We have L2TP/IPSec VPN clients (Win XP SP3) that connect using computer certs enrolled by Group Policy. The machines are out in the field during the cert's lifetime; many are far from the office. So auto-renew is not available because they're not booting connected to the LAN. They renew their certs by bringing the machines into the office once a year, connecting to the LAN, and booting up. Group Policy can then renew the cert.
Step 1 in Microsoft's CA decommission instructions at http://support.microsoft.com/kb/889250 is to revoke all active certs. That's sure not what we want to do!
Is it possible to decommission a WS2003 R2 SP2 Enterprise Sub CA while leaving active certs that it issued valid?
Can the surviving CA be made responsible for managing the decommissioned CA's certs?
Alternatively, is there a way to script enrolling for a new Computer cert, or renewing an existing Computer cert, and force the machine to renew from a specific CA that will remain, in advance of decommissioning the original CA? I can make that happen once for each machine automatically during VPN connections.
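As an added illustration of the scripted-enrollment idea in the last paragraph (this is example code, not something from the question or from Microsoft's KB article), the following batch file uses the `certreq` tool that ships with Windows XP SP3 to request a fresh Computer certificate and to direct that request at a named CA instead of letting autoenrollment pick one. The CA config string `SURVIVINGCA.example.local\Example Sub CA 2`, the machine FQDN, and the output folder are placeholders to be replaced; `Machine` is the template name of the built-in Computer template, and the script assumes the surviving CA already publishes that template and that the computer account has Enroll permission on it.

```batch
@echo off
rem Added example: request a new Computer cert from a specific surviving CA.
rem Placeholder values below must be adapted to the real environment.
setlocal

set CACONFIG=SURVIVINGCA.example.local\Example Sub CA 2
set WORKDIR=%SystemRoot%\Temp\certrenew
set INF=%WORKDIR%\machine.inf
set REQ=%WORKDIR%\machine.req
set CER=%WORKDIR%\machine.cer

if not exist "%WORKDIR%" mkdir "%WORKDIR%"

rem Build the request policy file. MachineKeySet=TRUE puts the key in the
rem computer's store (required for an IPsec machine cert); Exportable=FALSE
rem keeps the private key from being copied off the box.
> "%INF%" echo [NewRequest]
>> "%INF%" echo Subject = "CN=%COMPUTERNAME%.example.local"
>> "%INF%" echo KeyLength = 2048
>> "%INF%" echo KeySpec = 1
>> "%INF%" echo MachineKeySet = TRUE
>> "%INF%" echo Exportable = FALSE
>> "%INF%" echo RequestType = PKCS10
>> "%INF%" echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
>> "%INF%" echo [RequestAttributes]
>> "%INF%" echo CertificateTemplate = Machine

rem 1. Generate the key pair and the PKCS#10 request in the machine context.
certreq -new "%INF%" "%REQ%"
if errorlevel 1 goto fail

rem 2. Submit straight to the surviving CA; -config bypasses CA selection.
rem    With the Computer template this is issued immediately if the computer
rem    account has Enroll rights, so the .cer comes back on the same call.
certreq -submit -config "%CACONFIG%" "%REQ%" "%CER%"
if errorlevel 1 goto fail

rem 3. Install the issued cert and bind it to the pending key.
certreq -accept "%CER%"
if errorlevel 1 goto fail

rem 4. Show what is now in the machine personal store so the issuer can be
rem    checked; the old cert from the retiring CA is still present alongside.
certutil -store My
echo Enrollment from %CACONFIG% completed.
goto :eof

:fail
echo Enrollment failed with errorlevel %errorlevel%; see %WORKDIR% for the request files.
exit /b 1
```

Run this under the SYSTEM account (for example from a scheduled task or the VPN connection script the question mentions) so that `certreq` operates in the computer context; run as an interactive user it would enroll a user cert instead. Because the old certificate is not removed, the IPsec negotiation can continue to fall back to it until the retiring CA's cert is finally removed from the NTAuth/root trust, which is the point at which only the new cert will be accepted.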