We currently have one offline standalone root certificate authority and one enterprise issuing certificate authoritythat are both running Windows Server 2003 Enterprise Edition Service Pack 2. Our current plan is to replace each with a new Server 2012
R2 machine replicating the same set up. We plan on backing up the CA databases, private key, template list, algorithm and CSP and then importing them on the new replacement server. Our initial plan is to use new host names for both servers, which from what
I can see complicates things. I planned on editing the registry file exported from the original servers to change and references to old servers before importing, but I'm concerned that this will still cause problems. Specifically with the CRL Distribution
Points (CDP) and the Authority Info Access (AIA) locations. We have two CDPs (one for each CA) and each CDP contains the name of the machine name that it is a part of. The CDPs from issued certificates point directly towards URL=http://IssuingCAFQDN/CertEnroll/IssuingCA.crl
and the AIA does something similar by pointing towards URL=http://IssuingCAFQDN/CertEnroll/IssuingCAFQDN_IssuingCA.crt.
A few questions based on that I have found so far:
Will certificates issued by the existing issuing CA have problems if the new issuing CA has a different machine name and the older server no longer exists in DNS or AD?
Will adjustments need to be made inside of Active Directory Sites and Services > Services > Public Key Services beyond permission related changes to ensure that the new servers have access to the necessary objects?
Will the names of the containers within Active Directory Sites and Services > Services > Public Key Services > CDP remain as they are after the upgrade? Currently the CDP container has two child containers. One is named the same as the root CA (CN=RootCA) and the other is named the same as the issuing CA (CN=IssuingCA), or are these just names of the objects in active directory and not tethered to the servers that share the same name?
Is it recommended to retain the same machine names instead of using new machine names?
From reading this (http://blogs.technet.com/b/xdot509/archive/2011/11/17/upgrading-your-pki-from-windows-server-2003-to-windows-server-2008-r2-part-ii-upgrade-considerations.aspx), we will need to edit the CDP and AIA paths and reissue all certificates if we utilize new host names (due to the fact that the paths that exist in the CA utilize the names of the existing CAs). Has anyone encountered that before?
A few questions based on that I have found so far:
Will certificates issued by the existing issuing CA have problems if the new issuing CA has a different machine name and the older server no longer exists in DNS or AD?
Will adjustments need to be made inside of Active Directory Sites and Services > Services > Public Key Services beyond permission related changes to ensure that the new servers have access to the necessary objects?
Will the names of the containers within Active Directory Sites and Services > Services > Public Key Services > CDP remain as they are after the upgrade? Currently the CDP container has two child containers. One is named the same as the root CA (CN=RootCA) and the other is named the same as the issuing CA (CN=IssuingCA), or are these just names of the objects in active directory and not tethered to the servers that share the same name?
Is it recommended to retain the same machine names instead of using new machine names?
From reading this (http://blogs.technet.com/b/xdot509/archive/2011/11/17/upgrading-your-pki-from-windows-server-2003-to-windows-server-2008-r2-part-ii-upgrade-considerations.aspx), we will need to edit the CDP and AIA paths and reissue all certificates if we utilize new host names (due to the fact that the paths that exist in the CA utilize the names of the existing CAs). Has anyone encountered that before?