3 Windows CA servers - needs to consolidate into one

Sumitra Maharjan 21 Reputation points
2021-02-26T20:22:52.67+00:00

Currently, we have 3 CA servers (two Windows 2012 servers, one of which is also a DC, and one Windows 2016). We would like to export all active certificates from the two Windows 2012 servers and then remove CA services from those two servers. We just want to have one CA server – Windows 2016. Right now, all three servers are issuing certificates. When we have a new computer set up, any one of these CA servers issues the license.

  1. On the first Windows 2012 CA server (also a DC), it has about 1300 certificates with 900 already expired (so about 400 active).
  2. On the second Windows 2012 CA server, it has about 800 certificates and half of them are already expired.
  3. On the 3rd Windows 2016 CA server that we would like to keep, it has about 900 certificates with 450 already expired.

What is the best way to handle this situation? Any recommendation would be greatly appreciated.

Accepted answer
    Daisy Zhou 17,991 Reputation points Microsoft Vendor
    2021-03-01T05:27:57.57+00:00

    Hello @Sumitra Maharjan ,

    Thank you for posting here.

    Based on the description above, I understand you have three parallel CA servers, they are all issuing CA servers (maybe they are all enterprise CA servers), and we want to decommission the two 2012 CA servers before we export all the active certs from the two Windows 2012 servers.

    Here are my suggestions:

    On the first Windows 2012 CA server (also a DC), it has about 1300 certificates with 900 already expired (so about 400 active).
    On the second Windows 2012 CA server, it has about 800 certificates and half of them are already expired.

    1. For all the certs that are not expired on the first Windows 2012 CA server (also a DC) and the second Windows 2012 CA server, we should re-enroll them using the third Windows 2016 CA server.

    2. For all the certs that are expired on the first Windows 2012 CA server (also a DC) and the second Windows 2012 CA server, if we do not need these certs, we can ignore them. However, if we still want to use any of them, we should also re-enroll them using the third Windows 2016 CA server.

    On the 3rd Windows 2016 CA server that we would like to keep, it has about 900 certificates with 450 already expired.

    3. For all the certs on the third 2016 CA server that are not expired, we keep them.
    For all the certs on the third 2016 CA server that are expired, if we do not need these certs, we can remove them; if we still want to use any of them, we should also re-enroll them using the third Windows 2016 CA server.

    Reference
    How to decommission a Windows enterprise certification authority and remove all related objects
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Tip: If we export all active certificates issued by the two Windows 2012 CA servers and import them to the third 2016 CA server, after you decommission the two Windows 2012 CA servers, these certs cannot be used.

    Best Regards,
    Daisy Zhou

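The answer above turns on one distinction: certificates that are still valid on the two retiring CAs must be re-enrolled from the 2016 CA, expired ones can simply be ignored, and nothing can be "moved" between CAs. The script below is an added example, not code from the thread or from Microsoft, that builds that worklist: it reads the issued-certificate view of each retiring CA's database, splits it into active and expired, and checks that every template the active certificates came from is still published on the CA you keep (otherwise those holders cannot re-enroll there, whether manually or by autoenrollment). The CA configuration strings are placeholders, and it assumes the ActiveDirectory RSAT module is installed and that the account running it can read the CA databases.

```powershell
# Added example (not from the thread): inventory issued certificates on the CAs that
# will be decommissioned, split them into active vs. expired, and list the templates
# whose active certificates must be re-enrollable from the CA you keep.
# The "HOST\CA Name" strings below are placeholders; "certutil -dump" on each CA shows the real ones.
$RetiringCAs = @('OLD-DC01\Contoso-DC01-CA', 'OLD-CA02\Contoso-CA02-CA')   # placeholders
$KeepCA      = 'CA2016\Contoso-Issuing-CA'                                # placeholder

Import-Module ActiveDirectory   # assumption: RSAT AD module is available

# The CA database stores the template OID (not the name) for version-2+ templates,
# so build an OID -> template-name map from the configuration partition in AD.
$templateNames = @{}
$templatesDN = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $templatesDN -Filter 'objectClass -eq "pKICertificateTemplate"' `
             -Properties 'msPKI-Cert-Template-OID' |
    ForEach-Object { if ($_.'msPKI-Cert-Template-OID') { $templateNames[$_.'msPKI-Cert-Template-OID'] = $_.Name } }

function Get-IssuedCertificateInventory {
    param([Parameter(Mandatory)][string]$Config)

    # Disposition=20 restricts the view to issued certificates. CSV mode prints a header
    # row with localized display names, so every quoted line after the first is a record
    # and stable column names are supplied to ConvertFrom-Csv instead.
    $raw = & certutil.exe -config $Config -view -restrict 'Disposition=20' `
        -out 'Request.RequestID,Request.RequesterName,CommonName,NotAfter,CertificateTemplate,SerialNumber' csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed for $Config" }

    $raw | Where-Object { $_ -match '^"' } | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate,SerialNumber |
        ForEach-Object {
            $expiry = [datetime]::Parse($_.NotAfter)   # assumption: same culture as the CA's CSV output
            $t = $_.CertificateTemplate
            [pscustomobject]@{
                CA        = $Config
                RequestID = [int]$_.RequestID
                Requester = $_.RequesterName
                Subject   = $_.CommonName
                Template  = if ($templateNames.ContainsKey($t)) { $templateNames[$t] } else { $t }
                Serial    = $_.SerialNumber
                NotAfter  = $expiry
                IsActive  = ($expiry -gt (Get-Date))
            }
        }
}

$inventory = foreach ($ca in $RetiringCAs) { Get-IssuedCertificateInventory -Config $ca }

# Per-CA counts, the same active/expired split the thread describes.
$inventory | Group-Object CA | ForEach-Object {
    $active = @($_.Group | Where-Object IsActive).Count
    '{0}: {1} issued, {2} active, {3} expired' -f $_.Name, $_.Count, $active, ($_.Count - $active)
}

# Templates the active certificates were issued from must be published on the kept CA.
$needed = $inventory | Where-Object IsActive | Select-Object -ExpandProperty Template -Unique

# "certutil -CATemplates" prints one "TemplateName: Display Name ..." line per published template,
# followed by a "CertUtil: ..." status line that is filtered out here.
$published = (& certutil.exe -config $KeepCA -CATemplates) |
    Where-Object { $_ -match '^(\S+):' -and $_ -notmatch '^CertUtil:' } |
    ForEach-Object { $Matches[1] }

$missing = $needed | Where-Object { $published -notcontains $_ }
if ($missing) {
    Write-Warning ('Templates used by active certs but not published on {0}: {1}' -f $KeepCA, ($missing -join ', '))
}

# Worklist of only the active certificates, which are the ones that need re-enrollment.
$inventory | Where-Object IsActive | Sort-Object CA, NotAfter |
    Export-Csv -Path .\reenroll-worklist.csv -NoTypeInformation
```

Run it from the 2016 CA (or any domain-joined admin workstation) before stopping services on the 2012 CAs; once a retiring CA is decommissioned its database is no longer queryable through the RPC interface, so this inventory is the last chance to learn which computers and templates are affected. The exported CSV is also what you would check off against after a `gpupdate` / autoenrollment pass to confirm every active holder has a replacement from the kept CA.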

2 additional answers

  Daisy Zhou 17,991 Reputation points Microsoft Vendor
    2021-03-09T02:16:25.607+00:00

    Hello @Sumitra Maharjan ,

    Thank you for your update and accepting my reply as answer.

    Here are the answers for your reference.

    On --> 1. For all the certs that are not expired on the first Windows 2012 CA server (also a DC) and the second Windows 2012 CA server, we should re-enroll them using the third Windows 2016 CA server. <-- This has to be manually re-enrolled on the 3rd Win 2016 CA server, right?

    A: You can re-enroll them manually or via GPO auto-enrollment.
    For more information about setting up Automatic Certificate Enrollment, please refer to the following link.
    Set Up Automatic Certificate Enrollment (Autoenroll)
    https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll

    On --> 2. For all the certs that are expired on the first Windows 2012 CA server (also a DC) and the second Windows 2012 CA server, if we do not need these certs, we can ignore them. However, if we still want to use any of them, we should also re-enroll them using the third Windows 2016 CA server. <-- So, we should just ignore all these expired certificates.
    A: If you do not need these certs, we can ignore them.

    On both the 1st and 2nd CA servers where we need to remove CA services, should we just stop the CA services, right? Thanks again for your helpful response.
    A: We can refer to the following link to decommission a Windows enterprise certification authority.

    How to decommission a Windows enterprise certification authority and remove all related objects
    https://support.microsoft.com/en-gb/help/889250/how-to-decommission-a-windows-enterprise-certification-authority-and-r

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou


  sv rakesh 0 Reputation points
    2023-11-13T09:03:31.05+00:00

    @Sumitra Maharjan If you have done this configuration, can you please provide details of what steps were taken, or provide a link to any document on how to do these steps.