jasonboche
2007-03-13 04:55:03 UTC
I need a sanity check here.
Environment:
3 Win2k3 AD domain controllers, upon which there is:
1 Enterprise root CA
1 Subordinate CA
Various certificates have been issued through the domain
Problem:
The AD domain controller which hosts the Enterprise root CA is severely ill
and needs to be rebuilt.
The Subordinate CA will continue to function handling certificates while the
Enterprise root CA is down; however, what exactly is the procedure for
rebuilding an Enterprise root CA when a Subordinate CA for the CA chain
already exists?
Obviously I do not want to lose all issued certificates, nor do I wish to
rebuild the CA completely and go through the process of re-issuing and
re-installing new certificates.
What's the best route here as I have never had to do this before and I
haven't found it discussed in any of my text books or KB searches? I have
some options as the root CA domain controller is still up and functional and
I can back up the SystemState as needed but since the DC is being rebuilt
from scratch, I don't believe I'm going to be able to restore the SystemState
of an old server to a new server, particularly just the CA portion of
SystemState. I know the root CA can remain offline; in fact, it's a best
practice from the MS camp. However, I don't think that implies that a root CA
can be taken offline for eternity with no ill effects. I'm afraid not
rebuilding a root CA might bite me later down the road. For instance, I'm
thinking that if I want to add an additional Subordinate CA, the root CA may
need to be online for that to take place.
Thank you in advance,
Jas
--
Jason Boche, MCSE NT4/2000/2003, MCSA 2000/2003, MCP, VCPx2, CCA, A+
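The post asks which part of SystemState actually carries the CA. As an added example, written for this page and not a reply from the thread nor Microsoft's own documented procedure, the script below collects the CA-specific artifacts with the `certutil` and `reg.exe` switches that ship with Windows Server 2003: the database and private key (`certutil -backup`), the CertSvc registry configuration (CRL/AIA paths, validity settings), the published template list, and CAPolicy.inf. It also runs a chain check on the subordinate CA certificate, because the concrete "ill effect" of a root CA left offline too long is that the root's CRL expires and chain validation of everything below it starts failing; an offline root still has to be brought up periodically to re-sign its CRL. The paths `D:\CABackup` and `subca.cer` are placeholders, not values from the post. PowerShell is an optional install on 2003; the `certutil` and `reg` lines run unchanged from `cmd.exe`.

```powershell
# Added example, not part of the original post: capture the CA-specific
# pieces that a "just the CA portion of SystemState" restore would need,
# so Certificate Services can be re-installed on a rebuilt host under the
# same CA common name and keep its issued-certificate history.
# Placeholders (assumptions): $BackupRoot and $SubCaCertFile are not from
# the thread. Run on the root CA host as a CA administrator; certutil
# prompts interactively for the PFX password that protects the CA key.

$BackupRoot    = 'D:\CABackup'                 # placeholder backup location
$SubCaCertFile = 'D:\CABackup\subca.cer'       # placeholder: the issued sub CA cert
$Stamp         = Get-Date -Format 'yyyyMMdd-HHmm'
$Dest          = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 1. Certificate database, logs, and the CA certificate + private key (as PFX).
Write-Host '== certutil -backup'
certutil -backup $Dest
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 2. CA registry configuration: CRL/AIA publication points, validity periods,
#    CSP and key settings. Without this the rebuilt CA publishes to the wrong
#    paths even though its database and key are intact.
Write-Host '== reg export CertSvc configuration'
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' (Join-Path $Dest 'CertSvc-Configuration.reg')
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 3. Template assignments (Enterprise CA) and CAPolicy.inf if one exists, so
#    the rebuilt CA issues the same templates under the same policy.
certutil -catemplates | Out-File (Join-Path $Dest 'catemplates.txt')
$CaPolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $CaPolicy) { Copy-Item $CaPolicy $Dest }

# 4. Chain check of the subordinate CA certificate. An offline root whose CRL
#    has lapsed shows up here as a revocation-status failure: that is the
#    point at which "offline" stops being harmless for the sub CA's chain.
if (Test-Path $SubCaCertFile) {
    certutil -verify -urlfetch $SubCaCertFile | Out-File (Join-Path $Dest 'subca-verify.txt')
}

Write-Host "CA backup written to $Dest"

# Restore outline for the rebuilt host (same CA common name, same AD domain):
#   - install Certificate Services and choose "use existing key", pointing at
#     the PFX written to $Dest by step 1
#   - certutil -restore <Dest>            (database and logs)
#   - reg import CertSvc-Configuration.reg
#   - net stop certsvc ; net start certsvc
```

Keep the backup folder off the CA host (and the PFX password separately from it); whoever holds that PFX holds the root of the whole chain. After the rebuild, re-run the step 4 check from a domain member to confirm the subordinate's chain still resolves the root's CRL from the published paths.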