Migrate standalone root CA to enterprise root CA

Hi all,
I have to migrate an existing standalone root CA, which runs on a Windows 2003 R2 server, to an enterprise root CA running on a Windows 2012 R2 server.
Is it possible in one hop?
I've found documentation about migrating from standalone 2003 to standalone 2012.
I've found no documentation about changing from standalone 2003 to enterprise 2012, or about a 2-hop method (first 2003 -> 2012, then standalone -> enterprise).

Andrea Caldarone
As far as I know there is no document indicating that we can "double hop" migrate a 2003 standalone CA to a 2012 R2 CA; all the documents I can find indicate that we can migrate the same type of CA to 2012 R2.
The related KB:
Migrating from a Stand-alone to an Enterprise CA
https://technet.microsoft.com/en-us/library/cc785411%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
Active Directory Certificate Services Migration Guide for Windows Server 2012 R2
https://technet.microsoft.com/en-us/library/dn486797.aspx
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2
http://blogs.technet.com/b/canitpro/archive/2014/11/12/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2.aspx
More information:
Migrating from a Stand-alone to an Enterprise CA
https://technet.microsoft.com/en-us/library/cc785411(v=ws.10).aspx
Upgrading from Enterprise CA from Standalone (Windows Server 2008 R2 Std) on the same hardware. Possible?
https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f57e28d-0845-491c-a5fe-ca027ee67232/upgrading-from-enterprise-ca-from-standalone-windows-server-2008-r2-std-on-the-same-hardware?forum=winserverMigration
I’m glad to be of help to you!
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Similar Messages

  • Issues with running Server 2012R2 Essentials as an Offline Standalone Root CA?

    Hi everyone,
    I've searched this forum as well as Google and have not been able to find any concrete answers, so I am hoping one of you experts will be able to assist me.
    I have an all Windows 2008 server/domain environment. I was looking at implementing a two-tier PKI with an offline, standalone root CA and an enterprise issuing CA (2008 member server). Budgets are tight, so I was hoping I could get away with using Server 2012 R2 Essentials as the offline standalone root.
    It is my understanding that 2012 Essentials is configured as a DC by default and needs to remain that way per licensing. I know the recommended configuration for an offline root would be to have the server be in a workgroup and not on a domain.
    So question 1 is: will 2012 Essentials work as an offline standalone root?
    Question 2 is: will there be any issues with it running as described? In other words, will the fact that it is the sole DC in its own domain cause issues with its use as an offline root?
    Thank you in advance for your help!

    The Essentials Experience role runs on Server Standard and is very different from the Essentials product in both licensing and pricing. While you can indeed buy Standard and deploy the Essentials Experience role as a "standalone" server, there would be ZERO benefit in a PKI offline root scenario: the Essentials role has no automation or configuration options in the dashboard for that use case, and, as for pricing, you'd still be paying for Server Standard.
    The Essentials product (or SKU) has the benefit of reduced cost, but cannot be deployed standalone and has enough other restrictions that it is not well suited for the desired use.
    So either way, my answer stands. Essentials (product or role) is not the right tool for the job in this case.

  • Migrate from ISA 2006 SP1 Enterprise Edition to TMG

    Hi,
    I want to migrate the ISA 2006 SP1 Enterprise Edition to TMG, but some of the posts are saying that it is not supported and you cannot do that. Is there someone who can help me regarding this, i.e. is it possible to migrate? I saw TechNet, which only mentions Standard Edition support, and there is nothing about ISA 2006 Enterprise Edition; even on isaserver.org I read that migration from ISA Enterprise Edition is not supported. My ISA server is a standalone server.
    Regards,
    Salahuddin Khatri
    SKHATRI

    Hi All,
    Thank you for your replies; the following is what I have done.
    I have an ISA 2006 SP2 Enterprise Edition standalone server, but you will still see Array and Enterprise.
    1. Export the ISA configuration from the top of the console; do not export it from Enterprise nor from Array, you have to export it from the top one.
    2. Download and install EESingleServerConversionPack.exe (you can install it on your own machine), then navigate to the directory where you have installed EESingleServerConversionPack.exe and run the command EESingleServerConversionPack.exe /s <path of the source file> /t <path of the target file>. Note: if you have named the ISA configuration file with a space, do not include the space in the command.
    3. Install TMG, export the certificates from the ISA server and import them into the TMG server.
    4. In my scenario ISA was acting as a back-end firewall but the template was selected as Edge firewall, so I had to correct this template in TMG; that is why, before importing the configuration, you run the Getting Started wizard for the network and select the back-end firewall template. Once finished, do not proceed further with the other 2 options; click Close.
    5. Import the ISA configuration into TMG.
    6. In my case ISA had a network which was bound to the DMZ NIC; once you import, you will also find the same named network in TMG which was in ISA, but it will not be bound to any network card.
    7. In my case I had to use the same network range which I was using in ISA, so once you import the ISA configuration into TMG you will get the error that the IP already exists in TMG and the rule cannot be imported; that is why I first had to use a different network range in the perimeter network, and then the import was successful.
    8. Remove the IPs from the network in TMG which was imported or came from ISA.
    9. Give the same network range to the perimeter network and the same ISA IP to the DMZ NIC, but do not connect that NIC to the DMZ switch; connect it to your enterprise network, otherwise you will not be able to proceed. Why the enterprise network? Because you will change the network on web listeners and other rules from the ISA network to the TMG (perimeter) network.
    10. Change all web listeners and proxy or other rules which contain the ISA network and replace it with the perimeter network.
    11. Delete the network from TMG which was imported or came from ISA; if you get an error, that means it is still being used in some rules.
    12. Compare each and every thing between ISA and TMG.
    13. Shut down the ISA server and plug the TMG DMZ NIC into the DMZ switch; test the rules from outside and inside.
    It worked for me like a charm.
    Regards,
    SKHATRI

  • Migrating Standalone Grid Infrastructure Servers to a Cluster 11.2.0.1 Linux 5.9

    Hey guys! Hope you all are doing good
    I am kinda confused migrating my 11.2.0.1 Oracle Restart installation to a RAC two node (aim is to add a second node along with migrating the existing one to the cluster pool).
    Running on OEL 5.9 x86_64
    I see that we can switch the RAC mode from 'off' to 'on' and use the existing clusterware binaries. I am trying to follow the below Oracle documentation for linux
    6.2 Migrating Standalone Grid Infrastructure Servers to a Cluster
    http://docs.oracle.com/cd/E11882_01/install.112/e41961/rem_orcl.htm#CWLIN347
    In this document, I have completed step 5 which is de-configuring Oracle Restart. All smooth.
    The problem starts here. Next step 6 says
    Prepare the server for Oracle Clusterware configuration, as described in this document. In addition, choose if you want to install Oracle Grid Infrastructure for a Cluster in the same location as Oracle Restart, or in a different location:
    You would have noticed that there's a note which says that the process uses config wizard which is available with rel 11.2.0.2 or later. Mine's 11.2.0.1.
    From the doc
    Note:
    This procedure uses Oracle Clusterware Configuration Wizard, available with release 11.2.0.2 and later.
    So how do I proceed from here? Can the existing binaries be used? If yes, how? Can't find much information. Thanks for your valuable time.
    I hope I am not missing anything..
    Warm Regards
    Abhishek

    Hello,
    Then why do they say, for example here, the following:
    The Oracle GSD (Global Service Daemon) process, ora.gsd, is typically offline. You must enable Oracle GSD manually if you plan to use an Oracle 9i Real Application Clusters database on the Oracle Clusterware 11g release 2 (11.2) cluster.
    ???

  • Migration from Compensation Mgmt to Enterprise Compensation

    Hi all,
    Have you done a migration from Compensation Management to Enterprise Compensation?
    In the help document, it states "for more info, see also the related section in the release note of Enterprise Compensation Mgmt".
    Could anyone point me to that place? I can't find it.
    Thanks so much.
    Brgds,
    SP

    What version are you on? ECM was introduced in 47 ext2, and this is the Release Note for it: http://help.sap.com/saphelp_47x200/helpdata/en/2d/193bb5928881479cad1557aa5bc6b8/content.htm. As far as I know, the config for ECM has to be done from scratch; I don't know if you can migrate from CM to ECM. Maybe the Budgeting part, but the Admin part like the review, plans, items etc. has to be redone. Three new infotypes have been introduced, but I believe CM & ECM can co-exist.
    ~Suresh

  • Direct Access Migration of Root CA

    We have a Domain Controller "DC01" which has the Enterprise Certificate Services role installed, and the CA on this Domain Controller is named "DC01".
    The CDP location on the CA "DC01" is <servername>, so effectively it's LDAP://DC01 (only LDAP is published on the certificates, no http etc.).
    The CA "DC01" issues the version 1 "Computer" certificates with AutoEnrollment to all clients, and all our internal clients and external clients have a "Computer" certificate from CA "DC01".
    Now we have a UAG SP3 server with Direct Access, and all our clients connect successfully with Direct Access as it's set up now.
    In the UAG configuration (wizard), on the IPsec Certificate Authentication screen, for the option "Use a certificate from a trusted root CA" the "DC01" Root CA certificate is selected.
    As per Microsoft best practices we want to move the Enterprise Certificate Services to a new member server "CS01" and effectively create a new Root CA "CS01".
    As we use the version 1 "Computer" certificate template, we cannot select "reenroll all certificate holders",
    so the idea is to duplicate the "Computer" certificate template as a v2 template that supersedes the version 1 Computer template; this effectively replaces all current Computer certificates based on the old v1 Computer template on the clients.
    Then all clients get a new "Computer" certificate from the new Root CA, but in the UAG Direct Access configuration, under "IPsec Certificate Authentication" / "Use a certificate from a trusted root CA", the old "DC01" Root CA certificate is still selected.
    Question 1: will this lock out clients that have a new Computer certificate from the new Root CA while the UAG Direct Access configuration still uses the Root CA certificate from the old DC01 CA?
    Another idea is NOT to supersede the version 1 Computer certificate but to AutoEnroll the new v2 duplicated Computer template.
    This means that clients will have a Computer certificate from the old CA "DC01" but also a Computer certificate from the new CA "CS01".
    Question 2: can a client have 2 computer certificates (1 from the old DC01 CA and 1 from the new CS01 CA) and connect with Direct Access, and will this still work?

    Yes, the clients will still connect with two different certificates. I haven't had your exact situation before, but I have had to deal with a CA server that died, and we had to replace it with a new one. We stood up a new CA, issued "Computer"
    certificates again from the new CA (the old certs still existed on all the client computers) - and then switched the UAG settings over to the new root CA. This worked.
    I do recommend deleting the old certificates from the client computers if possible, so that there is no potential for conflict down the road, but the above scenario worked fine for us and I have also worked with numerous companies that have multiple machine-type
    certificates on their client computers and as long as they have one which meets the DA criteria and chains up to the CA that is active in the UAG config, it'll build tunnels.

  • Migrate standalone Essbase Users/groups

    Hi,
    Can you please walk me through the steps required to migrate the standalone Essbase application users/groups between environments.
    As I know, the migration wizard does not allow users/groups to migrate when security is in Shared Services mode. Please help.
    Thanks,
    Pr

    There are a few things you left off:
    1) v11 or before
    2) Shared Services or not externalized
    If #1, then check out LCM -- it is awesome and will be the answer to your prayers.
    If #2, and Shared Services, you need to look at the Shared Services import/export utility to get groups out, and move them to your new target.
    If #2, and non-externalized security, MaxL can create the groups/user security you need at the target.
    Regards,
    Cameron Lackpour

  • For migration/upgrade of MOSS 2007 Enterprise to SharePoint 2013: system specification for the new environment

    We have an installation of MOSS 2007 Enterprise in production right now with SQL Server 2008 SP3 and Nintex Workflow 7.
    We need to migrate and upgrade to SharePoint 2013. What system specifications do we need to upgrade to SharePoint 2010 and SharePoint 2013?

    A third party tool carries the advantage of being free of infrastructure requirements. If you don't have the budget for this, then you'll need to "double-hop" from SharePoint 2007 into SharePoint 2010 and then on to 2013.
    The jump from 2007 to 2010 is likely to be the most painful. As John mentions, any customisations and third party additions to your MOSS farm will need to be addressed as well.
    Steven Andrews
    SharePoint Business Analyst: LiveNation Entertainment
    Blog: baron72.wordpress.com
    Twitter: Follow @backpackerd00d
    My Wiki Articles:
    CodePlex Corner Series
    Please remember to mark your question as "answered" if this solves (or helps) your problem.

  • Papi standalone to communicate with enterprise

    Could anyone let me know whether we can write a standalone PAPI client in a Windows environment to communicate with Enterprise 10gR3 BPM deployed on a WLS server in a Unix environment?
    I have written a standalone PAPI client to communicate with Enterprise 10gR3 BPM deployed on a WLS server in a Unix environment. I got the error below. Thanks in advance.
    I have added the respective directory.xml and engine.properties.
    fuego.connector.ConnectorException: Connector [__internal__:J2EE:LOCAL_J2EE] caused an exception when getting a resource of type [1].
    Detail:Connector [__internal__:J2EE:LOCAL_J2EE] caused an exception when getting a resource of type [1].
    at fuego.connector.ConnectorException.exceptionOnGetResource(ConnectorException.java:95)
    at fuego.connector.ConnectorTransaction.getResource(ConnectorTransaction.java:324)
    at fuego.connector.ConnectorTransaction.getResource(ConnectorTransaction.java:298)
    at fuego.connector.J2EEHelper.getContext(J2EEHelper.java:35)
    at fuego.connector.impl.BaseRemoteConnector.getContext(BaseRemoteConnector.java:89)
    at fuego.connector.impl.BaseRemoteConnector.getReferencedObject(BaseRemoteConnector.java:114)
    at fuego.connector.impl.BaseRemoteConnector.getReferencedObject(BaseRemoteConnector.java:107)
    at fuego.connector.impl.RemoteJDBCConnector.getConnection(RemoteJDBCConnector.java:75)
    at fuego.connector.impl.RemoteJDBCConnector.getConnection(RemoteJDBCConnector.java:64)
    at fuego.connector.impl.RemoteJDBCConnector.getResource(RemoteJDBCConnector.java:147)
    at fuego.connector.ConnectorTransaction.getResource(ConnectorTransaction.java:319)
    at fuego.connector.ConnectorTransaction.getResource(ConnectorTransaction.java:298)
    at fuego.directory.jdbc.JDBCConnectionProvider.getEntry(JDBCConnectionProvider.java:75)
    at fuego.directory.jdbc.JDBCConnectionProvider.getEntry(JDBCConnectionProvider.java:34)
    at fuego.directory.provider.jdbc.JDBCPersistenceManager.getConnection(JDBCPersistenceManager.java:443)
    at fuego.directory.provider.jdbc.JDBCPersistenceManager.checkConnectivity(JDBCPersistenceManager.java:91)
    at fuego.directory.provider.DirectorySessionImpl.connect(DirectorySessionImpl.java:242)
    at fuego.directory.provider.Factory.startSession(Factory.java:405)
    at fuego.directory.provider.jdbc.j2ee.RemoteJdbcDirectoryFactory.startSession(RemoteJdbcDirectoryFactory.java:122)
    at fuego.directory.Directory.startAnonymousSession(Directory.java:214)
    at fuego.papi.impl.ProcessServiceFactoryImpl.obtainSchemaId(ProcessServiceFactoryImpl.java:200)
    at fuego.papi.impl.ProcessServiceFactoryImpl.create(ProcessServiceFactoryImpl.java:75)
    at fuego.papi.impl.ProcessServiceFactoryImpl.create(ProcessServiceFactoryImpl.java:63)
    at fuego.papi.ProcessService.create(ProcessService.java:335)

    My error was resolved with correct directory.xml. Thanks.

  • Existing two-tier enterprise online to two tier, root offline

    I have gone through many standalone-to-two-tier discussions/forums, but found nothing conclusive on this topic.
    I have inherited an online two tier architecture, and would like to implement some best practice work:
    the first step is to place the root CA offline. Based on what I have read I can do that by backing up the current enterprise online root CA.
    Then install a new root standalone CA on VirtualBox (switching to virtual) and use the online CA's public key and the same hostname to install the standalone. Make sure CRLs are placed on a reachable network drive and so on...
    The issuing CA will be the same. Nothing will change... other than adding additional ones later on.
    Did I get this correct? Or will I have to reissue the root CA and have it be trusted on all firewalls/load balancers, etc. and reissue? Also, we are pushing to two factor authentication with AD and cert based, and I need to make sure I have my back-end ready.
    If I go ahead early and implement user cert templates with the current architecture, can I take the root offline later and everything will still be intact?

    In a properly deployed PKI, the offline root CA is offline from build time. You should not be converting an enterprise root CA to a standalone root CA (how do you guarantee that the private key was not compromised prior to transition).
    There is no way this would pass any form of audit (for example).
    It sounds like you are early in the process, I recommend that you start over again and do it with a proper offline root CA.
    Follow the steps in this link: http://technet.microsoft.com/en-us/library/hh831348.aspx
    Brian

  • How to offline an Enterprise Root CA

    For internal PKI, I'm a big fan of using Enterprise vs. Stand-alone, for simplicity and ease of management. The problem is, I just can't find definitive answers on how to properly offline it. Most people say to not bother, and their justifications
    are vague and nebulous. My Enterprise CAs are NOT DCs. I've given this a lot of thought, and these are the things I think need to be considered...
    If you take the Enterprise root CA offline, you'll need to consider three things:
    1. Change the Enterprise root CA's CRL publication interval to be longer than the periods for which the Enterprise root CA will be offline, and also probably disable delta CRLs on the Enterprise root CA for simplicity and ease of management. When you do boot the Enterprise root CA, be sure to publish a new CRL from it into AD.
    2. Make sure the Enterprise root CA isn't needed for anything but:
     a. The initial, one-time loading of the root certificate into AD for automatic distribution to clients by ADDS.
     b. Creating certificates for the subordinate/issuing CAs.
     c. Publishing the Enterprise root CA's CRL to AD for reading by the clients.
    Is there anything else the Enterprise root CA needs to be online for?
    3. By default, every computer account password expires every 30 days. This won't be a problem because when you boot the Enterprise root CA, it'll just change its computer account password if it has expired.
    So, having said all of that, should I offline the Enterprise root CA? If not, why?

    On Mon, 17 Feb 2014 08:14:20 +0000, Daniel L. Benway wrote:
    The real question is whether or not I can or should shut down the Enterprise root CA after it has published the root certificate to AD, after I've created the sub/issuing CAs, and after I've published the root CA's CRLs to AD and changed the root
    CA's CRL intervals to appropriate values.
    Brian did answer your question. A PKI is all about trust, and the root of
    that trust is the private key material of the root CA. The reason one
    deploys a standalone, offline root CA in the first place is to reduce
    the possibility of an attack against the root CA's key material and the
    accepted method to reduce that attack surface is to ensure that the root CA
    is never attached to a network. That does not mean attach it to the
    network for a while and then periodically afterwards, never means
    never. The minute you attach the root CA to a network, you've reduced the
    trust level and once a trust level is reduced, it cannot be increased
    without redeploying.
    Brian and I have both seen the argument that an offline Enterprise root is
    easier to manage than an offline Standalone root and in practice, that
    simply isn't the case:
    1. Publishing the root CA certificate and CRL of an Enterprise root is, as
    you point out, automatic, however, transferring the certificate and CRL via
    removable media and then using certutil, given the infrequency of those
    operations is a trivial procedure. Operationally you gain very little by
    using an Enterprise root here, and taking advantage of the automatic
    publication requires that the root be put on the network which defeats the
    purpose of keeping it permanently offline in the first place.
    2. Since the only certificates that a root should be issuing are for SubCAs
    the advantage you get with an Enterprise root being able to use certificate
    templates is pointless.
    3. Any management functions or benefits you may be able to realize by
    having the root joined to AD are obviated by the fact that you're planning
    on having it offline and disconnected in the first place.
    The bottom line here is that any perceived advantage of having an offline
    root being an Enterprise CA as opposed to a Standalone root is defeated by
    the simple fact of having it attached to the network at any point in its
    lifetime. Security and trust trump ease of management in this case and as I've pointed out the actual ease of management versus the perceived ease of management is minimal at best.
    Paul Adare - FIM CM MVP
    Minds are like paragliders. They work best when open.
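The manual publication step Paul describes, as an added example that is not part of the original thread: run on a domain-joined administrative workstation (as an Enterprise Admin) after the root's certificate and CRL were carried over on removable media. The file paths and CA name are assumptions.

```powershell
# Added example (not from the original post): publish an offline standalone root CA's
# certificate and CRL into AD with certutil, with a few sanity checks first.
# Paths and the CA name are assumptions; adjust to your own transfer medium.
$RootCert = 'E:\transfer\ContosoRootCA.crt'   # assumed: copied from the offline root
$RootCrl  = 'E:\transfer\ContosoRootCA.crl'   # assumed: copied from the offline root

foreach ($f in $RootCert, $RootCrl) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# Refuse to publish anything that is not a self-signed, unexpired root certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCert
if ($cert.Subject -ne $cert.Issuer) { throw "$RootCert is not self-signed; not publishing it as a root" }
if ($cert.NotAfter -lt (Get-Date))  { throw "Root certificate expired on $($cert.NotAfter)" }
"Publishing root '$($cert.Subject)' thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Show the CRL's validity window: NextUpdate must lie beyond the root's next planned boot,
# otherwise clients will hit an expired CRL while the root is powered off.
certutil -dump $RootCrl | Select-String 'ThisUpdate|NextUpdate'

# Root certificate -> Certification Authorities container (trusted root for all domain members).
# -f creates the AD objects if they do not exist yet.
certutil -dspublish -f $RootCert RootCA

# CRL -> CDP container. If the root's CDP container does not exist yet, append the
# root CA's host name as an extra argument so certutil knows which container to create.
certutil -dspublish -f $RootCrl

# Verify what this machine now sees in the enterprise (AD-sourced) root store
certutil -enterprise -store Root | Select-String 'Subject:|NotAfter'
```

The same `-dspublish` pair is what you repeat each time the root is booted to sign a new CRL, which is the whole recurring workload of an offline root.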

  • How to edit SubCA duration on a Standalone AD Root CA?

    I have a standalone Root CA built on 2012 R2 and also built a separate standalone Subordinate CA on 2012 R2. I have set the Root CA duration to 20 years and now want the Root CA to sign the Sub CA request file. I have done it successfully, but the duration of the Sub CA cert is only one year. Is it possible to make a change somewhere on the standalone Root CA so that the Sub CA has a duration of, say, 15 years when it is signed by the standalone Root CA?

    At first, I wouldn't make any CA with a validity longer than 10 years without a reason. Technologies now change rapidly, and it is unlikely that a CA certificate will live more than 10 years with current settings.
    I'm assuming the root CA is a Standalone CA; then on the root CA you need to run the following commands:
    certutil -setreg ca\validityperiodunits 15
    net stop certsvc && net start certsvc
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell File Checksum Integrity Verifier tool.
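As an added example (not from the original answer), the same registry change wrapped in a check that the requested period actually fits inside the root certificate's remaining lifetime, since a CA silently truncates anything it issues to its own NotAfter. The 15-year value and the temp path are assumptions.

```powershell
# Added example, not from the original post: set the validity a standalone root CA will
# apply to the subordinate CA certificate, after checking it against the root's own expiry.
$WantedYears = 15   # assumed target validity for the sub CA certificate

# Export the root CA's current certificate from the running CA and inspect it
$tmp = Join-Path $env:TEMP 'rootca.cer'
certutil -ca.cert $tmp | Out-Null
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
$remaining = $root.NotAfter - (Get-Date)
"Root CA certificate expires $($root.NotAfter) ($([int]$remaining.TotalDays) days left)"

if ($remaining.TotalDays -lt ($WantedYears * 365)) {
    Write-Warning "A $WantedYears-year sub CA cert would be truncated to the root's expiry; renew the root first or choose a shorter period."
}

# Current values: a fresh standalone CA defaults to Years / 1, which is why the
# sub CA certificate in the question came out with a one-year lifetime
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits

# Apply the new period and restart the CA service so it takes effect
certutil -setreg ca\ValidityPeriod Years
certutil -setreg ca\ValidityPeriodUnits $WantedYears
Restart-Service certsvc

# Confirm the running configuration before submitting the sub CA request
certutil -getreg ca\ValidityPeriodUnits
```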

  • Migrating root CA from 2003 to 2012 R2

    Hi all, I have a couple of questions about migrating a root certificate authority from Server 2003 to Server 2012 R2. I've been reading the following link, which is pretty comprehensive except for a couple of small things....
    technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
    1) I would like to use a different server name, which seems fairly straightforward with some changes to the registry on the destination server. I understand though, and can see, that all certificates currently issued by the CA have a CRL Distribution Point of ldap:// CN=<<name of CA>>,CN=<<name-of-current-server>>,DN=CDP,CN=Public Key.
    It's the CN=<<name of current server>> part that bothers me. Will revocation checks still work if the name of the CA server changes, i.e. will it still work on account of the <<name of CA>> part remaining the same?
    2) I read something about issues going from a 32-bit platform to a 64-bit platform. Is that applicable to in-place upgrades only, or something I should be considering during the migration process?
    Thanks

    Hi,
    The computer name, (hostname or NetBIOS name), does not have to match that of the original CA. However, the destination CA name must match that of the source CA. Further, the destination CA name must not be identical to the destination computer name.
    Please go through the below article to do CA migration:
    Active Directory Certificate Services Migration Guide for Windows Server 2012 R2
    http://technet.microsoft.com/en-us/library/dn486797.aspx
    Hope this helps.
    Regards,
    Yan Li

  • Migrating root file systems

    I've googled around for this a bit, and searched the forums, but haven't quite found what I thought was a good guide for migrating my root filesystem. I've about decided I want to get off reiserfs; move over to ext3 (with the idea of upgrading ext4 later, I suppose). Is there a simple howto on accomplishing this? I run my system on top of LVM, so it's no big deal to create a new logical volume for the new root; I guess I'm just looking for the cp or tar incantation that will copy the appropriate data over, and avoid copying stuff like /dev that I don't imagine should be copied...

    I think this sort of thing might be safer using a live cd, then you don't have to worry about these special directories. Just 'cp -a'. So far as I know you still need a few entries in /dev (which this method will preserve), and don't forget to adjust grub and /etc/fstab.

  • ADCS - ROOT CA domain member ?

    Hello,
    I have installed a Root CA (Standalone) and a Sub CA (Enterprise) in my company and all is working well.
    But I just saw that it is not recommended to have the Root CA as a domain member. What can I do to fix that?
    (Is it a real problem?)
    Thank you,

    On Wed, 5 Feb 2014 09:18:09 +0000, stickman93400 wrote:
    I finally decommissioned my ADCS servers by following this walkthrough:
    http://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx
    First of all, it is kind of unfortunate that you went through this exercise
    as it really wasn't necessary. Given the fact that you'd initially
    installed your root as a Standalone root, you could have simply followed
    one of the migration guides whereby you simply back up all of the AD CS
    related stuff (database, logs, private key, registry templates published at
    the CA), remove the AD CS role, remove the computer from the domain,
    reinstall and configure the role using the same certificate and private,
    restore the database and everything else.
    But I was unable to do step 5, parts 3 and 4, and the command line ldifde -r "cn=<CACommonName>" (of course I put in my CACommonName and my AD configuration).
    We can't help you with this unless you're more specific. What was the exact
    command line you used? What error or errors were reported when you ran the
    commands?
    And I have not done step 9, I was scared. Can "certutil -dcinfo deleteBad" cause trouble? Do I need to do it on all my DCs?
    No, it won't cause trouble and needs to be done. If you don't do this you
    will have trouble as your DCs won't get certificates from your new PKI as
    long as their existing certificates are still time valid. You do not need
    to run it on all your DCs, in fact, it doesn't need to be run on a DC at
    all, it just needs to be run on a domain joined computer.
    Paul Adare - FIM CM MVP
    "High fat emulsified offal tube", thank y'very much. -- Lionel about
    sausage
