Let's look at the general steps required to remove an old Windows certificate authority without affecting previously issued certificates.
By Brandon Lee

Overview of the process

Removing an old certificate authority generally involves the steps below. Note that additional steps may vary depending on the infrastructure configuration of each organization's certificate authority.

  1. Identify the Authority Information Access (AIA) and CRL distribution points (CDP).
  2. Disable Delta CRL and configure an extended CRL publication interval.
  3. Copy the old certificate authority's certificate and CRL files to the new server hosting the CertData virtual directory.
  4. Redirect the AIA and CRL distribution points.
  5. Remove all certificate templates available on the old CA.
  6. Document certificates issued by templates from the old certificate authority.

Identify the AIA and CDP distribution points

First, we must identify the AIA and CDP. Open the Certificate Authority Management Console. Right-click the name of your Certificate Authority Server in the tree, and select Properties. In the properties dialog box, select the Extensions tab. Note the AIA and CDP distribution points. Ignore the LDAP entries and the local file-system path under %windir%; the HTTP locations are the ones that matter here.

Document the CDP location on your old certificate server


Do the same for the AIA URLs.

Document the Authority Information Access AIA

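The same inventory can be taken from the command line. The following is an added example, not code from the original article; it reads the CA's CRLPublicationURLs and CACertPublicationURLs registry values on the old CA (the standard AD CS configuration layout, each entry stored as "<flags>:<url template>"), keeps only the HTTP entries, and shows which of them are actually stamped into issued certificates. The flag bit values are AD CS's CSURL_* constants; the hostname resolution at the end is the check that tells you which names the later redirection step has to cover.

```powershell
# Added example (not from the original article): list the CDP/AIA URLs the
# old CA publishes and points clients at. Assumption: run elevated on the old CA.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey).Active   # name of the active CA
$caKey     = Join-Path $configKey $caName

# Flag bits in each "<flags>:<url>" entry (AD CS CSURL_* values)
$FlagPublish      = 1    # CA writes the CRL/cert file to this location itself
$FlagAddToCertExt = 2    # URL is placed in the CDP/AIA extension of issued certs
$FlagPublishDelta = 64   # CA writes delta CRLs to this location

function Get-CaPublicationUrls {
    param(
        [Parameter(Mandatory)][ValidateSet('CRLPublicationURLs','CACertPublicationURLs')]
        [string]$ValueName
    )
    $entries = (Get-ItemProperty -Path $caKey -Name $ValueName).$ValueName
    foreach ($entry in $entries) {
        # e.g. "65:http://crl.yourdomain.com/CertData/%3%8%9.crl"
        $flags, $url = $entry -split ':', 2
        $scheme = if ($url -match '^(\w+):') { $Matches[1].ToLower() } else { 'file' }
        [pscustomobject]@{
            Source        = $ValueName
            Scheme        = $scheme
            Url           = $url
            Published     = ([int]$flags -band $FlagPublish) -ne 0
            PublishDelta  = ([int]$flags -band $FlagPublishDelta) -ne 0
            InIssuedCerts = ([int]$flags -band $FlagAddToCertExt) -ne 0
        }
    }
}

# Only HTTP matters for this procedure; LDAP and local file entries are ignored
$httpUrls = @('CRLPublicationURLs','CACertPublicationURLs') |
    ForEach-Object { Get-CaPublicationUrls -ValueName $_ } |
    Where-Object { $_.Scheme -eq 'http' }

$httpUrls | Format-Table Source, Url, Published, PublishDelta, InIssuedCerts -AutoSize

# Hostnames embedded in issued certificates must keep answering after the old
# CA is gone. Expand %1/%2 (server FQDN/short name) so a URL such as
# http://%1/CertData/... resolves to a real host; other tokens are not hostnames.
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$hosts = $httpUrls | Where-Object InIssuedCerts | ForEach-Object {
    $u = $_.Url.Replace('%1', $fqdn).Replace('%2', $env:COMPUTERNAME).Replace('%', '_')
    ([uri]$u).Host
} | Sort-Object -Unique

foreach ($h in $hosts) {
    try {
        $rec = Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
               Where-Object IPAddress | Select-Object -First 1
        "{0} -> {1}" -f $h, $rec.IPAddress
    } catch {
        "{0} -> UNRESOLVED (this name must exist before the old CA is removed)" -f $h
    }
}
```

The hostnames printed at the end are the targets of the CNAME or IIS redirection in the later step; an entry with PublishDelta set is also a reminder that delta CRL publishing is still on and must be turned off in the next step.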

Disable Delta CRL and configure an extended CRL publication interval

In the Certificate Authority Management Console, right-click your Revoked Certificates folder, and click Properties. Here, we need to uncheck the Publish Delta CRLs checkbox. Then, we need to set an extended publication interval for the certificate revocation list (CRL).

Unchecking Publish Delta CRLs and setting an extended CRL publication interval


Once you have changed the CRL publishing parameters, open a command prompt and run certutil -crl. This command publishes a new certificate revocation list (CRL) with the new settings.
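The same change can be scripted, which also makes it easy to verify that the published CRL really carries the longer lifetime. The following is an added example, not code from the original article; it writes the same CA registry values the Revoked Certificates properties dialog writes, restarts the CA service so they take effect, republishes the CRL, and then reads ThisUpdate/NextUpdate back from the .crl file in CertEnroll with certutil -dump. The 52-week interval is a placeholder; the interval you choose must outlast the longest-lived certificate the old CA issued, because nothing will republish this CRL once the server is gone.

```powershell
# Added example (not from the original article). Assumption: run elevated on
# the old CA; 52 weeks is a placeholder interval.
$crlPeriodUnits = 52
$crlPeriod      = 'Weeks'

# Same values the Revoked Certificates > Properties dialog sets
certutil -setreg CA\CRLPeriodUnits $crlPeriodUnits | Out-Null
certutil -setreg CA\CRLPeriod $crlPeriod           | Out-Null
certutil -setreg CA\CRLDeltaPeriodUnits 0          | Out-Null   # 0 = no delta CRLs

Restart-Service -Name CertSvc        # -setreg changes apply after a restart
certutil -crl | Out-Null             # publish a fresh base CRL

function Get-CrlValidity {
    # Parse the ThisUpdate/NextUpdate lines from certutil -dump of a CRL file
    param([Parameter(Mandatory)][string]$Path)
    $dump = certutil -dump $Path
    $this = ($dump | Select-String '^\s*ThisUpdate:\s*(.+)$' | Select-Object -First 1).Matches[0].Groups[1].Value
    $next = ($dump | Select-String '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1).Matches[0].Groups[1].Value
    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        IsDelta    = ($dump -match 'Delta CRL Indicator').Count -gt 0
        ThisUpdate = [datetime]::Parse($this)   # certutil prints local-culture dates
        NextUpdate = [datetime]::Parse($next)
    }
}

$certEnroll = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
$crls = Get-ChildItem -Path $certEnroll -Filter '*.crl' |
        ForEach-Object { Get-CrlValidity -Path $_.FullName }
$crls | Format-Table -AutoSize

# Check: the newest base CRL should now be valid for roughly the configured period
$base = $crls | Where-Object { -not $_.IsDelta } |
        Sort-Object ThisUpdate -Descending | Select-Object -First 1
$expected = (Get-Date).AddDays(7 * $crlPeriodUnits)
if ($base.NextUpdate -lt $expected.AddDays(-1)) {
    Write-Warning "Base CRL NextUpdate is $($base.NextUpdate); expected about $expected. Check the registry values and republish."
} else {
    "Base CRL $($base.File) is valid until $($base.NextUpdate)"
}
```

If a delta CRL (a file whose dump contains the Delta CRL Indicator extension) still appears in CertEnroll after this runs, it is a leftover from before the change; clients will stop looking for deltas once they receive the new base CRL, which no longer advertises a freshest-CRL location.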

Copy the old CA's certificate and CRL files to the new server

The CertData directory is a special directory that provides access to important certificate files for domain users and computers, including workstations and servers. This folder is created as a virtual directory under the default website.

We need to copy the old certification authority's certificate and CRL files to the new server. Your new server will host the http://crl.yourdomain.com/CertData virtual directory. The files are found in the %windir%\System32\CertSrv\CertEnroll directory and need to be copied to the new server directory hosting the CertData folder.

Copy the CRL and certificate files from the old certificate authority to the new


Copy the certificate and CRL files to your new Certificate Authority Server, which hosts the CertData virtual directory.

Redirect the AIA and CRL distribution points

Now, we need to redirect the AIA and CRL distribution points to the new server hosting the CertData directory. You can accomplish the redirection in a couple of ways, including:

  • IIS redirection
  • DNS CNAME redirection

This redirects all new requests for the old server to the new Certificate Authority server hosting the CertData virtual directory.

Redirecting CertData to a new server

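The copy and the redirection, together with the check a client would perform, as an added example that is not code from the original article. It copies the .crl and .crt files from the old CA's CertEnroll folder to the CertData folder on the new server and compares SHA-256 hashes, then applies one of the two redirection methods named above (a DNS CNAME via the DnsServer module, or an IIS HTTP redirect via the WebAdministration module on the old web server, which requires the HTTP Redirection role service), and finally runs certutil -verify -urlfetch on a certificate issued by the old CA so that the AIA and CDP URLs embedded in it are fetched the way CryptoAPI fetches them. All server names, paths, the zone name and the CA common name are placeholders.

```powershell
# Added example (not from the original article). All names below are
# placeholders to replace with your own environment's values.
$source      = '\\OLDCA.yourdomain.com\C$\Windows\System32\CertSrv\CertEnroll'
$destination = '\\NEWCA.yourdomain.com\C$\inetpub\wwwroot\CertData'
$zone        = 'yourdomain.com'
$cdpHostName = 'crl'                   # the "crl" of crl.yourdomain.com
$newHost     = 'NEWCA.yourdomain.com'
$oldCaName   = 'Your Old CA'           # CN of the old CA's certificate

# 1. Copy the CRL and certificate files and confirm each copy by hash
$files = Get-ChildItem -Path "$source\*" -Include '*.crl','*.crt' -File
foreach ($f in $files) {
    $target = Join-Path $destination $f.Name
    Copy-Item -Path $f.FullName -Destination $target -Force
    $srcHash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $target    -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Copy of $($f.Name) does not match the source file" }
    "{0,-45} copied, sha256 {1}..." -f $f.Name, $srcHash.Substring(0, 12)
}

# 2. Redirect the CDP/AIA hostname. Use ONE of the two methods from the article.
$method = 'CNAME'    # or 'IIS'
switch ($method) {
    'CNAME' {
        # A name cannot hold both an A and a CNAME record, so drop any A record first
        Remove-DnsServerResourceRecord -ZoneName $zone -Name $cdpHostName -RRType A -Force -ErrorAction SilentlyContinue
        Add-DnsServerResourceRecordCName -ZoneName $zone -Name $cdpHostName -HostNameAlias $newHost
    }
    'IIS' {
        # Run on the OLD web server: permanent redirect of /CertData to the new host
        Import-Module WebAdministration
        $vdir = 'IIS:\Sites\Default Web Site\CertData'
        $flt  = 'system.webServer/httpRedirect'
        Set-WebConfigurationProperty -PSPath $vdir -Filter $flt -Name 'enabled'            -Value $true
        Set-WebConfigurationProperty -PSPath $vdir -Filter $flt -Name 'destination'        -Value "http://$newHost/CertData"
        Set-WebConfigurationProperty -PSPath $vdir -Filter $flt -Name 'exactDestination'   -Value $false
        Set-WebConfigurationProperty -PSPath $vdir -Filter $flt -Name 'httpResponseStatus' -Value 'Permanent'
    }
}

# 3. Verify like a client: certutil -verify -urlfetch downloads every AIA and
#    CDP URL embedded in the certificate and reports each fetch
$issued = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Issuer -like "CN=$oldCaName*" } | Select-Object -First 1
if (-not $issued) {
    Write-Warning "No certificate issued by '$oldCaName' found in LocalMachine\My to test with"
    return
}
$tmp = Join-Path $env:TEMP 'issued-by-old-ca.cer'
Export-Certificate -Cert $issued -FilePath $tmp -Force | Out-Null
$report   = certutil -verify -urlfetch $tmp
$failures = $report | Select-String -Pattern 'Error retrieving URL|Failed "'
if ($failures) { $failures | ForEach-Object { Write-Warning $_.Line } }
else           { "All AIA/CDP fetches for '$($issued.Subject)' succeeded through the redirected location" }
```

Run the verification from a workstation, not from the new CA itself, so that DNS caching and local copies of the files cannot mask a broken redirect; a "Failed "CDP"" or "Error retrieving URL" line in the report means clients will be unable to check revocation for the old CA's certificates once the old server is switched off.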

Remove all certificate templates available on the old CA

We can now delete all certificate templates from the old Certificate Authority server. This action prevents the server from issuing any further certificates. To easily document the templates on the server before removing them, you can export the list with the certutil command. Use the following (the command writes to standard output, so redirect it to a file):

certutil -catemplates > c:\catemplates.txt

Now, we can delete the certificate templates on the old server.

Delete the certificate templates on the old server

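The inventory-then-remove step can be done without the console using the ADCSAdministration module that ships with the AD CS role. The following is an added example, not code from the original article; it keeps the same c:\catemplates.txt file the text describes, adds a CSV copy with template OIDs for later comparison against the new CA, removes every template with Remove-CATemplate, and checks that nothing is left for the old CA to issue. It assumes it is run elevated on the old CA.

```powershell
# Added example (not from the original article). Assumption: run elevated on the old CA.
Import-Module ADCSAdministration

# Inventory: the article's text file plus a structured copy (name and OID)
certutil -catemplates > C:\catemplates.txt
$templates = @(Get-CATemplate)
$templates | Select-Object Name, Oid |
    Export-Csv -Path C:\catemplates.csv -NoTypeInformation
"Recorded {0} template(s) before removal" -f $templates.Count

# Remove every template. Certificates already issued are unaffected; only
# new enrollment against this CA stops.
foreach ($t in $templates) {
    Remove-CATemplate -Name $t.Name -Force
    "Removed template {0} ({1})" -f $t.Name, $t.Oid
}

# Check: the CA should now offer nothing
$remaining = @(Get-CATemplate)
if ($remaining.Count -eq 0) {
    'Old CA now offers no certificate templates'
} else {
    Write-Warning ("Templates still enabled: " + ($remaining.Name -join ', '))
}
```

Keep the CSV with the OIDs: a custom template is identified by its OID in the certificate database, and that OID is what the later inventory of issued certificates is restricted on.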

With the above actions, the old Certification Authority can't issue any certificates and has all of its Authority Information Access (AIA) and Certificate Revocation List (CRL) redirected to a new CertData website hosted on the new server.

Next, we will see how to document the certificates issued by templates from the old Certification Authority and how to make them available at the new Certification Authority.

Document certificates issued by templates from the old CA

To begin, identify the certificates issued by the default certificate template types. Microsoft documents these here. For the default template types, run the following:

certutil -view -restrict "Certificate Template=<template>" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\<template>.txt

For custom template types, you need to get the OID of the template from the Extensions tab under Certificate Templates > Manage. Copy the OID. It will look something like 1.4.3.2.4.2.400.31.7.12322620.14758374.2734910.98347291.93471032.70.43821129.14832291

Then run:

certutil -view -restrict "Certificate Template=<OIDNumber>" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\CustomTemplateType.txt

Based on the certificates discovered in the above steps, you can log in to the new certificate server and enable the certificate templates needed in the Enable Certificate Templates window.

Enable certificate templates on the new server

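The per-template queries above produce one text file per template. The following added example (not code from the original article) runs the same certutil -view query for each template name or OID but asks certutil for csv output, so the rows can be merged, filtered to certificates that are still valid, and turned into the list to hand to application administrators. It additionally restricts on Disposition=20, the database value for an issued request, so revoked and failed requests are left out, and it reports the latest expiry date among the still-valid certificates, which is the date until which the old CA's CRL must remain reachable. The template list is a constructed placeholder; the query output is read positionally so it does not depend on certutil's column display names.

```powershell
# Added example (not from the original article). Assumption: run on the old CA
# (or add -config "host\CAName"); the template list below is a placeholder.
$templates = @(
    'WebServer',                               # default template: use its name
    '1.3.6.1.4.1.311.21.8.1.2.3.4.5.6.7.8.9'    # custom template: use its OID (placeholder)
)
$outDir = 'C:\cert-inventory'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Get-IssuedCertificates {
    param([Parameter(Mandatory)][string]$Template)
    # Disposition 20 = issued (21 = revoked). The trailing "csv" makes certutil
    # print a CSV table: a header row, the data rows, then its status line.
    $csv = certutil -view `
        -restrict "Certificate Template=$Template,Disposition=20" `
        -out "RequestID,SerialNumber,NotBefore,NotAfter,DistinguishedName,CommonName" csv
    $rows = $csv | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
            Select-Object -Skip 1 |
            ConvertFrom-Csv -Header 'RequestID','SerialNumber','NotBefore','NotAfter','DistinguishedName','CommonName'
    foreach ($r in $rows) {
        [pscustomobject]@{
            Template          = $Template
            RequestID         = [int]$r.RequestID
            SerialNumber      = $r.SerialNumber
            CommonName        = $r.CommonName
            DistinguishedName = $r.DistinguishedName
            NotBefore         = [datetime]::Parse($r.NotBefore)   # certutil uses the local culture
            NotAfter          = [datetime]::Parse($r.NotAfter)
        }
    }
}

$inventory = foreach ($t in $templates) { Get-IssuedCertificates -Template $t }
$inventory | Export-Csv -Path (Join-Path $outDir 'all-issued.csv') -NoTypeInformation

# Only unexpired certificates need to be reissued from the new CA
$now    = Get-Date
$active = $inventory | Where-Object { $_.NotAfter -gt $now }
$active | Sort-Object NotAfter |
    Export-Csv -Path (Join-Path $outDir 'needs-reissue.csv') -NoTypeInformation

$inventory | Group-Object Template | ForEach-Object {
    $live = @($_.Group | Where-Object { $_.NotAfter -gt $now }).Count
    "{0,-45} issued={1,5}  still valid={2,5}" -f $_.Name, $_.Count, $live
}

# The old CA's CRL and AIA locations must stay reachable at least until this date
$lastExpiry = ($active | Measure-Object -Property NotAfter -Maximum).Maximum
"Latest expiry among still-valid certificates: $lastExpiry"
```

needs-reissue.csv is the list to go through with the application administrators; all-issued.csv is the record to keep with the old CA's backup. The latest expiry date is also the lower bound for the extended CRL publication interval chosen earlier.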

Now, you need to consult with the application administrator to reissue the certificates from the new CA infrastructure. However, this task does not have to be accomplished immediately. Instead, the certificates can be migrated to the new infrastructure once the new CA is up and running and issuing certificates.

Once the new infrastructure issues all certificates, you can safely back up your old server and remove it by uninstalling the Certificate Services role.

Wrapping up

Using the steps above, we can remove an old certification authority and migrate certificates to the new CA server. Many tasks involve discovering which certificates have been issued from the old certificate authority and migrating them to the new CA.


The certificates can be migrated gradually to the new infrastructure, after which the old server can be decommissioned. This metered approach allows proceeding carefully without disrupting business-critical services.

© 4sysops 2006 - 2023
