Moving a Windows 2003 Standalone CA?
#1
Thread Starter
I know people say you can't or shouldn't, but I'm stuck with a job where this needs to be done.
There is this Microsoft article: How to move a certification authority to another server, but does anyone have any real-world experience of this?
The original server is a standalone CA on a Windows 2003 Standard Edition server, which was a member of the domain, but located in the DMZ with access back to the LAN.
The replacement server will be a standalone CA on a Windows 2003 R2 Standard Edition server, which will be a member of the domain on the LAN.
We have tried to move it already, but the existing certificates which have already been issued and have not expired or been revoked, are unable to be recognised by the new server. There seems to be an issue with the key that is generating the new certificates, which seems to be different.
Does anyone have any bright ideas (other than retry the article again and hope it was a glitch, which will be done first thing tomorrow)?
Cheers
Andy
#3
Thread Starter
Thanks for digging that out Hanley!
We have been told categorically that we cannot reissue or revoke any certificates, as the general user population is not IT-savvy.
I'll suggest it, but I suspect I already know the answer.
#6
Thread Starter
We tried it again today and it was spot on!
Only issue is that certificates being issued would work on XP, but not on Vista, as the web enrolment tool keeps saying loading activex.
We have since found this: How to use Certificate Services Web enrollment pages together with Windows Vista or Windows Server 2008, which resolved that issue.
We then had issues where certificates issued to Vista machines would not work (even though on an XP machine with the same process, it would work). It turns out that the CA is issuing 1024 bit certificates (which work on XP, but not Vista). The root certificate is correct, and the certificates are installed correctly on both XP and Vista in the same locations.
Using the advanced features within the web enrolment tool and selecting 2048 bit certificates for the Vista machines, it works fine!
It was a long day today, but I have learnt so much!!!