Retiring Root CA

Microsoft Applications Security
Subject: Retiring Root CA

Posted by Polo on December 18, 2006, 5:47 am
Hi All,

We are retiring the root Enterprise CA located in a remote office and I had
created a Sub CA in our office pointing to the root. This Sub CA issues
certificates to our wireless clients via a RADIUS server. Now my question is
what do I need to do so that when the root is retired the Sub CA carries on
issuing certificates to wireless clients?

Many thanks
--
Regards
Polo

Posted by Polo on December 18, 2006, 10:00 am
Just to add there is only the one enterprise root CA and 1 Subordinate CA.
--
Regards
Polo



Posted by Dan L on December 19, 2006, 5:27 pm
Not an expert here, but I believe your organization is going to have to stand
up a new root CA and then you will have to establish trust for your subCA
with that new root.


Posted by Polo on December 21, 2006, 12:21 pm
Just what I thought, not getting new hardware so may reconfigure the SubCA to
be the Root!!
All wireless clients will suffer some interruption though not sure how!
--
Regards
Polo



Posted by Carsten Kinder [MSFT] on December 22, 2006, 2:52 am

> Just what I thought, not getting new hardware so may reconfigure the SubCA to
> be the Root!!
> All wireless clients will suffer some interruption though not sure how!
There is no way to turn a subordinate CA into a root CA. However, from a
best practices approach you should keep a root and a subordinate issuing CA.

If you are decommissioning the root CA, make sure that you extend the
validity of the CRL so that clients can still verify the CRL that was issued
by the root. If you miss that step your clients will stop working when the
CRL from the root expires. Here is a brief action plan:

set up a new root
subordinate the current issuing CA to the new root
enroll new wireless certificates to all clients. These certificates will
chain to the new root and the renewed issuing CA certificates
make sure that the clients use the newly enrolled certificate. If required,
remove the client certificates that chain to the old root with CAPICOM
change the validity of the existing root so that it is valid until the current
root CA certificate expires
make sure that the CRL distribution point is available for all clients until
the CRL from the current root expires
revoke the subordinate CA certificate at the current root.
publish a new CRL from your current root. If clients have not gotten a new
certificate that is signed by the renewed subordinate CA certificate, they
will fail here once they retrieve the updated CRL from the root
decommission the root CA in your branch office

http://support.microsoft.com/search/default.aspx?catalog=LCID%3D1033&spid=global&query=decommission+ca&adv=&mode=r&cat=False
also gives you some relevant KB articles.

If this is really business critical, you should have a test-environment
where you can exercise the procedure before performing it in your production
environment.

--
Carsten Kinder
Microsoft Services

This posting is provided "AS IS" with no warranties, and confers no rights.
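The action plan above, expressed as the certutil and PowerShell commands an administrator would type for each step. This is an added example and is not part of the thread or of any Microsoft procedure; every host name, file path, thumbprint and serial number in it is a placeholder to be replaced. One substitution is made deliberately: the CAPICOM cleanup of old client certificates is replaced by .NET chain building from PowerShell, which is a different technique from the one the post names. The NextUpdate check assumes the "NextUpdate:" line that certutil -dump prints for a CRL.

```powershell
# Added example (not from the thread). Each function says which machine it runs on.
# Nothing runs by itself: call the functions in the order numbered below.

$OldRootCertPath = 'C:\pki\OldRoot.crt'     # assumed: exported old root certificate
$OldRootCrlPath  = 'C:\pki\OldRoot.crl'     # assumed: copy of the CRL fetched from the root's CDP
$NewRootCertPath = 'C:\pki\NewRoot.crt'     # assumed: exported new root certificate
$IssuingCertPath = 'C:\pki\IssuingCA.crt'   # assumed: renewed issuing-CA certificate
$OldRootThumb    = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed SHA-1 thumbprint of old root

# 1. On the NEW root: publish it to AD so domain members trust it. Needed when the new
#    root is a standalone (offline) CA; an enterprise root publishes itself on install.
function Publish-NewRootToAD {
    certutil -dspublish -f $NewRootCertPath RootCA
}

# 2. On the ISSUING CA: renew its certificate under the new root. ReuseKeys keeps the
#    existing key pair; omit it to roll the key as well. With no parent CA given,
#    certutil writes a .req file to submit to the new root; install the answer after.
function Renew-IssuingCaUnderNewRoot {
    certutil -renewCert ReuseKeys
    # submit the .req on the new root, then on the issuing CA:
    # certutil -installCert $IssuingCertPath
}

# 3. On each CLIENT: trigger autoenrollment now instead of waiting for the next pulse,
#    so the wireless certificate from the renewed issuing CA is requested immediately.
function Request-NewClientCertificate {
    certutil -pulse
}

# 4. On each CLIENT: list (and with -Remove, delete) certificates whose chain still
#    ends at the old root. Revocation is skipped because only the reached root matters.
function Get-CertsChainingToOldRoot {
    param([string]$StorePath = 'Cert:\LocalMachine\My', [switch]$Remove)
    foreach ($cert in Get-ChildItem $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($cert)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($top.Thumbprint -eq $OldRootThumb) {
            $cert
            if ($Remove) { Remove-Item $cert.PSPath }
        }
    }
}

# 5. On the OLD root: make every CRL it publishes from now on valid until the root
#    certificate itself expires, and stop delta CRLs so clients never look for a
#    fresher delta that will not come. Registry changes apply only after a restart.
function Set-OldRootCrlLifetime {
    $root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OldRootCertPath
    $weeks = [math]::Ceiling((New-TimeSpan -Start (Get-Date) -End $root.NotAfter).TotalDays / 7)
    certutil -setreg CA\CRLPeriodUnits $weeks
    certutil -setreg CA\CRLPeriod "Weeks"
    certutil -setreg CA\CRLDeltaPeriodUnits 0
    Restart-Service certsvc
}

# 6. On the OLD root, only after every client holds its new certificate: revoke the
#    issuing CA's old certificate and publish the final, long-lived CRL.
#    Find the serial with:
#    certutil -view -restrict "Disposition=20" -out "RequestID,SerialNumber,CommonName,NotAfter"
function Revoke-OldIssuingCaCert {
    param([string]$SerialNumber)
    certutil -revoke $SerialNumber 4    # 4 = Superseded
    certutil -CRL                       # CRL carries the lifetime set in step 5
}

# 7. From any machine that can reach the CDP: confirm the published CRL really lasts
#    until the old root expires, and that the renewed issuing-CA certificate validates
#    the way a client would see it (-urlfetch pulls the AIA and CDP URLs).
function Get-CrlNextUpdate {
    param([string]$CrlPath)
    $m = certutil -dump $CrlPath | Select-String 'NextUpdate:\s*(.+)$' | Select-Object -First 1
    if (-not $m) { throw "no NextUpdate line in $CrlPath" }
    [datetime]::Parse($m.Matches[0].Groups[1].Value.Trim())   # locale-formatted date
}

function Test-Decommission {
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OldRootCertPath
    $next = Get-CrlNextUpdate $OldRootCrlPath
    $ok   = $next -ge $root.NotAfter.AddDays(-1)      # one day of slack for clock skew
    "old root expires $($root.NotAfter); its CRL is valid until $next; covered=$ok"
    certutil -verify -urlfetch $IssuingCertPath | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning 'renewed issuing-CA certificate does not validate' }
    return $ok
}
```

Step 5 sizes the CRL period in weeks from the root certificate's remaining lifetime rather than guessing a large number, and step 7 reads the NextUpdate back from the CRL actually published, so the one check the post warns about (clients failing when the root's last CRL expires) is verified on the artifact clients will download, not on the registry setting. Run step 7 again after step 6, since the CRL published there is the one that has to outlive the root.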

