Two tier certificate authority migration

Sam Na 46 Reputation points
2021-10-23T22:30:48.697+00:00

Hi,

We are migrating all our on-prem servers to Azure, and planning to migrate our two-tier certificate authority as well.

We have a stand-alone Root CA that is powered off VM.
Also, an enterprise subordinate issuing CA VM that is domain-joined.

Our plan is to set up new VMs in Azure and migrate the roles over.

Questions:

Considering the fact that, security-wise, the Root CA would be in the cloud and exposed compared to the on-prem physical machine, should we change to one tier instead? Is that even an option for our setup? If so, do you know a step-by-step document?

We would have different names and IPs in Azure, but reading the MS documents, it appears the names and IPs can be different. I just wanted to know if anyone has performed the migration with new names and IPs?

Is there an up-to-date, reliable step-by-step document when it comes to two-tier migration? We can see some older documents that are applicable to Server 2012, not newer versions.


2 answers

  1. Devaraj G 2,091 Reputation points
    2021-10-24T11:34:53.157+00:00

    Hi Samna,
    Thanks for the post.

    What is the main purpose of the CA in your environment? To issue certs to internal applications? Some orgs might have a CA but don't actually use it. Hence asking. :)

    Considering the fact that, security-wise, the Root CA would be in the cloud and exposed compared to the on-prem physical machine, should we change to one tier instead? Is that even an option for our setup? If so, do you know a step-by-step document?

    Still, it's recommended to go with a two-tier setup. I have done the CA in a hybrid model, where the offline CA is kept secured in on-prem Hyper-V. Not tried with an Azure VM, but it should be possible while keeping it in the disconnected state or with tighter NSG / firewall rules.

    We would have different names and IPs in Azure, but reading the MS documents, it appears the names and IPs can be different. I just wanted to know if anyone has performed the migration with new names and IPs?

    Just keep the CA name retained; the hostname/IP can be changed. You also need to take the registry backup and restore it for the CRL and related settings.

    Is there an up-to-date, reliable step-by-step document when it comes to two-tier migration? We can see some older documents that are applicable to Server 2012, not newer versions.

    I have used this link. Have a look:
    https://www.petenetlive.com/KB/Article/0001473

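The answer above says to keep the CA name, allows the hostname/IP to change, and calls for a registry backup covering the CRL settings. The following PowerShell, added here as an illustration and not taken from the thread or from Microsoft's migration guide, captures exactly those items on the existing issuing CA before it is decommissioned. The backup directory path is an assumption; the commands (`Backup-CARoleService`, `certutil`, `reg export`) and the `CertSvc\Configuration` registry key are the standard AD CS ones.

```powershell
# Added example: pre-migration capture of an AD CS issuing CA.
# Run in an elevated PowerShell session on the *existing* CA.
Import-Module ADCSAdministration

$BackupDir = 'C:\CABackup'                    # assumed location, adjust as needed
$DbDir     = Join-Path $BackupDir 'db'        # Backup-CARoleService needs an empty folder
New-Item -ItemType Directory -Path $DbDir -Force | Out-Null

# 1. Record the CA common name. This value must be reused on the new Azure VM
#    even though the VM's hostname and IP address will differ.
certutil -cainfo name | Out-File (Join-Path $BackupDir 'cainfo-name.txt')

# 2. Back up the CA database and the CA private key (PKCS#12, password protected).
$BackupPassword = Read-Host -AsSecureString -Prompt 'Backup password'
Backup-CARoleService -Path $DbDir -Password $BackupPassword

# 3. Export the CA registry configuration. This holds the CRL and AIA publication
#    URLs, validity periods and the published template list that a restore needs.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y

# 4. Keep the CRL/AIA URL settings in readable form. Any entry that embeds the old
#    hostname must be corrected on the new CA before the first CRL is published,
#    otherwise revocation checking for already-issued certificates will fail.
certutil -getreg CA\CRLPublicationURLs    | Out-File (Join-Path $BackupDir 'CRLPublicationURLs.txt')
certutil -getreg CA\CACertPublicationURLs | Out-File (Join-Path $BackupDir 'CACertPublicationURLs.txt')

# 5. Record which templates the CA currently publishes (Domain Controller,
#    Exchange, EFS, code signing, ...), so the list can be compared after the move.
certutil -CATemplates | Out-File (Join-Path $BackupDir 'CATemplates.txt')
```

Copy the whole `C:\CABackup` folder to the new VM over a trusted channel and keep the backup password out of any script; on restore, the CA name read from `cainfo-name.txt` is the one to enter when the role is installed on the new server.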

  2. Sam Na 46 Reputation points
    2021-10-24T17:11:18.137+00:00

    Hi @Devaraj G

    Thank you for your answers, they were very helpful.

    Answering your question:

    what is the main purpose of CA in your environment?

    I have inherited the current config, and by looking at the issued Certs, I see that:

    Root CA was to provide the Cert to Issuing CA only, and Issuing CA shows "Domain Controller", "Exchange", "Directory Email Replication", "Citrix Registration", "Client-Side Code Signing", "Basic EFS", ...

    As you can see, there are a number of tasks and services relying on the Issuing CA, so we have to be cautious to ensure we are not breaking anything.

    Is there anything to watch for before or after the migration? (other than what's mentioned in the video and ) I found this article as well, not sure if it's applicable to my 2019 servers (it appears to be the same steps):

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831574(v=ws.11)
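Since the reply above lists the services depending on the issuing CA and asks what to watch for after the move, here is a post-migration check, added as an illustration and not part of the thread. It assumes the pre-migration files `cainfo-name.txt` and `CATemplates.txt` were captured into `C:\CABackup` (assumed path) from the old CA with `certutil -cainfo name` and `certutil -CATemplates`, and it runs on the new CA after the restore.

```powershell
# Added example: verify the migrated issuing CA before pointing clients at it.
# Run in an elevated PowerShell session on the *new* CA after restoring the backup.
$BackupDir = 'C:\CABackup'   # assumed: holds files captured on the old CA

# 1. The CA name must be identical to the old one; the hostname may differ.
$nameBefore = (Get-Content (Join-Path $BackupDir 'cainfo-name.txt') | Select-String 'CA name') -join ''
$nameAfter  = (certutil -cainfo name | Select-String 'CA name') -join ''
if ($nameBefore -ne $nameAfter) {
    Write-Warning "CA name mismatch: old='$nameBefore' new='$nameAfter'"
} else {
    Write-Host "CA name retained: $nameAfter"
}

# 2. Every template published before (Domain Controller, Exchange, EFS, ...) should
#    still be published; a missing one silently breaks auto-enrolment for that service.
$tplBefore = Get-Content (Join-Path $BackupDir 'CATemplates.txt')
$tplAfter  = certutil -CATemplates
Compare-Object -ReferenceObject $tplBefore -DifferenceObject $tplAfter |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { Write-Warning "Template missing on new CA: $($_.InputObject)" }

# 3. Review CRL/AIA publication URLs. Entries containing the decommissioned
#    hostname must be corrected, otherwise existing certificates fail revocation checks.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 4. Publish a fresh CRL from the new host, then chain-validate the CA's own
#    certificate while fetching AIA/CDP over the network, exactly as a client would.
certutil -CRL
$caCert = Join-Path $env:TEMP 'issuing-ca.cer'
certutil -ca.cert $caCert | Out-Null
certutil -verify -urlfetch $caCert
```

The `-urlfetch` verification is the part worth reading closely: a "Revocation check failed" or an unreachable CDP there means clients will start failing TLS and smart-card logons as soon as the old CA's CRL expires, even though issuance on the new CA looks healthy.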