Originally it was set up just to give Exchange 03 OWA a cert.  Then we
started using it for our Wireless Radius authentication.  That's all
it's used for.  I've been doing a lot of Googling and reading and found
a lot of ways to move it, decommission it, etc.  But none are all that
simple, especially if you want to move it to a server with a different
name.  I'm starting to come to the conclusion it may just be simpler to
revoke/remove from existing server and set up a new one.  But it looks
like there's still a ton of cleanup to do in AD after the fact.
Microsoft has migration tools for almost everything it seems but CAs.
I've just done so little work with this and wanted to make sure I
understand it enough to dig myself out if I break something.

________________________________

From: Ken Schaefer [mailto:[email protected]] 
Sent: Thursday, February 24, 2011 8:32 PM
To: NT System Admin Issues
Subject: RE: Multiple Root CA's in same domain?



Oh wow :)


What are you using certificates for? That's got to be your first
question. If you just issue a handful of authentication certs and you
don't care if your Root CA is ever compromised, then just set up another
one. As long as it's an Enterprise CA (Microsoft's term for AD
integrated), then the CA's signing cert will be added to all domain
joined members as a trusted root CA.  You need to use Windows Server
Enterprise Edition if you want to edit certificate templates.


If you are somewhat worried about the impact of revoking and reissuing
your root CA's cert in the event of compromise, I strongly suggest you
get the MS Press PKI book
(http://www.amazon.com/Windows-Server-Certificate-Security-PRO-Other/dp/
0735625166/) by Brian Komar. You will gain a good insight into how PKI
is supposed to work, and a better idea of reference architecture (e.g.
having a root CA and a separate issuing CA, and why). Then you can make
an informed decision on where you want to compromise on that reference
architecture (e.g. it's not worth dividing these two roles).


Cheers

Ken
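The two practical questions behind Ken's reply (does the new Enterprise CA's root actually land in every member's trusted-root store, and what does the old CA leave behind in AD that has to be cleaned up) can both be checked from any domain-joined box. The script below is an added example for this thread, not something posted by Ken or Niles: it walks the Public Key Services containers in the Configuration partition that an Enterprise CA writes to, flags entries matching an old CA name, and compares the result with the local machine's Trusted Root store. The CA name `EXCH03-CA` and the server name are made up for illustration; it only needs domain-user read access and PowerShell 2.0 (Server 2008 R2 / Windows 7), and it changes nothing.

```powershell
# Added example, not from the thread. Inventory where an Enterprise CA lives in
# AD and confirm the root cert has reached this machine's Trusted Root store.
# Assumes: run on a domain-joined machine as a domain user; the old CA's
# common name below is hypothetical - replace it with the real one.
$OldCaName = 'EXCH03-CA'

# Everything an Enterprise CA publishes sits under this path in the
# Configuration partition (replicated forest-wide, which is why the root
# cert shows up on every domain member without a GPO).
$rootDse = [ADSI]'LDAP://RootDSE'
$cfgNC   = $rootDse.configurationNamingContext
$pkiBase = "CN=Public Key Services,CN=Services,$cfgNC"

$containers = @(
    "CN=Certification Authorities,$pkiBase",  # root CA certs -> pushed to LocalMachine\Root
    "CN=Enrollment Services,$pkiBase",        # pKIEnrollmentService objects -> the CAs a cert picker (NPS, MMC) offers
    "CN=AIA,$pkiBase",                        # CA certs for chain building
    "CN=CDP,$pkiBase",                        # one container per CA server holding its CRLs
    "CN=KRA,$pkiBase"                         # key recovery agents, usually empty
)

function Get-PkiInventory {
    # Returns one record per object under each PKI container, marking those
    # whose name contains the old CA so you can see what decommissioning leaves.
    $results = @()
    foreach ($dn in $containers) {
        $c = [ADSI]"LDAP://$dn"
        foreach ($child in $c.Children) {
            $results += New-Object PSObject -Property @{
                Container = ($dn -split ',')[0]
                Object    = $child.Name
                IsOldCa   = [bool]($child.Name -match [regex]::Escape($OldCaName))
            }
        }
    }
    return $results
}

# NTAuthCertificates is a single object whose cACertificate attribute holds
# every CA allowed to issue logon/authentication certs; an old CA lingers here too.
function Get-NtAuthSubjects {
    $ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
    $subjects = @()
    foreach ($raw in $ntAuth.Properties['cACertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
        $subjects += $cert.Subject
    }
    return $subjects
}

# What the domain PKI objects have actually propagated down to this machine.
function Get-LocalRoots {
    Get-ChildItem Cert:\LocalMachine\Root |
        Select-Object Subject, Thumbprint, NotAfter
}

Write-Host "== AD PKI objects (flagged = references the old CA)"
Get-PkiInventory | Sort-Object Container, Object |
    Format-Table Container, Object, IsOldCa -AutoSize

Write-Host "`n== NTAuthCertificates members"
Get-NtAuthSubjects | ForEach-Object { Write-Host "  $_" }

Write-Host "`n== Trusted roots on $env:COMPUTERNAME"
Get-LocalRoots | Format-Table -AutoSize

# Domain members refresh from AD on the autoenrollment schedule (about 8 hours);
# to pull the new root now rather than wait, trigger autoenrollment manually.
certutil -pulse
```

Read the output as a before/after pair: once the new CA is installed, its name should appear under Certification Authorities and Enrollment Services and its subject in the local Root store; once the old CA is removed, anything still flagged `IsOldCa` (plus its NTAuth entry and the CDP container named after the old server) is the AD cleanup Niles mentions, and an entry left under Enrollment Services is exactly why the NPS cert picker keeps offering the old Exchange box.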


From: N Parr [mailto:[email protected]] 
Sent: Friday, 25 February 2011 7:28 AM
To: NT System Admin Issues
Subject: Multiple Root CA's in same domain?


The reason I ask is I'm migrating my Radius for Cisco Wireless
Authentication from 03 to NPS on 08R2.  My existing Root CA is on my
Exchange 03 server which is next on my list to get migrated to exchange
2010 and go away.  Existing Radius server is using existing Exchange
server as CA.  Can I just set up a new Root CA on my 08R2 server that
will be running NPS?  If so should it be Enterprise or Standalone, new
private key, etc?  Right now when I create the new wireless policy in
NPS it wants to grab a cert from my old exchange box.  If I can set up a
new Root CA will NPS automatically use the new local CA?

Thanks

Niles


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
