Difference between revisions of "Certificate Authority Windows"

From UVOO Tech Wiki
Jump to navigation Jump to search
(Created page with "# Migrate https://github.com/GoateePFE/ADCSTemplate https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/move-certification-authority-to-another-server h...")
 
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
https://serverfault.com/questions/571910/how-to-add-extended-key-usage-string-when-generating-a-self-signed-certificate-u
 +
 +
# New
 +
https://serverfault.com/questions/425438/create-and-use-intermediate-certificate-authority-on-windows-server-2012
 +
```
 +
 +
I recently went through the process of migrating from an Enterprise Online Root CA to a two tier PKI. Generally the process you will want to follow will contain these steps:
 +
 +
Provision a server that will not be joined to your domain and Install Active Directory Certificate Services. Configure it as a standalone offline root certificate.
 +
Publish your Root CA to the forest.
 +
Provision a second server online and domain joined. Configure that as your intermediate Certificate Authority.
 +
Create a CSR from your intermediate CA and go through the process of issuing a cert from your offline root CA.
 +
Migrate the Certificate templates to the new Intermediate CA and remove the templates from your original PKI. (This will only start issuing new certs from your Intermediate CA NOT invalidating certs issued from your original CA.)
 +
From here you can decide to leave your old CA up until all certs expire or go through the process of forcing your network systems to re-enroll on the new PKI.
 +
The Directory Services Team at Microsoft has a nice high level walkthrough for this.
 +
 +
For more in depth information, here is the walkthrough I followed.
 +
 +
Additionally, here is a Technet Guide and some planning information on the process.
 +
```
 +
 +
 
# Migrate
 
# Migrate
 +
 +
https://www.starwindsoftware.com/blog/migrate-root-ca-to-a-new-server
  
 
https://github.com/GoateePFE/ADCSTemplate
 
https://github.com/GoateePFE/ADCSTemplate
Line 7: Line 31:
  
 
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674
 
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674
 +
 +
 +
 +
 +
# Some old example docs but for 2008
 +
 +
https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx
 +
 +
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx
 +
 +
 +
 +
# Notes
 +
```
 +
PS C:\WINDOWS\system32> Remove-WindowsFeature -Name AD-Certificate
 +
```

Latest revision as of 00:26, 11 November 2023

https://serverfault.com/questions/571910/how-to-add-extended-key-usage-string-when-generating-a-self-signed-certificate-u

New

https://serverfault.com/questions/425438/create-and-use-intermediate-certificate-authority-on-windows-server-2012 

<br />I recently went through the process of migrating from an Enterprise Online Root CA to a two tier PKI. Generally the process you will want to follow will contain these steps:

Provision a server that will not be joined to your domain and Install Active Directory Certificate Services. Configure it as a standalone offline root certificate.
Publish your Root CA to the forest.
Provision a second server online and domain joined. Configure that as your intermediate Certificate Authority.
Create a CSR from your intermediate CA and go through the process of issuing a cert from your offline root CA.
Migrate the Certificate templates to the new Intermediate CA and remove the templates from your original PKI. (This will only start issuing new certs from your Intermediate CA NOT invalidating certs issued from your original CA.)
From here you can decide to leave your old CA up until all certs expire or go through the process of forcing your network systems to re-enroll on the new PKI.
The Directory Services Team at Microsoft has a nice high level walkthrough for this.

For more in depth information, here is the walkthrough I followed.

Additionally, here is a Technet Guide and some planning information on the process.

Migrate

https://www.starwindsoftware.com/blog/migrate-root-ca-to-a-new-server

https://github.com/GoateePFE/ADCSTemplate

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/move-certification-authority-to-another-server

https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

Some old example docs but for 2008

https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

Notes

PS C:\WINDOWS\system32> Remove-WindowsFeature -Name AD-Certificate
Retrieved from "https://tech.uvoo.io/index.php?title=Certificate_Authority_Windows&oldid=4652"