
Public Key Infra Cert CA upgrade and renew

I have a PKI on 2012 R2, and the Enterprise CA key is also going to expire; the Root CA still has 10 years.
I wish to follow an industry standard for upgrading Windows to 2019 and renewing the CA cert.
I wonder whether there is any Microsoft recommendation for the upgrade and renewal.
Should I move the existing Root CA cert and renew the Ent CA cert,
or just renew the Root CA and Ent CA certs?
I want documentation or an article to support this.
Thank you

windows-server-security

Hello @51892182,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @51892182,
Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Thanks for your time and have a nice day!

Best Regards,
Daisy Zhou


Crypt32 answered 51892182 commented

You can do this in any order: renew first and then migrate, or migrate first and then renew. For the migration you can follow the official AD CS migration guide: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486797(v=ws.11)


Thank you for the help.
I did research the procedure and steps, but I need to follow a standard,
like how DigiCert or GlobalSign renew their root cert. I want to follow the biggest companies' standard,
but it is hard to know their standard.
Or even a Microsoft article describing best practice would be OK too.
Is there any document talking about this?


"but I need to follow a standard"

There is no such standard.

"like how DigiCert, GlobalSign renew their root cert?"

They do not renew. They deploy a new CA when the existing one is about to expire. They do cross-certification tricks to allow trust in the new root for a transition period, but they do not support CA certificate renewal the way AD CS does.

The only thing you should keep in mind here -- renew only with a new key pair. Never reuse it.
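The "renew only with a new key pair" advice in Crypt32's comment above, as an added PowerShell example that is not part of the thread: it snapshots the CA certificate currently in use, renews it with certutil so that a fresh key is generated, and then checks that the key really changed rather than trusting that the renewal did what was asked. The CA name Contoso-Issuing-CA and the parent CA path ROOTCA\Contoso-Root-CA are placeholders (assumptions); it must run in an elevated session on the issuing CA itself.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the issuing (enterprise sub) CA.
# Assumptions (placeholders): CA common name 'Contoso-Issuing-CA'; the parent root CA is reachable
# as 'ROOTCA\Contoso-Root-CA'. If the root is offline, see the note after the script.

$CaName = 'Contoso-Issuing-CA'

function Get-CaCertificates {
    # All generations of the CA certificate in the machine store, oldest first.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CaName*" -and $_.HasPrivateKey } |
        Sort-Object NotBefore
}

function Get-Ski([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Subject Key Identifier (OID 2.5.29.14) is derived from the public key, so it is the
    # quickest indicator of whether the key behind a CA certificate generation changed.
    ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }).SubjectKeyIdentifier
}

function Test-CaKeyRotated($OldCert, $NewCert) {
    # True only when the new certificate carries a different public key.
    # A renewal done with 'certutil -renewCert ReuseKeys' would make this return False.
    $oldKey = [Convert]::ToBase64String($OldCert.PublicKey.EncodedKeyValue.RawData)
    $newKey = [Convert]::ToBase64String($NewCert.PublicKey.EncodedKeyValue.RawData)
    return ($oldKey -ne $newKey) -and ((Get-Ski $OldCert) -ne (Get-Ski $NewCert))
}

# 1. Snapshot the certificate in use before the renewal.
$before = Get-CaCertificates | Select-Object -Last 1
"Current CA cert: NotAfter=$($before.NotAfter) SKI=$(Get-Ski $before)"

# 2. Renew with a NEW key pair. Leaving out the 'ReuseKeys' keyword is what makes certutil
#    generate a fresh key; the remaining argument names the parent CA that signs the request.
#    certutil stops and restarts the CertSvc service as part of this.
certutil -renewCert 'ROOTCA\Contoso-Root-CA'
if ($LASTEXITCODE -ne 0) { throw "certutil -renewCert failed with exit code $LASTEXITCODE" }

# 3. Verify: the newest generation must be a different certificate AND use a different key.
$after = Get-CaCertificates | Select-Object -Last 1
if ($after.Thumbprint -eq $before.Thumbprint) { throw 'No new CA certificate was installed.' }
if (-not (Test-CaKeyRotated $before $after)) { throw 'Renewal reused the old key pair; redo it without ReuseKeys.' }
"Renewed CA cert: NotAfter=$($after.NotAfter) SKI=$(Get-Ski $after)"

# 4. Publish a CRL signed with the new key and confirm the CA now lists one more certificate generation.
certutil -CRL
certutil -cainfo
```

If the root CA is offline (the usual case when a root still has ten years to run), step 2 does not complete on its own: certutil writes a request file and reports its path, that file is submitted to the root and signed there, and the returned certificate is installed on the issuing CA with `certutil -installCert <file>`; the check in step 3 is then run afterwards. Keep the old generations in place: certificates issued under the previous key are still chained and revocation-checked through them until they expire.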

Thank you Crypt32.
Good advice. Is there any article about this? Any reference?
My boss may ask for the reference.

DaisyZhou-MSFT answered 51892182 commented

Hello @51892182,

Thank you for posting here.

Hope the information provided by Crypt32 is helpful.

After my research, here are two articles for your reference.

Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo

Renew Issuing/Subordinate CA Certificate
https://www.risual.com/2014/05/renew-issuingsubordinate-ca-certificate/


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.



Best Regards,
Daisy Zhou


Thank you for the help,
but I want to identify which strategy to use. What is the industry standard? Best practice?
1. Update to Windows 2019, then back up and recover the cert to 2019, and renew with the existing key.
2. Update to Windows 2019, then use a new-generation CA cert.
3. Renew with the existing key, then back up and recover the cert to 2019.
4. Renew with a new key, then back up and recover the cert to 2019.


I wonder which one is the industry standard.



DaisyZhou-MSFT answered 51892182 commented

Hello @51892182,

Thank you for your update.

We suggest renewal with a new key pair.

For the difference between renewal with existing key pair and renewal with new key pair, you can refer to link below.

Root CA certificate renewal
https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx


We can back up 2012 R2 and recover the cert to 2019, and then renew with a new key.
Or renew with a new key, and then back up 2012 R2 and recover the cert to 2019.

To migrate the CA from 2012 R2 to 2019, we can refer to the steps below (similar steps).
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo


Considerations for migrating a CA to a new machine:

  1. When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must remain unchanged.

  2. By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.

  3. During the installation process, we must choose to use the CA's existing certificate and private key instead of creating a new CA certificate and key.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Tip: each of the small steps above contains a lot of operations.
It is recommended that you set up a similar CA environment in a test environment, perform the migration and renewal operations there, then record all the steps in a document and write down the key points and precautions.
If there are no problems, follow similar steps in the production environment, so that even if you encounter a problem in production you should be able to troubleshoot or solve it.



Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
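The three migration considerations in the answer above (same CA name on a different host, CRL paths that still carry the old host name, installing the target with the existing certificate and key), as an added PowerShell example that is not part of the answer or of Microsoft's migration guide. Host names OLDCA and NEWCA, the CA name Contoso-Issuing-CA, the HTTP name pki.contoso.com and the backup share are placeholders (assumptions). The certificate renewal itself is deliberately left out; it is a separate step that can be done before or after this move.

```powershell
# Added example, not from the thread or from Microsoft's migration guide.
# Assumptions (placeholders): source host OLDCA (2012 R2), target host NEWCA (2019), CA name
# 'Contoso-Issuing-CA', HTTP CDP name pki.contoso.com, backup location \\fileserver\cabackup.
# Run each function elevated on the host named in its comment.

$CaName    = 'Contoso-Issuing-CA'
$BackupDir = '\\fileserver\cabackup'
$RegPath   = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# ---- Run on OLDCA (source), before the AD CS role is removed there -----------------------
function Backup-SourceCa {
    param([string]$Dir, [string]$PfxPassword)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    # CA certificate + private key (written as <CAName>.p12) and the certificate database.
    certutil -p $PfxPassword -backup $Dir
    # Registry configuration: templates, CRL/AIA URLs, validity periods, CAServerName, etc.
    reg export $RegPath "$Dir\CertSvc.reg" /y
    # Keep the CRL distribution URLs as they were; old certificates still point at these paths.
    certutil -getreg CA\CRLPublicationURLs | Out-File "$Dir\crl-urls-before.txt"
    if (Test-Path "$env:SystemRoot\CAPolicy.inf") { Copy-Item "$env:SystemRoot\CAPolicy.inf" $Dir }
}

# ---- Run on NEWCA (target), after the source enterprise CA has been uninstalled ----------
function Restore-TargetCa {
    param([string]$Dir, [string]$PfxPassword)
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
    # Consideration 3: install with the EXISTING CA certificate and key instead of creating new ones.
    # The CA name comes from that certificate, so it stays the same while the host name changes (consideration 1).
    Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
        -CertFile "$Dir\$CaName.p12" `
        -CertFilePassword (ConvertTo-SecureString $PfxPassword -AsPlainText -Force) -Force
    Stop-Service CertSvc
    # Issued-certificate database, then the registry settings.
    certutil -restoreDB $Dir
    # Review CertSvc.reg before importing: values that embed the old host name (CAServerName,
    # any literal OLDCA in URL lists) must be corrected, as done for CAServerName below.
    reg import "$Dir\CertSvc.reg"
    certutil -setreg CA\CAServerName $env:COMPUTERNAME
    Start-Service CertSvc
}

# ---- Consideration 2: publish the CRL where already-issued certificates still look for it -
function Set-CrlPublicationUrls {
    param([string]$OldHost, [string]$NewHttpName)
    # Flag bits: 1 publish CRL here, 2 add to CDP of issued certs, 4 add to freshest-CRL ext,
    # 8 add to CDP of CRLs, 64 publish delta CRL here. %2 expands to the CA host's short name,
    # so the default LDAP container is named after the host and changes with the move.
    $urls = @(
        "65:$env:SystemRoot\system32\CertSrv\CertEnroll\%3%8%9.crl",                       # local file
        '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',         # new LDAP container
        "1:ldap:///CN=%7%8,CN=$OldHost,CN=CDP,CN=Public Key Services,CN=Services,%6%10",    # old container, publish only
        "6:http://$NewHttpName/CertEnroll/%3%8%9.crl"                                       # CDP for new certs
    )
    # certutil treats a literal "\n" in the value as the separator of this REG_MULTI_SZ value.
    certutil -setreg CA\CRLPublicationURLs ($urls -join '\n')
    # Old certificates that carry http://<OldHost>/CertEnroll/... keep working when a DNS alias for
    # $OldHost points at this server and IIS exposes the same CertEnroll directory (assumption).
}

# ---- Check that a certificate issued BEFORE the move still revocation-checks ------------
function Test-RevocationPath {
    param([string]$IssuedCertPath)
    # -urlfetch makes certutil download every CDP/AIA URL embedded in the certificate, i.e. the
    # old paths. Lines mentioning "Failed" are the URLs that no longer resolve after the move.
    $out = certutil -verify -urlfetch $IssuedCertPath 2>&1
    return ($out | Where-Object { $_ -match 'Failed' })
}

# Usage (placeholders):
# on OLDCA:  Backup-SourceCa  -Dir $BackupDir -PfxPassword 'Use-A-Strong-Passphrase'
# on NEWCA:  Restore-TargetCa -Dir $BackupDir -PfxPassword 'Use-A-Strong-Passphrase'
#            Set-CrlPublicationUrls -OldHost 'OLDCA' -NewHttpName 'pki.contoso.com'
#            certutil -CRL
#            Test-RevocationPath 'C:\temp\issued-before-migration.cer'   # empty output = no broken URL
```

Publishing into the old LDAP container only works if the new CA's computer account can write to that object; the ACL was granted to the old host, so check it and adjust it if the publish fails in the Application event log. The 2012 R2 CA has to be uninstalled before the enterprise CA is installed on 2019 (the quoted guide text in the comments below says why), so the rollback path is the backup set, not the old server: test the whole sequence in a lab first, as the answer above recommends.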


Hi Daisy,
thank you for the detailed explanation and advice. After deeper consideration, I still have some questions.

[ We can back up 2012 R2 and recover the cert to 2019, and then renew with a new key.
Or renew with a new key, and then back up 2012 R2 and recover the cert to 2019. ]
If renewing with a new key, why do we need to back up and recover? Why not just build a new 2019 CA with a new key?
Is it only for keeping these expired certs?



(continued)

[ Uninstalling the source CA deletes objects from AD DS. If the target CA is a stand-alone CA, then these objects are no longer required. However, if the target CA is an enterprise CA, then it is important to uninstall the source CA before you install the target CA. This ensures the required objects are added to AD DS. ]
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)?redirectedfrom=MSDN
I checked the description at this link; it says the old CA has to be uninstalled and then the new CA installed when migrating with the existing key.
I wonder whether it is possible to just shut down the old CA and install a new CA, so that if anything happens I can just power up the old CA to keep the service running?
I wonder whether it is possible to run the old CA and the new 2019 CA with the same CA key simultaneously? Any impact?

Thank you so much
