Setting up an additional Enterprise CA on my Domain

Joy Qiao 4,886 Reputation points Microsoft Employee
2020-07-14T09:38:23.487+00:00

I have a Microsoft Enterprise CA server running on Server 2012 R2 on my domain (AD Certificate Services). The Certification Authority was migrated some years ago from an old Server 2013 box that was decommissioned.

The current CA uses SHA1 and needs moving to SHA256. Having researched this, our current Cryptographic Provider is "Microsoft Strong Cryptographic Provider". I understand the process of moving to SHA256 involves backing up the current CA (inc. private key), deleting these keys, and moving to SHA256, including restoring root CA certificates, as per https://www.petenetlive.com/KB/Article/0001243

I have very limited knowledge of installing and managing CAs, but I have fallen at the first hurdle, as backing up the current CA will not allow backing up of the private key and CA cert (message "windows cannot backup one or more private keys because the csp does not support key export").

I have seen suggestions in some posts that it would be easier to create a new Enterprise CA, migrate services towards this over a period of time, and then decommission the older CA.

Does anyone have a view on this? In particular, can AD have multiple CAs in the same domain, and presumably each CA would need to be on a different server? Would a newly installed CA by default be based on SHA256? What would be the correct sequence to set up the new CA, re-point my hosts, etc.? My certificate policy templates are published in "Active Directory Enrollment Policy". Is what I am proposing possible, as I would potentially have different certificate templates for each CA?

Thread source link: https://social.technet.microsoft.com/Forums/windowsserver/en-US/b86eddec-0d2c-4445-809e-f8d6ef05dfce/setting-up-an-additional-enterprise-ca-on-my-domain?forum=winserver8setup


Accepted answer
2020-07-14T09:43:46.177+00:00

Hi,

Welcome to our new Microsoft Q&A Platform.

Q: If this is not available, do you think a new CA is the way forward?
A: Yes, if it is not available, we should set up a new CA structure.

Q: Any new CA would be based on Server 2012 R2. Would I have the option of selecting SHA256 during the CA configuration?
A: Yes, there is an option we can choose during the configuration, shown below.
[screenshot not available]

Reference:
ADCS Step by Step Guide: Single Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

Best Regards,
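As an added example that is not part of this thread or of the referenced TechNet guide: the PowerShell sequence below shows the checks and the install step that the question and the accepted answer describe. It reads the existing CA's provider and hash settings (which is where the "csp does not support key export" situation and the SHA1 signing come from), lists every Enterprise CA already registered for enrollment in the forest together with the signature algorithm of its published certificate and the templates it issues (which answers whether one domain can carry several CAs side by side), and then installs a second Enterprise CA with SHA256 and a CNG key storage provider selected explicitly rather than relying on wizard defaults. The CA names, host name and validity period are assumptions and must be replaced; the example builds a single-tier root like the referenced guide, so for a subordinate CA `-CAType EnterpriseSubordinateCA` would be used instead.

```powershell
# Added example, not code from the original thread. Assumed names:
# OLDCA01 / "Contoso-Old-CA" for the existing SHA1 CA and
# "Contoso-Issuing-CA-2" for the new SHA256 CA. Run in an elevated
# PowerShell on the server that will host the new CA, as an Enterprise Admin.

$OldCaConfig = 'OLDCA01.corp.contoso.com\Contoso-Old-CA'   # assumed
$NewCaName   = 'Contoso-Issuing-CA-2'                       # assumed

# --- 1. What is the existing CA actually using? ---------------------------
# CA\CSP\Provider shows whether the CA key lives in a legacy CSP (such as
# "Microsoft Strong Cryptographic Provider") or a CNG KSP. A legacy CSP
# stores its hash as a CALG_* integer in HashAlgorithm (0x8004 = SHA1);
# a KSP stores a name in CNGHashAlgorithm (for example SHA256).
certutil -config $OldCaConfig -getreg CA\CSP\Provider
certutil -config $OldCaConfig -getreg CA\CSP\HashAlgorithm
certutil -config $OldCaConfig -getreg CA\CSP\CNGHashAlgorithm

# --- 2. Which Enterprise CAs does the forest already publish? ---------------
# Every Enterprise CA registers a pKIEnrollmentService object under
# Enrollment Services; several CAs in one domain or forest coexist here.
# The published cACertificate reveals the signature algorithm clients see.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
Get-ADObject -SearchBase $base -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -Properties dNSHostName, cACertificate, certificateTemplates |
  ForEach-Object {
    $raw = $_.cACertificate
    # cACertificate is multi-valued: unwrap the first byte[] if AD returned a collection
    if ($raw.Count -gt 0 -and $raw[0] -is [byte[]]) { $raw = $raw[0] }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    [pscustomobject]@{
      CA        = $_.Name
      Host      = $_.dNSHostName
      SigAlg    = $cert.SignatureAlgorithm.FriendlyName   # sha1RSA vs sha256RSA
      NotAfter  = $cert.NotAfter
      Templates = ($_.certificateTemplates -join ', ')    # templates this CA issues
    }
  } | Format-Table -AutoSize

# --- 3. Install the second Enterprise CA with SHA256 and a CNG KSP. ---------
# Every cryptographic setting is passed explicitly so the result does not
# depend on what the configuration wizard happens to preselect.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $NewCaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# --- 4. Confirm the new CA signs with SHA256 and answers requests. ----------
certutil -getreg CA\CSP\CNGHashAlgorithm                   # expect SHA256
certutil -config "$env:COMPUTERNAME\$NewCaName" -ping
# Re-run step 2 afterwards: both CAs should now be listed, the old one with
# sha1RSA and the new one with sha256RSA, each with its own template set.
```

Step 2 is also the place to watch during the migration: as templates are unpublished from the old CA and published on the new one, the Templates column shows which CA still answers for which template, and the SigAlg column confirms that hosts re-pointed at the new CA receive SHA256-signed chains.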
