Certificate Authority Windows

From UVOO Tech Wiki

https://serverfault.com/questions/571910/how-to-add-extended-key-usage-string-when-generating-a-self-signed-certificate-u

New

https://serverfault.com/questions/425438/create-and-use-intermediate-certificate-authority-on-windows-server-2012

I recently went through the process of migrating from an Enterprise Online Root CA to a two tier PKI. Generally the process you will want to follow will contain these steps:

1. Provision a server that will not be joined to your domain and Install Active Directory Certificate Services. Configure it as a standalone offline root certificate.
2. Publish your Root CA to the forest.
3. Provision a second server online and domain joined. Configure that as your intermediate Certificate Authority.
4. Create a CSR from your intermediate CA and go through the process of issuing a cert from your offline root CA.
5. Migrate the Certificate templates to the new Intermediate CA and remove the templates from your original PKI. (This will only start issuing new certs from your Intermediate CA, NOT invalidating certs issued from your original CA.)
6. From here you can decide to leave your old CA up until all certs expire or go through the process of forcing your network systems to re-enroll on the new PKI.
The Directory Services Team at Microsoft has a nice high level walkthrough for this.

For more in depth information, here is the walkthrough I followed.

Additionally, here is a Technet Guide and some planning information on the process.
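The steps in the quoted answer, written out as PowerShell for the two hosts. This is an added example, not code from the quoted answer or from this wiki page; it uses only the ADCSDeployment/ADCSAdministration cmdlets and certutil/certreq verbs that ship with the AD CS role. The CA names (EXAMPLE-ROOT-CA, EXAMPLE-ISSUING-CA), the root host name ROOTHOST, the forest DN DC=example,DC=com, the HTTP publication URL pki.example.com, the removable-media paths and the template list are placeholders to replace with your own values.

```powershell
# Added example: two-tier PKI build-out, one section per host. Run elevated.
# All names, DNs, paths and URLs below are placeholders.

### Host 1: standalone offline root (workgroup member, never domain-joined)
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 20-year root with a 4096-bit RSA key in the software KSP (swap in an HSM provider if you have one).
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "EXAMPLE-ROOT-CA" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# The offline root cannot read the forest, so give it the configuration DN by hand;
# otherwise the LDAP CDP/AIA paths in issued certs are built with empty values.
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=example,DC=com"

# Long CRL lifetime: the root is only powered on to sign a subordinate or a new CRL.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"

# CDP/AIA: publish locally (flag 1) and embed an HTTP URL that domain members can reach (flag 2).
# certutil splits the REG_MULTI_SZ value on the literal "\n".
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.example.com/CertEnroll/%3%8.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt"

Restart-Service certsvc
certutil -crl    # publish the first CRL

# Copy EXAMPLE-ROOT-CA.crt and .crl from C:\Windows\System32\CertSrv\CertEnroll to removable media (E:\).

### Host 2 (domain-joined, run as Enterprise Admin): publish the root into the forest
certutil -dspublish -f "E:\EXAMPLE-ROOT-CA.crt" RootCA
certutil -dspublish -f "E:\EXAMPLE-ROOT-CA.crl"
certutil -addstore -f Root "E:\EXAMPLE-ROOT-CA.crt"    # local trust on this host before the sub-CA install

# Group Policy distributes the root to every member's Trusted Root store; check on a client:
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "*EXAMPLE-ROOT-CA*"

### Host 2: enterprise subordinate (issuing) CA
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "EXAMPLE-ISSUING-CA" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "C:\EXAMPLE-ISSUING-CA.req" -Force

# Carry the .req to the root and issue there (a standalone CA holds requests as pending):
#   certreq -submit -config "ROOTHOST\EXAMPLE-ROOT-CA" C:\EXAMPLE-ISSUING-CA.req
#   certutil -resubmit <RequestId>
#   certreq -retrieve <RequestId> C:\EXAMPLE-ISSUING-CA.cer
# Carry the .cer back to Host 2, install it and start the service:
certutil -installcert "C:\EXAMPLE-ISSUING-CA.cer"
Start-Service certsvc

### Step 5: move issuance to the new CA. Removing a template from the old CA stops new
### issuance there; it does not revoke anything already issued.
Import-Module ADCSAdministration
$templates = @("WebServer", "Workstation", "DomainController")   # sample template names, adjust to yours
foreach ($t in $templates) { Add-CATemplate -Name $t -Force }
# On the old CA:
#   foreach ($t in $templates) { Remove-CATemplate -Name $t -Force }

### Check: chain and revocation resolve end to end for a cert issued by the new hierarchy
certutil -verify -urlfetch "C:\issued-by-new-ca.cer"
```

The final `certutil -verify -urlfetch` is the check worth running before pointing clients at the new PKI: it walks the chain to EXAMPLE-ROOT-CA and fetches every CDP and AIA URL, so a misconfigured publication URL on the offline root shows up here rather than as failed logons or TLS errors later.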

Migrate

https://www.starwindsoftware.com/blog/migrate-root-ca-to-a-new-server

https://github.com/GoateePFE/ADCSTemplate

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/move-certification-authority-to-another-server

https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

Some older example docs, though written for Server 2008:

https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

Notes

PS C:\WINDOWS\system32> Remove-WindowsFeature -Name AD-Certificate