
0 Votes
SamNa-6041 asked Dev073 commented

Two tier certificate authority migration

Hi,

We are migrating all our on-prem servers to Azure, and planning to migrate our two-tier certificate authority as well.

We have a stand-alone Root CA that is powered off VM.
Also, an enterprise subordinate issuing CA VM that is domain-joined.


Our plan is to set up new VMs in Azure and migrate the roles over.

Questions:

Considering that, security-wise, the Root CA would be in the cloud and exposed compared to the on-prem physical machine, should we change to one tier instead? Is that even an option for our setup? If so, do you know of a step-by-step document?

We would have different names and IPs in Azure, but reading the MS documents, it appears the names and IPs can be different. I just wanted to know if anyone has performed the migration with new names and IPs?

Is there an up-to-date, reliable step-by-step document when it comes to two-tier migration? We can see some older documents that are applicable to Server 2012, not newer versions.


azure-virtual-machines-migration

0 Votes
Dev073 answered Dev073 edited

Hi Samna,
Thanks for the post.

What is the main purpose of the CA in your environment? To issue certs to internal applications? Some orgs might have a CA but don't actually use it. Hence asking. :)

Considering that, security-wise, the Root CA would be in the cloud and exposed compared to the on-prem physical machine, should we change to one tier instead? Is that even an option for our setup? If so, do you know of a step-by-step document?

Still, it's recommended to go with a two-tier setup. I have done the CA in a hybrid model, where the offline CA is kept on-prem on secured Hyper-V. Not tried with an Azure VM, but it should be possible while keeping it in a disconnected state or with tighter NSG / firewall rules.

We would have different names and IPs in Azure, but reading the MS documents, it appears the names and IPs can be different. I just wanted to know if anyone has performed the migration with new names and IPs?

Just keep the CA name; the hostname/IP can be changed. You also need to take a registry backup and restore it for the CRL and related stuff.

Is there an up-to-date, reliable step-by-step document when it comes to two-tier migration? We can see some older documents that are applicable to Server 2012, not newer versions.

I have used this link. Have a look:
https://www.petenetlive.com/KB/Article/0001473
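The backup/restore steps the answer above points to (CA database and key, plus the CertSvc configuration registry key that holds the CRL settings), written out as an added PowerShell example. This is not code from the thread or from the linked article; the backup folder, password prompt, and the CA name `CONTOSO-ISSUING-CA` are placeholders.

```powershell
# Added example: back up an enterprise issuing CA before migration and verify the restore
# on the new Azure VM. Paths and the expected CA name are placeholders, not real values.
$BackupRoot     = 'C:\CABackup'           # assumption: staging folder, copy off-host afterwards
$ExpectedCAName = 'CONTOSO-ISSUING-CA'    # placeholder: the CA's logical name, which must NOT change

Import-Module ADCSAdministration

# 1. CA database, log files and (for a software-backed key) the private key as a password-protected PFX.
$pw = Read-Host -AsSecureString -Prompt 'Backup password'
Backup-CARoleService -Path "$BackupRoot\ca" -Password $pw -Force

# 2. Service configuration: CRL/AIA publication URLs, CRL periods, DSConfigDN and similar.
#    If the hostname changes, review host-specific values such as CAServerName in the .reg before importing.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupRoot\certsvc-config.reg" /y

# 3. Templates currently published on this CA, so the same set can be re-enabled after the move.
certutil -catemplates > "$BackupRoot\templates.txt"

# --- Run on the new VM after Restore-CARoleService and importing certsvc-config.reg ---
function Test-RestoredCA {
    param([string]$ExpectedName)
    $cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if ($cfg.Active -ne $ExpectedName) {
        throw "CA name changed: '$($cfg.Active)' != '$ExpectedName' (issued certs would no longer chain)"
    }
    # The CRL period must survive the registry restore, or CRLs issued from the new host expire unexpectedly.
    certutil -getreg CA\CRLPeriodUnits | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'CertSvc configuration not restored' }
    # Publish a fresh CRL from the new host to prove the service is running and the CDP paths resolve.
    certutil -crl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'CRL publication failed; check CRLPublicationURLs in the restored registry' }
    Write-Output "CA '$($cfg.Active)' restored and publishing CRLs"
}

Test-RestoredCA -ExpectedName $ExpectedCAName
```

Run the backup section on the old issuing CA and the verification function on the new one; keeping the CA name identical is what lets already-issued certificates keep chaining after the hostname and IP change.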

0 Votes
SamNa-6041 answered Dev073 commented

Hi @Dev073

Thank you for your answers, it was very helpful.

Answering your question:

What is the main purpose of the CA in your environment?

I have inherited the current config, and by looking at the issued Certs, I see that:

The Root CA was there to provide the cert to the Issuing CA only, and the Issuing CA shows "Domain Controller", "Exchange", "Directory Email Replication", "Citrix Registration", "Client-Side Code Signing", "Basic EFS", ...

As you can see, there are a number of tasks and services relying on the Issuing CA, so we have to be cautious to ensure we are not breaking anything.

Is there anything to watch for before or after the migration? (other than what's mentioned in the video and ) I found this article as well; not sure if it's applicable to my 2019 servers (it appears to be the same steps):

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831574(v=ws.11)



It should be fine @SamNa-6041. Take the required backups and configs.

CA can get really messy, so have a proper change plan and proceed.

0 Votes