Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

Jonathan Stephens posted an excellent blog about this topic; however, it didn’t include the steps, so I decided to write this post detailing the steps required. The following assumptions have to be met before proceeding:

1- There is a new valid Certification Authority configured

2- There is a new distribution point configured for AIA and CDP locations named http://crl.contoso.com/CertData

Steps:

1- Logon to the old Enterprise Certification Authority as an Enterprise Administrator.

2- Identify the AIA and CDP distribution points

  a. Open the Certification Authority Console
  b. Right click the Certification Authority name and click Properties
  c. Click the “Extensions” tab
  d. Document the distribution points configured for CRL Distribution Point (CDP); for example http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl, which refers to the local IIS installed on the server, or http://pki.contoso.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

Note: Ignore the LDAP and C:\%windir% locations

  e. In the “Extensions” tab, select Authority Information Access (AIA) from the drop down menu
  f. Document the distribution points configured for the AIA extension; for example http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt, which refers to the local IIS installed on the server, or http://pki.contoso.com/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt

Note: Ignore the LDAP and C:\%windir% locations

3- Disable Delta CRL and issue a long-lived Certificate Revocation List (CRL)

  a. Open the Certification Authority Console
  b. Right click “Revoked Certificates”, and then click “Properties”
  c. Uncheck “Publish Delta CRL”
  d. Change the “CRL publication interval” to 99 years and then click OK
  e. Open the command line with elevated privileges
  f. Run Certutil -crl to issue a new Certificate Revocation List (CRL)

4- Copy the old Certification Authority’s certificate (CRT) and certificate revocation list (CRL) files to the server hosting the website http://crl.contoso.com/CertData

  a. On the old Certification Authority, navigate to %windir%\System32\CertSrv\CertEnroll
  b. Copy the Certification Authority’s certificate (CRT) and certificate revocation list (CRL) to the directory hosting http://crl.contoso.com/CertData

5- Redirect the Authority Information Access (AIA) and Certificate Revocation List (CRL) distribution points of the old Certification Authority to http://crl.contoso.com/certdata

  a. This can be done using an IIS redirect or a DNS CNAME record, so that the Authority Information Access (AIA) and Certificate Revocation List (CRL) locations of the old Certification Authority documented in steps 2.d and 2.f resolve to the new web server http://crl.contoso.com/certdata

6- Document and remove all certificate templates available on the old Certification Authority to prevent it from issuing new certificates

  a. Open the command line with elevated privileges
  b. Run Certutil -catemplates > c:\catemplates.txt to document all certificate templates available at the old Certification Authority
  c. Launch the Certification Authority console
  d. Navigate to “Certificate Templates”
  e. Highlight all templates in the right pane, right click and then click “Delete”

At this point, the old Certification Authority can’t issue any certificates, and all of its Authority Information Access (AIA) and Certificate Revocation List (CRL) locations are redirected to the new web site http://crl.contoso.com/CertData. The next steps detail how to document the certificates issued from templates on the old Certification Authority and how to make those templates available at the new Certification Authority.

7- Identify and document the certificates issued based on certificate templates by sorting the Certification Authority database

  a. Highlight “Issued Certificates”
  b. Navigate to the right, and sort by “Certificate Templates”
  c. Identify the certificates issued by default certificate template types
  d. Identify the certificates issued by custom certificate templates, i.e. any template other than the built-in default certificate templates

8- Dump the certificates based on the default certificate template types:

  a. Open the command line with elevated privileges
  b. Run Certutil -view -restrict "Certificate Template=Template" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\TemplateType.txt
  c. Examine the output in c:\TemplateType.txt and document all the certificates needing immediate action, i.e. those that must be reissued from the new CA infrastructure, such as web SSL certificates.
  d. Consult with the application administrator using the certificates to determine the best approach to replace them if needed

Note: Replace Template with the correct template name.

9- Dump the certificates based on the custom certificate template types:

  a. Open the Certification Authority Console
  b. Right click “Certificate Templates” and click “Manage”
  c. Double click the certificate template and click the “Extensions” tab
  d. Click “Certificate Template Information”
  e. Copy the Object Identifier (OID); the number will look similar to 1.3.6.1.4.1.311.21.8.12531710.13924440.6111642.16676639.10714343.69.16212521.10022553
  f. Open the command line with elevated privileges
  g. Run Certutil -view -restrict "Certificate Template=OIDNumber" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\CustomTemplateType.txt

Note: Replace OIDNumber with the number identified in step 9.e

  h. Examine the output in c:\CustomTemplateType.txt and document all the certificates needing immediate action, i.e. those that must be reissued from the new CA infrastructure, such as custom SSL certificates.
  i. Consult with the application administrator using the certificates to determine the best approach to replace them if needed

Note: You don’t need to take any action if the certificate was auto-enrolled, because the certificate holder will renew it from the new CA infrastructure when it expires.

10- Enable the Certificate Templates needed based on the results of steps 7-9 on the new Certification Authority

  a. Logon to the new Certification Authority as an Enterprise Administrator
  b. Right click “Certificate Templates”, click “New” and then click “Certificate Template to Issue”
  c. Choose all the certificate templates needed in the “Enable Certificate Templates” window and click “OK”

11- <Optional> At this point you can uninstall the Certification Authority Role on the old Certification Authority

  a. Back up the old Certification Authority using the steps outlined in Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)
  b. Uninstall Certificate Services from the old Certification Authority
  c. Decommission the server unless it is running other applications

12- Once all certificates are issued by the new infrastructure, you can safely remove all the Authority Information Access (AIA) and Certificate Revocation List (CRL) files of the old Certification Authority from your infrastructure, following the steps in How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects, and from the web server hosting http://crl.contoso.com
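Steps 2, 3, 6.b and 8 can also be performed from an elevated PowerShell prompt on the old Certification Authority. This is an added example, not part of the original post: the output folder C:\CADecom and the template list are assumed values, and the Delta CRL and 99-year settings from step 3 are written through the CA registry keys (CRLDeltaPeriodUnits, CRLPeriodUnits, CRLPeriod) instead of the “Revoked Certificates” properties dialog.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the OLD CA. $OutDir and the default $Templates list are assumed values.
param(
    [string]$OutDir = 'C:\CADecom',
    # Constructed sample list; replace with the template names found in step 7.
    [string[]]$Templates = @('WebServer', 'Machine', 'User')
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 2: record the configured CDP and AIA URLs instead of reading them off the
# Extensions tab. These are the locations that step 5 redirects to crl.contoso.com.
certutil -getreg CA\CRLPublicationURLs    | Out-File "$OutDir\cdp-extensions.txt"
certutil -getreg CA\CACertPublicationURLs | Out-File "$OutDir\aia-extensions.txt"

# Step 3: 0 delta units disables Delta CRL publishing; the base CRL period becomes 99 years.
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLPeriodUnits 99
certutil -setreg CA\CRLPeriod 'Years'
Restart-Service -Name CertSvc          # registry changes take effect after a restart
certutil -crl                          # publish the new long-lived CRL to CertEnroll

# Read the values back so the change is verified, not assumed.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLDeltaPeriodUnits

# Step 6.b: document the templates published on this CA before they are deleted.
certutil -catemplates | Out-File "$OutDir\catemplates.txt"

# Step 8: one dump per template of the certificates this CA issued from it.
# Default (version 1) templates are matched by name; for custom templates pass
# the template OID from step 9.e in $Templates instead.
foreach ($t in $Templates) {
    certutil -view -restrict "Certificate Template=$t" `
        -out 'SerialNumber,NotAfter,DistinguishedName,CommonName' |
        Out-File "$OutDir\$t.txt"
}
```

After step 5 is in place, running certutil -verify -urlfetch against a certificate issued by the old CA confirms that its AIA and CDP URLs now resolve and download from http://crl.contoso.com/CertData.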


Amer F. Kamal

Senior Premier Field Engineer

Comments
  • Hello Amer, Thanks for the nice tutorial. I have a question: in my domain I have an offline root CA with a subordinate enterprise CA. I must change the root CA name, because someone doesn't like the value "issued by". So is there any way to change the root CA name, renew the certificate for the subordinate CA and keep the users' certificates? Thanks a lot for any solutions.

  • Martin.

    The name you are referring to is a CA Sanitized Name and can't be changed. The only solution for the issue you have is rebuilding the CA.

  • Excellent guide! We're in the situation where our 5+ year old Win2003 DC has to be decommissioned since it's OLD and does not follow proper naming standards. However, it also has Enterprise Root CA installed and I'm investigating proper actions and I will suggest to do exactly what you've recommended above. But are there ANY arguments to instead set up a new 2008R2 CA standalone domain member and try to move the CA database to that server? Looking at the still active certs there are only Domain Controller certs issued.

    One caveat though, there is one Subordinate CA issued to a CA in Spain. I guess if we start building a new CA structure, they will also need to build a new CA server in the new CA structure?

  • James,

    If I understand you correctly, you are suggesting to create an offline root CA and then importing the old Enterprise Root CA database. This is a bit complicated because you have to offline the CA. The easiest approach is following the steps mentioned in this blog and starting from scratch with a 2 tier hierarchy. If certificates were issued using autoenrollment, then they will renew from the new hierarchy without any issue. This should also apply to the CA in Spain.

    Hope this helps!

  • Hello Amerk,

    I've found these 2 excellent guides and plan to use them at a new client.

    The client currently has an enterprise root on a W2K3R2 DC that has issued many certificates based on only the standard templates. At some point an enterprise subordinate CA was also configured on a W2K3R2 DC that has also issued many certificates based on only the standard templates. No custom templates are configured. The standard templates that have been used to issue certificates are:

    Administrator

    Domain Controller

    Basic EFS

    Computer

    User

    Subordinate CA

    Web Server

    No certs have been issued using the EFS recovery agent template (oops!)

    Additionally, certs using a template CA Exchange have been issued.

    The existing CA hierarchy is barely functional because of old hardware and re/misconfiguration so I plan to simply replace it with a best-practice offline standalone root and subordinate enterprise CAs in a 2-tier hierarchy based on W2K8 or W2K12 servers.

    I've worked through the 2 articles and it's mostly clear except for a question I have regarding the versions of the pre-configured certificate templates. The W2K3 templates seem all to be version 1, and the latest templates can be version 3 or 4, although most of the ones in use here seem to still be version 1.

    My specific question concerns the steps exporting the "old" templates and importing them into the new CA. Assuming I have prevented creation of the standard templates on the new CA (LoadDefaultTemplates=false), do I have to do anything to avoid template version issues? Can I simply use the same-named templates from W2K12, do I use the "Compatibility" tab and duplicate, and lastly can I simply add the remaining new template types (that are not yet used)?

    Your guidance would be appreciated.

    Richard

    Switzerland

  • Hi Amerk, I hope you are still reading this :) First, thank you for the guide. But I have one little thing which is confusing me and it is right at the beginning: "2- There is a new distribution point configured for AIA and CDP locations named http://crl.contoso.com/CertData". About the new distribution point: do you mean the new distribution point of the new CA, or do you mean a separate distribution point where I have to put the old CRLs and CRTs? Sorry for that stupid question :) Thanks in advance, Matthias

  • Hi Matthias, It can be the new distribution point of the new CA, or a separate distribution point hosted on another web server. Best practice for CA distribution points calls for creating a separate web site hosted on a non-CA server. You need to copy the CRL and AIA files from the old CA to the distribution point, regardless of the distribution point selected above.

  • Hello All, a very good blog, appreciated.
    I have a question about auto-enrolled certificates. When the auto-enrolled certificates get renewed against the new active CA, do they renew keeping their original public and private key-pair? Also, does the certificate subject key identifier change after the renewal process?
    Regards
    Raf

  • Thanks for your good guide. If I lost root CA, can I do step by step with your guide?

  • Hi TuanBA.

    If you lost the Root CA, then you have to build from scratch. I am assuming a lost CA means you can't locate backups/Private Keys etc...

  • Hi Amerk,
    My Root CA server was turned off and moved to storage without backup. Now I can't find the RootCA server. Maybe this server was taken away for another purpose. Please help me in detail without causing an interruption in my business. Thank you very much!

  • Hi Amerk. I have already built a new PKI. And I did the steps in your blog. Everything has run smoothly.
    Thank you so much!

  • Excellent guide! Thanks for posting. I have a question that has nothing to do with this post, but I can't find it anywhere.
    We have an old Standard Root Certification Authority running on W2k3, but we are trying to start using customized templates, so we have to deploy an Enterprise CA. Is there any chance that I could deploy a new Enterprise "Subordinate" CA on W2008R2 but keep the old standard root CA on W2k3, in order to minimize the heavy task of a brand new hierarchy? Would this enable us to use custom templates?
    Thanks for your time!
    regards

  • Hi Amerk,

    I just came across your great blog and I was a little too late finding it as I did the CA migration already from 2003 to 2008. I followed the following guide but it was not as detailed as yours: http://blogs.technet.com/b/meamcs/archive/2012/03/27/migrating-windows-2003-enterprise-certificate-authority-to-windows-2008-r2-based-ca.aspx

    So this is where I stand now: the new 2008 AD/CA server has a different host name than the old CA server name, and after I did the migration, the new 2008 CA host name took the name of the old server host name. I would like to know if there is a way to change this, or if I just leave it as is, would it cause issues?

    The new CA server name seems functional as far as I can tell. Do I need to perform steps listed in your great guide? Should I restore/revert to the old CA server and start over with your guide, is this possible?

    I have 4 certs that are “Subordinate Certification Authority (SubCA)” and just want to make sure they are being issued from the new CA server. How do I determine that?

    P.S New 2008 CA server is an Enterprise CA.

    Thank you
