2008R2 Enterprise CA migration/upgrade

kbeahm posted this 2 weeks ago


It is time to upgrade our well-worn 2008R2 Enterprise CA, but I am not sure I trust all of our application teams to have tested their systems for SHA256 certs. Do you have any recommendations for a side-by-side deployment of a 2016 CA with the legacy 2008R2 CA to begin testing compatibility? If I were to proceed with this model, would I just use the permissions on each AD-published certificate template to control which applications, users, and servers pick up the new 2016 CA certs? Thank you in advance for your time and consideration.

Keith D. Beahm | Messaging and Storage Architect | Stinson Leonard Street LLP
1201 Walnut Street, Suite 2900 | Kansas City, MO 64106-2150
T: 816.691.3374 | M: 816.808.8983 | F: 816.412.1022
kbeahm@xxxxxxxxxxxxxxxx | www.stinson.com


michael1 posted this 2 weeks ago

Why do I feel like I’ve talked about this recently? 😊

Do you have a single CA server? No hierarchy?


kbeahm posted this 2 weeks ago

You may have, and if so I apologize. Single CA, no hierarchy.

michael1 posted this 2 weeks ago

No apology necessary. I may just do some subcontract work for another company y’all work with. Or the same question came from someone else. 😊

In my opinion, there are a couple of options here. It depends on whether you want to end up with the current root trusted or if it’s ok if the current root isn’t trusted. That’s probably a factor of how many valid certs there currently are and how difficult they are to replace and how many of them need to be replaced with sha256 certs. (Keeping in mind that the old root will continue to be a sha1 root.) And whether or not you are using EFS.

If you just want to test, then I’d fire up a VM, install AD, install a new enterprise CA, generate certs to test with, export the certs and the root, and then install them where I’m testing. This has a distinct advantage of not impacting your current forest at all. It has a disadvantage of not permitting auto-enrollment – but that’s not necessarily a disadvantage.

This is what I think I’d recommend as a first step (given how little I know right this second).

Two other options:

If you plan on upgrade/migrating your current CA, well that doesn’t leave a lot of room for testing beforehand. It is what it is. But all the old certificates are still valid.

You can also install another Enterprise CA alongside the existing one. (Different CAName, different AIA, different server, everything different.) What certificates are issued for auto-enrollment from each CA is dependent on the templates published for that CA. I don’t recommend you have “dueling published templates”, I don’t know if the behavior is well-defined. But for all other certs, the certs would be issued based on the CA where they were requested (assuming the templates were available).

Which of these two you might choose depends on a number of factors, including whether you can leave the old CA up until all the old certificates expire…


barkills posted this 2 weeks ago

You can also install another Enterprise CA alongside the existing one. (Different CAName, different AIA, different server, everything different.) What certificates are issued for auto-enrollment from each CA is dependent on the templates published for that CA. I don’t recommend you have “dueling published templates”, I don’t know if the behavior is well-defined. But for all other certs, the certs would be issued based on the CA where they were requested (assuming the templates were available).

[BA] Seems like you could have “dueling published templates” as long as one of the two doesn’t include the auto-enroll permissions. Then the “cutover” could happen on a per-template basis by removing auto-enroll from one and adding it to the other. That wouldn’t be much of a cutover, since issued certs will remain valid until they expire, are revoked, or are otherwise invalid. But any new automated request for that type of cert would shift to the new CA.
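
As an added example, not from anyone in this thread, the PowerShell below shows how to audit the side-by-side setup being discussed: which templates each Enterprise CA publishes, which templates are published on more than one CA ("dueling"), and which principals hold Enroll versus Autoenroll on those templates. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the Enroll/Autoenroll ACEs are read from the template object itself, which is where they live for every CA that publishes the template.

```powershell
# Added example (not from the thread). Audit templates published per Enterprise CA,
# flag templates published on more than one CA, and list Enroll/Autoenroll grants.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration NC.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
$autoGuid   = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment right

# One pKIEnrollmentService object exists per Enterprise CA; its certificateTemplates
# attribute is the list of templates that CA publishes (what certsrv shows under Templates).
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties certificateTemplates, dNSHostName

$published = @{}   # template name -> array of CA names publishing it
foreach ($ca in $cas) {
    foreach ($t in $ca.certificateTemplates) {
        if (-not $published.ContainsKey($t)) { $published[$t] = @() }
        $published[$t] += $ca.Name
    }
}

foreach ($t in ($published.Keys | Sort-Object)) {
    $dueling = $published[$t].Count -gt 1
    $flag = if ($dueling) { '  <-- published on more than one CA' } else { '' }
    "{0,-35} published on: {1}{2}" -f $t, ($published[$t] -join ', '), $flag
    if (-not $dueling) { continue }

    # The ACL is on the template object, so it applies wherever the template is published.
    # Only explicit Enroll/Autoenroll object ACEs are shown; broad rights such as
    # GenericAll (empty ObjectType) would also permit enrollment and are not listed here.
    $acl = Get-Acl -Path "AD:\CN=$t,CN=Certificate Templates,$pkiBase"
    foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })) {
        if ($ace.ObjectType -eq $autoGuid) {
            "    Autoenroll: $($ace.IdentityReference)"
        } elseif ($ace.ObjectType -eq $enrollGuid) {
            "    Enroll:     $($ace.IdentityReference)"
        }
    }
}
```

Run it before and after moving a template between CAs to confirm that only the intended CA publishes it and that Autoenroll is granted to the intended groups.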

michael1 posted this 2 weeks ago

That's exactly what I meant 😊. Thanks for clarifying for me and sorry I wasn't more clear.
