SumitraMaharjan-9044 asked

3 Windows CA servers - needs to consolidate into one

Currently, we have 3 CA servers (two Windows 2012 servers, one of which is also a DC, and one Windows 2016). We would like to export all active certificates from the two Windows 2012 servers and then remove CA services from those two servers. We just want to have one CA server – Windows 2016. Right now, all three servers are issuing certificates. When we have a new computer set up, any one of these CA servers issues the license.

  1. On the first Windows 2012 CA server (also DC), it has about 1300 certificates with 900 already expired (so about 400 active).

  2. On the second Windows 2012 CA server, it has about 800 certificates and half of them are already expired.

  3. On the 3rd Windows 2016 CA server that we would like to keep, it has about 900 certificates with 450 already expired.

What is the best way to handle this situation? Any recommendation would be greatly appreciated.

windows-server-security

Hello @SumitraMaharjan-9044,
Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Again, thanks for your time and have a nice day!

Best Regards,
Daisy Zhou


Hello @SumitraMaharjan-9044,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou


Thank you, Daisy, for your response. It is very helpful.

On --> 1. For all the certs that are not expired on the first Windows 2012 CA server (also DC) and the second Windows 2012 CA server, we should reenroll using the third Windows 2016 CA server. <-- This has to be manually re-enrolled on the 3rd Win 2016 CA server, right?

On --> 2. For all the certs that are expired on the first Windows 2012 CA server (also DC) and the second Windows 2012 CA server, if we do not need these certs, we can ignore them. However, if we still want to use any of them, we should also reenroll them using the third Windows 2016 CA server. <-- So, we should just ignore all these expired certificates.

On both the 1st and 2nd CA servers where we need to remove CA services, should we just stop CA services, right? Thanks again for your helpful response.
= Sumitra

DaisyZhou-MSFT answered

Hello @SumitraMaharjan-9044,

Thank you for posting here.

Based on the description above, I understand you have three parallel CA servers, they are all issuing CA servers (maybe they are all enterprise CA servers), and we want to decommission the two 2012 CA servers before exporting all the active certs from the two Windows 2012 servers.

Here are my suggestions:

On the first Windows 2012 CA server (also DC), it has about 1300 certificates with 900 already expired (so about 400 active).
On the second Windows 2012 CA server, it has about 800 certificates and half of them are already expired.

1. For all the certs that are not expired on the first Windows 2012 CA server (also DC) and the second Windows 2012 CA server, we should reenroll using the third Windows 2016 CA server.

2. For all the certs that are expired on the first Windows 2012 CA server (also DC) and the second Windows 2012 CA server, if we do not need these certs, we can ignore them. However, if we still want to use any of them, we should also reenroll them using the third Windows 2016 CA server.

On the 3rd Windows 2016 CA server that we would like to keep, it has about 900 certificates with 450 already expired.

3. For all the certs on the third 2016 CA server that are not expired, we keep them.
For all the certs on the third 2016 CA server that are expired, if we do not need these certs, we can remove them; if we still want to use any of them, we should also reenroll them using the third Windows 2016 CA server.

Reference
How to decommission a Windows enterprise certification authority and remove all related objects
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Tip: If we export all active certificates issued by the two Windows 2012 CA servers and import them to the third 2016 CA server, after you decommission the two Windows 2012 CA servers, these certs cannot be used.

Best Regards,
Daisy Zhou


DaisyZhou-MSFT answered
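One way to build the inventory that steps 1 and 2 above call for, as an added example that is not part of the original thread: it lists the issued certificates that have not yet expired on the two CAs being retired, grouped by template, so you know which templates the Windows 2016 CA must be able to issue before clients re-enroll. The CA config strings are placeholders; `now` in the `-restrict` clause is certutil's own date token.

```powershell
# Added example, not from the original thread. Inventories issued, still-valid
# certificates on the two CAs being retired. CA config strings are placeholders
# in the usual HOST\CA-common-name form.
$OldCAs = @(
    'CA01.contoso.example\Contoso-Issuing-CA01',   # placeholder: first 2012 CA (also DC)
    'CA02.contoso.example\Contoso-Issuing-CA02'    # placeholder: second 2012 CA
)

function Get-ActiveIssuedCert {
    param([Parameter(Mandatory)][string]$Config)

    # Disposition=20 means "Issued" (skips pending, denied and revoked rows);
    # NotAfter>now drops everything that has already expired.
    $rows = certutil -config $Config -view `
        -restrict 'Disposition=20,NotAfter>now' `
        -out 'RequestID,RequesterName,CertificateTemplate,NotAfter,SerialNumber' csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed against $Config" }

    # Keep only the quoted CSV lines (drops certutil's status line), skip its
    # header row and supply stable column names of our own.
    $rows | Where-Object { $_ -match '^"' } | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID, Requester, Template, NotAfter, Serial |
        ForEach-Object {
            [pscustomobject]@{
                CA        = $Config
                RequestID = [int]$_.RequestID
                Requester = $_.Requester
                # Version 1 templates appear by name; version 2+ templates appear
                # as the template OID, which certutil -Template can map to a name.
                Template  = $_.Template
                NotAfter  = Get-Date $_.NotAfter
                Serial    = $_.Serial
            }
        }
}

$active = $OldCAs | ForEach-Object { Get-ActiveIssuedCert -Config $_ }

# Templates the Windows 2016 CA must publish before the 2012 CAs are removed.
$active | Group-Object Template | Sort-Object Count -Descending |
    Format-Table @{n = 'Template'; e = { $_.Name }}, Count -AutoSize

# Tracking list, soonest expiry first: one row per re-enrollment to confirm
# against the surviving CA before decommissioning.
$active | Sort-Object NotAfter |
    Export-Csv -NoTypeInformation -Path .\active-certs-to-reenroll.csv
```

Run it from an account that can read the old CA databases; once every row in the exported list has a replacement issued by the 2016 CA, the old CAs can be decommissioned per the linked article.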

Hello @SumitraMaharjan-9044,

Thank you for your update and accepting my reply as answer.

Here are the answers for your reference.

On --> 1. For all the certs that are not expired on the first Windows 2012 CA server (also DC) and the second Windows 2012 CA server, we should reenroll using the third Windows 2016 CA server. <-- This has to be manually re-enrolled on the 3rd Win 2016 CA server, right?

A: You can re-enroll them manually or via GPO auto enrollment.
For more information about setting up Automatic Certificate Enrollment, please refer to the following link.
Set Up Automatic Certificate Enrollment (Autoenroll)
https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll


On --> 2. For all the certs that are expired on the first Windows 2012 CA server (also DC) and the second Windows 2012 CA server, if we do not need these certs, we can ignore them. However, if we still want to use any of them, we should also reenroll them using the third Windows 2016 CA server. <-- So, we should just ignore all these expired certificates.
A: If you do not need these certs, we can ignore them.

On both the 1st and 2nd CA servers where we need to remove CA services, should we just stop CA services, right? Thanks again for your helpful response.
A: We can refer to the following link to decommission a Windows enterprise certification authority.

How to decommission a Windows enterprise certification authority and remove all related objects
https://support.microsoft.com/en-gb/help/889250/how-to-decommission-a-windows-enterprise-certification-authority-and-r


Hope the information above is helpful.



Best Regards,
Daisy Zhou
