Getting rid of my Certification Authority

Microsoft Applications Security

Posted by justmark on April 25, 2008, 3:56 pm
We don't really use this anyway, although some people did, in the past. I
have to decommission the hardware on which the CA lives and for the near-term,
have decided to just not establish another.
I have a couple of questions: First of all, if somebody, somewhere, has an
encrypted folder (they all swear they don't, but I can't go poking around to
make sure), will they lose access to their files or will their files simply
become unencrypted when I decommission the CA?
Secondly, when I look at issued certificates, I see some of my servers - most
notably, my DCs. I don't know exactly why they've requested certificates,
but what will happen to them if I decommission the CA?

Thanks for any advice!
Mark

Posted by Brian Komar (MVP) on April 26, 2008, 8:18 am
inline...
> We don't really use this anyway, although some people did, in the past. I
> have to decomission the hardware on which the CA lives and for the
> near-term,
> have decided to just not establish another.
> I have a couple of questions: First of all, if somebody, somewhere, has
> an
> encrypted folder (they all swear they don't, but I can't go poking around
> to
> make sure), will they lose access to their files or will their files
> simply
> become unencrypted when I decommission the CA?
If decommissioned, and you have not maintained the KRA certificate and
private key or the DRA certificate and private key, they are out of luck.
Decommissioning a CA does not decrypt files.

> Secondly, when I look at issued certificates, I see some of my server -
> most
> notably, my DCs. I don't know exactly why they've requested certificates,
> but what will happen to them if I decommission the CA?

They will fail for LDAP/SSL connections. You should remove all of the DC
certs:
    certutil -dcinfo DELETEALL

>
> Thanks for any advice!
> Mark


Posted by justmark on April 26, 2008, 9:09 am
"Brian Komar (MVP)" wrote:

inline...

> If decommissioned, and you have not maintained the KRA certificate and
> private key or the DRA certificate and private key, they are out of luck.
> Decommissioning a CA does not decrypt files.

Okay, then is there a way I can test this? For instance, can I stop a CA
service on the server to "simulate" removal of the CA? Something that I can
test and then if somebody screams (unlikely, but you never know), I can just
turn it back on and dig in further to help them get their stuff unencrypted?


> They will fail for LDAP/SSL connections. You should remove all of the DC
> certs
> certutil -dcinfo DELETEALL

Running this on the CA will remove them and I'll be okay?

Thanks for the help,
Mark

Posted by Brian Komar (MVP) on April 26, 2008, 1:10 pm
You could just stop the service to simulate the removal.
And yes, you can run the command from the CA.
If there are multiple domains, the command must be run on one domain member
(does not have to be a CA) as a member of that domain, for each domain.
Brian

> "Brian Komar (MVP)" wrote:
>
> inline...
>
>> If decommissioned, and you have not maintained the KRA certificate and
>> private key or the DRA certificate and private key, they are out of luck.
>> Decommissioning a CA does not decrypt files.
>
> Okay, then is there a way I can test this? For instance, can I stop a CA
> service on the server to "simulate" removal of the CA? Something that I
> can
> test and then if somebody screams (unlikely, but you never know), I can
> just
> turn it back on and dig in further to help them get their stuff
> unencrypted?
>
>
>> They will fail for LDAP/SSL connections. You should remove all of the DC
>> certs
>> certutil -dcinfo DELETEALL
>
> Running this on the CA will remove them and I'll be okay?
>
> Thanks for the help,
> Mark

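The pre-decommission checks Brian describes (stop the service to simulate removal, review what the CA's disappearance would affect, then clean up the DC certs), written out as an added PowerShell example that is not from the thread. It assumes the AD CS service is named CertSvc, that cipher.exe and certutil.exe are on PATH, and that cipher's /C switch is available (Windows Vista/2008 or later); the certutil step is run once per domain, as Brian notes.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on the CA. Assumes the AD CS service is named CertSvc (the standard name).

# 1. Simulate removal: stop, but do not uninstall, the CA service so it can
#    simply be restarted if somebody reports a problem.
Stop-Service -Name CertSvc
Get-Service -Name CertSvc | Select-Object Name, Status

# 2. Inventory EFS-encrypted files on this machine's local drives.
#    cipher /U /N only lists them; it does not touch keys or files.
#    Run the same step on workstations of anyone who "swears" they have none.
$encrypted = cipher.exe /U /N 2>$null | Where-Object { $_ -match '^[A-Za-z]:\\' }
"{0} encrypted file(s) found on local drives" -f @($encrypted).Count
$encrypted

# 3. Before the CA goes away, confirm a recovery agent is listed on each file:
#    cipher /C shows the users and the recovery (DRA) certificates that can
#    decrypt it. A file with no recovery certificate is the "out of luck" case.
$encrypted | ForEach-Object { cipher.exe /C $_ }

# 4. Review the DC certificates the thread talks about (no deletion yet).
certutil.exe -dcinfo

# 5. Only after the above looks right, remove the DC certs as Brian advises,
#    once per domain from a member of that domain:
# certutil.exe -dcinfo DELETEALL
```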

Posted by justmark on April 28, 2008, 9:54 am
Thanks Brian!

Mark




"Brian Komar (MVP)" wrote:

> You could just stop the service to simulate the removal.
> And yes, you can run the command from the CA.
> If there are multiple domains, the command must be run on one domain member
> (does not have to be a CA) as a member of that domain for each domain
> Brian