+2 for the thanks. I just have the three VPN certs issued. I will still follow the KB pretty much - after I can get the laptops' certs replaced and tested on the bench. Right now they are all out in the field.

Devin

On Wed, Oct 1, 2008 at 3:29 PM, Mike French <[EMAIL PROTECTED]> wrote:

> I thought if I followed this thread long enough I would get an answer to
> a question I had (but not posted) for a while. I too have an old DC with
> cert services installed (enterprise CA) from a previous admin. We are
> not using it for anything. No client or apps are renewing certs from it,
> etc. But I was a little apprehensive at removing it before finally
> dcpromoing the box out of existence. Your response just reinforced what
> I have been researching, so thanks Troy!
>
> -----Original Message-----
> From: Troy Meyer [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 01, 2008 3:10 PM
> To: NT System Admin Issues
> Subject: RE: Two Enterprise Root CA's
>
> Devin,
>
> That last KB should work just fine, but it's OVERLY uptight. Existing
> certs won't hurt the laptops if they remain valid, and if you don't have
> services that look at that CA, they aren't doing anything. With three
> clients, revoking them and continuing to publish a CRL is no big deal,
> but with many it may become a troublesome, unneeded effort.
>
> I would create the GPO that assigns the new CA to the trusted
> authorities, re-create any policies and templates on the new CA (doesn't
> sound like you have many), and then finally alter any services that used
> those certs (RAS, IAS, etc). Then, as long as no enterprise services
> depend on certificates from the old CA, uninstall cert services and
> decommission the machine.
>
> Good luck
>
> Troy
>
> -----Original Message-----
> From: Devin Meade [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 01, 2008 12:20 PM
> To: NT System Admin Issues
> Subject: Two Enterprise Root CA's
>
> I posted this when the NTSYSADMIN list was on spamcop and am reposting
> now...
>
> Group,
>
> We have two Enterprise Root CAs and need to remove one. The one I want
> to remove has only three computer certificates issued via an auto
> enrollment Group Policy, for VPN.
>
> After some googling, I see that I might be able to start the Cert
> Authority MMC on the bad CA, navigate to Certification Templates, then
> delete all of them. This should force the machines to renew them on the
> other root CA server.
>
> I ran certutil per http://support.microsoft.com/kb/555529 to find that I
> have two of these.
> Per http://forums.techarena.in/microsoft-security/934673.htm and
> http://groups.google.com/group/microsoft.public.windows.server.security/browse_thread/thread/af6cb6614c34f88f/5414636b3d971257?hl=en&lnk=st&q=delete+%22enterprise+root+ca%22#5414636b3d971257
> I can delete all templates and let them expire.
>
> This seems very heavy-handed. Is this a safe way to proceed? This is
> an Enterprise Root CA for a 2003 Active Directory.
>
> I only have three certs to replace. I wonder if I can just revoke them
> one by one while I have the laptops in my possession, stop the cert
> service on the bad CA, then let the GPO issue a new computer cert on the
> good CA. Then, after the three certs are reissued, uninstall Cert
> Services from the bad server (decommission it via
> http://support.microsoft.com/kb/889250).
>
> -Devin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

-- 
Devin
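A per-laptop check that fits the plan discussed above (confirm which CA issued each machine's certificate and that the surviving CA has already delivered a replacement before anything on the old CA is revoked or uninstalled). This is an added example, not code from the thread or from Microsoft; the two CA names are placeholders to be replaced with the real names shown by `certutil -ADCA` or the Certification Authority MMC.

```powershell
# Added example, not from the thread: per-host audit to run on each laptop
# (when it is back on the bench) before the old Enterprise Root CA is
# revoked or decommissioned. CA names below are placeholders.
param(
    [string]$OldCaName  = 'OldRootCA',   # placeholder: the CA being removed
    [string]$GoodCaName = 'GoodRootCA'   # placeholder: the CA that stays
)

# 1. Enrollment services still published in Active Directory (read-only).
certutil -ADCA

# 2. Inventory the machine's personal store and split it by issuing CA.
$all      = @(Get-ChildItem Cert:\LocalMachine\My)
$fromOld  = @($all | Where-Object { $_.Issuer -like "*CN=$OldCaName*" })
$fromGood = @($all | Where-Object { $_.Issuer -like "*CN=$GoodCaName*" })

"Certs from old CA : $($fromOld.Count)"
$fromOld  | Format-Table Subject, NotAfter, SerialNumber -AutoSize
"Certs from good CA: $($fromGood.Count)"
$fromGood | Format-Table Subject, NotAfter, SerialNumber -AutoSize

# 3. The old root remains in the Trusted Root store for as long as its CA
#    object is in AD; report it so post-decommission cleanup can be verified.
$oldRootTrusted = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$OldCaName*" }).Count -gt 0
"Old root still trusted on this host: $oldRootTrusted"

# 4. Decision rule: a laptop is clear once autoenrollment has delivered a
#    cert from the good CA and nothing from the old CA remains in use.
if ($fromGood.Count -ge 1 -and $fromOld.Count -eq 0) {
    "OK: no dependency on the old CA on this host."
}
elseif ($fromGood.Count -eq 0) {
    "WAIT: no cert from the good CA yet. Run 'gpupdate /force' (or 'certutil -pulse' on Vista and later) to trigger autoenrollment, then re-run."
}
else {
    # The serial numbers listed above are what 'certutil -revoke <serial> 4'
    # (reason 4 = Superseded) takes on the old CA once the replacement works.
    "WAIT: old-CA cert(s) still present; confirm the VPN works with the good-CA cert, then revoke/remove them."
}
```

Run it on each of the three laptops; only when every host reports OK does the old CA have no remaining client dependency, which is the condition Troy names for uninstalling Certificate Services.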
