
Demote Root CA to subordinate - lose existing certs?

Newsgroup: microsoft.public.windows.server.security
Posted by CH on February 26, 2008, 11:28 pm
With my limited understanding of Certificate Services (until now - hopefully
I'm learning!), I realize that sometime in the past I have created multiple
Enterprise Root CAs in the organisation. I have now read that this is OK,
but not desirable.

I'd like now to demote one rootCA back to an Ent Subordinate CA and retain a
single RootCA, and I'm guessing this is going to involve uninstalling CertSvc
and reinstalling on the machine being "demoted".

My big concern is the existing certs that have already been issued by that
CA - apart from its own, it has issued Dom Controller certs for another 4
DCs.

How best can I handle this?
Can I uninstall/reinstall CertSvc without affecting the DCs who have certs
issued by this machine?

Any help would be much appreciated,
Cam

Posted by Brian Komar (MVP) on February 27, 2008, 11:19 am
You will have to reinstall and replace the DC certificates.
But, this is easy.
certutil -dcinfo deletebad
(after the last CRL is expired)
Alternatively, run "certutil -dcinfo deleteall"
This will cause all DCs in the domain to replace their DC cert with an
updated certificate.
Brian


Posted by CH on February 27, 2008, 4:56 pm
Thank you Brian.

What's the correct sequence to follow? Do I:
1. Uninstall CS on the "root-to-be-demoted", then
2. Reinstall CS on same machine, selecting as an EntSubCA, then
3. Run "certutil -dcinfo deleteall" ?
Or do I run the deleteall before uninstalling CS?

Can I control which CA will issue the new DC certs?
I'd prefer they come off the new SubCA, rather than the single RootCA that
is to remain (i.e. subs do all the issuing).

Thanks again,
Cam



Posted by Brian Komar (MVP) on February 27, 2008, 8:18 pm
Answers inline...
> Thank you Brian.
>
> What's the correct sequence to follow? Do I :
> 1. Uninstall CS on the "root-to-be-demoted". then
> 2. Reinstall CS on same machine, selecting as an EntSubCA, then
> 3. Run "certutil -dcinfo deleteall" ?


This would be the correct order.

> Or do I run the deleteall before uninstalling CS?
Nope, since this instigates a re-enrollment. Wait until you have your subCA
available.
>
> Can I control which CA will issue the new DC certs?
You should publish the Domain Controller and Domain Controller
Authentication certs at the subCA only.

> I'd prefer they come off the new SubCA, rather than the single RootCA that
> is to remain (ie subs do all the issuing).

Following best practices, the root CA would be an offline, standalone CA and
would never be on the network to issue DC certs.

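After the re-enrollment Brian describes (reinstall as a subordinate CA, then `certutil -dcinfo deleteall`), a defender would want to confirm that every DC now holds a Domain Controller / Domain Controller Authentication certificate issued by the new subordinate CA and that nothing still chains to the demoted root. The PowerShell below is an added verification example, not code from the thread; it assumes the ActiveDirectory module is installed, WinRM is reachable on each DC, and the two thumbprints are placeholders you replace with your own.

```powershell
# Added post-migration check (not from the thread or from Microsoft).
# Assumptions: ActiveDirectory module present, WinRM reachable on every DC,
# and the two thumbprints below are placeholders you replace with your own.
$NewSubCaThumbprint = 'PLACEHOLDER_NEW_SUBCA_THUMBPRINT'
$OldRootThumbprint  = 'PLACEHOLDER_DEMOTED_ROOT_THUMBPRINT'

# Certificate Template extensions: v1 template name and v2 template information
$TemplateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    # (,$TemplateOids) keeps the array as a single argument for param($oids)
    Invoke-Command -ComputerName $dc.HostName -ArgumentList (,$TemplateOids) -ScriptBlock {
        param($oids)
        foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
            $tpl = ($cert.Extensions | Where-Object { $oids -contains $_.Oid.Value } |
                    ForEach-Object { $_.Format($false) }) -join '; '
            # Matches the v1 'DomainController' name and v2 'Domain Controller Authentication'
            if ($tpl -notmatch 'Domain ?Controller') { continue }
            # Build the chain to see which CA issued the cert and which root it ends at
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $null = $chain.Build($cert)
            $elements = $chain.ChainElements
            $issuerTp = if ($elements.Count -gt 1) { $elements[1].Certificate.Thumbprint } else { $null }
            [pscustomobject]@{
                DC        = $env:COMPUTERNAME
                Template  = $tpl
                NotAfter  = $cert.NotAfter
                IssuerTP  = $issuerTp
                ChainRoot = $elements[$elements.Count - 1].Certificate.Thumbprint
            }
        }
    }
}

# Flag any DC cert that still chains to the demoted root or was not issued by the new sub CA
$report |
    Select-Object DC, Template, NotAfter, IssuerTP, ChainRoot, @{ n = 'Status'; e = {
        if ($_.ChainRoot -eq $OldRootThumbprint)      { 'STILL_CHAINS_TO_DEMOTED_ROOT' }
        elseif ($_.IssuerTP -ne $NewSubCaThumbprint) { 'NOT_ISSUED_BY_NEW_SUBCA' }
        else                                         { 'OK' }
    } } |
    Format-Table -AutoSize
```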

