Channel: Security forum

Proper Steps to Build CA with new CN


Hey all,

I have been pretty busy lately, but I'm ready to take on this CA rebuild plan.

Here's the scenario: we currently have a Root (Enterprise) CA that hosts most of your certificates internally. On our Edge server we use VeriSign certs, so I'm not too worried there.

I want to sort of follow this, but I want to have a new Common Name, and as shown in the comments this has to be done via building a CA from scratch.

So I built a test enviro and sure enough I removed the CA role from the initial CA, and built it anew on a freshly built Server 2008 R2 server. After rebuilding I can see the new Root CA cert being installed on workstation machines. I was even able to request new certs on the Lync 2013 server and reassign them without issue, on new sha1RSA-based certs. This is good. I also noted that when viewing a workstation user's personal cert store, a cert was there signed by the CA with the user's SIP address. I believe this is what was causing the events to populate on my Lync Server. (see below)

I'm concerned about other services, though now that I think of it I don't see what else this would disrupt, since most third-party appliances/services usually run with self-signed certs (I plan to change this to hopefully get them to run off certs signed by this new CA).

The main reason for this is because I get "GetnPublish Web Service" events on my Lync Server; research led me to one TechNet forum where it was determined to be due to a bad CA setup: Lync requires sha1RSA, and we were using sha1DSA.

Now in my production enviro I have not removed the CA role from the current CA that is signing certs using sha1DSA, and I'm running the CA role installation on the new server to see what the options are. I get up to type and I can select the option of a Root CA... how does this work when there's already a Root CA configured?

