GreggHughes-3883 asked:

Removing old CA - New CA isn't listed in Sites & Services | Certification Authorities

Good morning, all!

I'm preparing to remove an old CA from our AD structure. The old CA is listed in Sites & Services | Certification Authorities, but the new one isn't. I went from a single Enterprise CA to a two-tier standalone CA/Issuing CA structure as per Microsoft's Best Practices.

Is having a standalone root CA, not part of AD, the reason I don't see the new servers in Sites & Services? If so, I can safely delete the OLD CA from Certification Authorities with no ill effect?

Thanks!

windows-server-security

1 Answer

Crypt32 answered:

You have to publish it manually using certutil:

 certutil -dspublish -f rootcacert.crt RootCA

Thanks! But I don't see the NEW subordinate CA, either in that section. I do see it in AIA, CDP, Enrollment Services and KRA as expected. Since the Root CA isn't in AD, and the SubCAs are issuing based on that Root CA, I think I'll be OK. As long as the certificate chain is unbroken and trusted, it's all good, right?

Crypt32 (to GreggHughes-3883):

But I don't see the NEW subordinate CA, either in that section

and it MUST NOT appear there. This section is for root CAs only. Your issuing CA isn't root, so must not be there. If you published it there -- remove.

Triple-checked - nope, no worries. It's not in that section. Just the old and new Root CAs are there.


Ah, missed that step.

That's the trouble with these - a million references, and they don't all agree on the steps needed.

Thanks!

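A read-only check for the point made in this thread, that the Certification Authorities container should hold root CA certificates only. This is an added example, not code from either poster. It assumes a domain-joined Windows host with read access to the Configuration partition, and it treats "subject equals issuer" as the root test rather than verifying the signature.

```powershell
# Added example: audit the AD "Certification Authorities" container.
# Assumption: run on a domain-joined Windows host by an account that can read
# the Configuration partition. Read-only; nothing is changed in AD.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"

$searcher = [System.DirectoryServices.DirectorySearcher]::new($container)
$searcher.Filter      = '(objectClass=certificationAuthority)'
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
[void]$searcher.PropertiesToLoad.Add('cn')
[void]$searcher.PropertiesToLoad.Add('cacertificate')

$report = foreach ($result in $searcher.FindAll()) {
    # One AD object can carry several certificates (for example after a renewal).
    foreach ($raw in $result.Properties['cacertificate']) {
        $bytes = [byte[]]$raw
        if ($bytes.Length -lt 2) { continue }   # skip empty placeholder values
        $cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        $subject = [Convert]::ToBase64String($cert.SubjectName.RawData)
        $issuer  = [Convert]::ToBase64String($cert.IssuerName.RawData)
        [pscustomobject]@{
            Object     = [string]$result.Properties['cn'][0]
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            # Name comparison only: subject equals issuer. The signature is not verified.
            IsRoot     = ($subject -eq $issuer)
        }
    }
}

# Full listing: expect the old and the new root CA here, and no issuing CA.
$report | Sort-Object Object | Format-Table -AutoSize

# Anything listed here is not self-issued and does not belong in this container.
$misplaced = @($report | Where-Object { -not $_.IsRoot })
if ($misplaced.Count -gt 0) {
    Write-Warning "$($misplaced.Count) non-root certificate(s) published in Certification Authorities:"
    $misplaced | Format-List Object, Subject, Thumbprint
}
```

Comparing the thumbprints in the listing against the root certificate file that was passed to `certutil -dspublish` confirms the new root is the one published before the old CA object is deleted.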