Let's look at the general steps required to remove an old Windows certificate authority without affecting previously issued certificates.

Overview of the process

Removing an old certificate authority generally involves the steps below. Note that additional steps may vary depending on the infrastructure configuration of each organization's certificate authority.

  1. Identify the Authority Information Access (AIA) and CRL distribution points (CDP).
  2. Disable Delta CRL and configure an extended CRL publication interval.
  3. Copy the old certificate authority's certificate and CRL files to the new server hosting the CertData.
  4. Redirect the AIA and CRL distribution points.
  5. Remove all certificate templates available on the old CA.
  6. Document certificates issued by templates from the old certificate authority.

Identify the AIA and CDP distribution points

First, we must identify the AIA and CDP. Open the Certificate Authority Management Console. Right-click the name of your Certificate Authority Server in the tree, and select Properties. In the properties dialog box, select the Extensions tab. Note the AIA and CDP distribution points. Here, you will ignore the listings for LDAP and the local c:\%windir% location.

Document the CDP location on your old certificate server

Document the CDP location on your old certificate server

Do the same for the AIA URLs.

Document the Authority Information Access AIA

Document the Authority Information Access AIA

Disable Delta CRL and configure an extended CRL publication interval

In the Certificate Authority Management Console, right-click your Revoked Certificates folder, and click Properties. Here, we need to uncheck the Publish Delta CRLs checkbox. Then, we need to set an extended publication interval for the certificate revocation list (CRL).

Unchecking Publish Delta CRLs and setting an extended CRL publication interval

Unchecking Publish Delta CRLs and setting an extended CRL publication interval

Once you have changed the CRL publishing parameters, open the command prompt and run the following from the command line: certutil -crl. This command issues a new certificate revocation list (CRL).

Copy the old CA's certificate and CRL files to the new server

The CertData directory is a special directory that provides access to important certificate files for domain users and computers, including workstations and servers. This folder is created as a virtual directory under the default website.

We need to copy the old certification authority's certificate and CRL files to the new server. Your new server will host the http://crl.yourdomain.com/CertData virtual directory. The files are found in the %windir%\System32\CertSrv\CertEnroll directory and need to be copied to the new server directory hosting the CertData folder.

Copy the CRL and certificate files from the old certificate authority to the new

Copy the CRL and certificate files from the old certificate authority to the new

Copy the certificate and CRL files to your new Certificate Authority Server, which hosts the CertData virtual directory.

Redirect the AIA and CRL distribution points

Now, we need to redirect the AIA and CRL distribution points to the new server hosting the CertData directory. You can accomplish the redirection in a couple of ways, including:

  • IIS redirection
  • DNS CNAME redirection

This redirects all new requests for the old server to the new Certificate Authority server hosting the CertData virtual directory.

Redirecting CertData to a new server

Redirecting CertData to a new server

Remove all certificate templates available on the old CA

We can now delete all old certificate templates from the old Certificate Authority server. This action prevents the server from issuing any other certificates. To easily document the templates on the server, you can export them using the certutil command. Use the following:

Certutil -catemplates c:\catemplates.txt

Now, we can delete the certificate templates on the old server.

Delete the certificate templates on the old server

Delete the certificate templates on the old server

With the above actions, the old Certification Authority can't issue any certificates and has all of its Authority Information Access (AIA) and Certificate Revocation List (CRL) redirected to a new CertData website hosted on the new server.

Next, we will see how to document the certificates issued by templates from the old Certification Authority and how to make them available at the new Certification Authority.

Document certificates issued by templates from the old CA

To begin, identify the certificates issued by the default certificate template types. Microsoft documents these here. For the default template types, run the following:

certutil -view -restrict "Certificate Template=<template>" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\ <template>.txt

For custom template types, you need to get the OID number of the template from the Extensions tab under Certificate Templates > Manage. Copy the OID number. It will look like 1.4.3.2.4.2.400.31.7.12322620.14758374.2734910.98347291.93471032.70.43821129.14832291

Then run:

certutil -view -restrict "Certificate Template=<OIDNumber>" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\ CustomTemplateType .txt

Based on the certificates discovered in the above steps, you can log in to the new certificate server and enable the certificate templates needed in the Enable Certificate Templates window.

Enable certificate templates on the new server

Enable certificate templates on the new server

Now, you need to consult with the application administrator to reissue the certificates from the new CA infrastructure. However, this task does not have to be accomplished immediately. Instead, they can be migrated to the new infrastructure once the new CA is up and running and issuing certificates.

Once the new infrastructure issues all certificates, you can safely back up your old server and remove it by uninstalling the Certificate Services role.

Wrapping up

Using the steps above, we can remove an old certification authority and migrate certificates to the new CA server. Many tasks involve discovering which certificates have been issued from the old certificate authority and migrating them to the new CA.

Subscribe to 4sysops newsletter!

However, they can be migrated gradually to the new infrastructure. The old server can then be decommissioned. This metered approach allows proceeding carefully without disrupting business-critical services.

0 Comments

Leave a reply

Please enclose code in pre tags

Your email address will not be published.

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account