuing new certificates.
Yes, the document you referenced is indeed the MS article I was referring
to, and I agree that the process would not be difficult; however, our
situation is not that straightforward... we are moving from Windows 2000 to
Windows 2003 and the existing hardware does not support an upgrade to Windows
2003.
You mentioned that I would need to make sure all the computers involved
"trust the new CA". What steps do I need to take to ensure and verify this
trust?

Thanks again.....
 
Steven L Umbach

The certificate of the CA needs to be in the trusted CA store on the
computer that is trying to use a certificate that the CA issued. You can see
the contents of such via the MMC snap-in for certificates for user or
computer and looking in the folder for Trusted Root Certificate Authorities.
An Enterprise CA would automatically be added for domain computers; you can
specify other certificates to add via Group Policy "computer"
configuration/Windows settings/security settings/public key policy settings,
and you can distribute the .cer file for the Certificate Authority to users
that need it, and clicking it will start the certificate import wizard. You
can create a .cer file by selecting the certificate from a folder in the MMC
snap-in for certificates and selecting all tasks - export. If you are using
Web Enrollment for certificate requests, the CA certificate/chain can be
downloaded that way also. -- Steve
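
The trust check described in the reply above can also be scripted. This is an added example, not part of the original thread: it assumes a client with PowerShell 3.0 or later, and both file paths and the `Test-CaTrust` function name are hypothetical placeholders.

```powershell
# Added example. Both paths are hypothetical placeholders.
param(
    [string]$CaCertPath     = 'C:\temp\new-ca.cer',  # CA certificate exported as .cer
    [string]$IssuedCertPath = 'C:\temp\owa.cer'      # a certificate issued by the new CA
)
$ErrorActionPreference = 'Stop'

function Test-CaTrust {
    param([string]$CaPath, [string]$LeafPath)

    $ns   = 'System.Security.Cryptography.X509Certificates'
    $ca   = New-Object "$ns.X509Certificate2" -ArgumentList $CaPath
    $leaf = New-Object "$ns.X509Certificate2" -ArgumentList $LeafPath

    # 1. Is the CA certificate in the computer's Trusted Root store?
    $inRoot = Test-Path -Path "Cert:\LocalMachine\Root\$($ca.Thumbprint)"

    # 2. Does the issued certificate build a chain that ends at that CA?
    #    Revocation checking is switched off so that an unreachable CRL
    #    does not mask the answer to the trust question.
    #    The default chain context consults both user and computer stores.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $builds = $chain.Build($leaf)

    # The last chain element is the top of whatever chain could be built.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        CaSubject       = $ca.Subject
        CaIsSelfSigned  = ($ca.Subject -eq $ca.Issuer)
        CaInMachineRoot = $inRoot
        ChainBuilds     = $builds
        ChainEndsAtCa   = ($top.Thumbprint -eq $ca.Thumbprint)
        # Empty when the chain is clean; UntrustedRoot or PartialChain
        # here means this computer does not trust the issuing CA.
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-CaTrust -CaPath $CaCertPath -LeafPath $IssuedCertPath | Format-List
```

A result with `CaInMachineRoot` false and `ChainStatus` showing `UntrustedRoot` means the CA certificate still has to be distributed to that computer, by Group Policy or by importing the .cer file.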
 
