Channel: Security forum

Can I migrate my Issuing Certificate Authority back to the same server after demoting the domain controller portion?


I have a normal 2-tier PKI, with an offline Root authority and an online issuing certificate server. The online one is unfortunately installed on a domain controller (2003). I have longer-term plans to replace the entire PKI as it contains a business entity name that no longer exists, but for the time being I have a requirement to get that old domain controller out of operation.

I know I cannot demote a domain controller that has a certificate authority installed on it. Can I take an approach similar to the Active Directory Certificates Migration Guide (http://technet.microsoft.com/en-us/library/ee126170(v=WS.10).aspx) to back up all my CA information, uninstall the cert services, demote the controller, reinstall the services and restore the configuration (in effect, migrate back to the same box) and expect success? I use certificates for authentication both on 802.1x network connectivity and VPN clients, so I don't really want to interrupt this too much.

In the end the source server will still host the CRL, still have certificate services, and have the same name. Is there any reason this wouldn't be a reasonable approach to do this and still have the box functional but remove the DC component? The only application left on this server would be certificate services, and I could work on my new PKI going into later in the year so I can stay focused on moving my old domain controllers out of the environment.

Any input is appreciated!

- Vo

