question

0 Votes
Ivarious-9509 asked · Ivarious-9509 commented

Move to new CA

Hi,

We have a Certificate Authority that we would like to migrate. Current OS: Windows Server 2012R2
We would like to migrate the CA to a new VM with Windows Server 2019. But when exporting the CA we get the following error: "Windows cannot back up one or more private keys because the CSP does not support key export".

The certs are only issued to clients and servers. (Computer (machine), Domain Controller Authentication, Kerberos Authentication)

  • I installed the CA role on the new Server 2019 machine and configured a new root CA.

  • I removed the certificate templates from the old CA server.

I see that new clients are getting their certs from the new CA server. Is there a way we can force the clients with certs from the old CA to renew, so that they also receive a new cert from the new CA? Or do we simply need to wait until the old certs have expired?

Would like to know when we can fully uninstall the old cert server.

Thanks in advance!





windows-server-security

Are you using autoenrollment to distribute computer certificates?

0 Votes

By GPO they have set the following in the Default Domain Policy:

Automatic certificate management - Enabled
Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates - Enabled
Update and manage certificates that use certificate templates from Active Directory - Enabled

Automatic Certificate Request:
Computer
Enrollment Agent (Computer)

0 Votes

1 Answer

0 Votes
LimitlessTechnology-2700 answered · Ivarious-9509 commented

Hi there,

If clients are using v2 or newer templates, this can be done at the template level. But doing this will trigger all clients to renew early. In the GPO setting where you enabled Auto-Enrollment, did you also check the optional box "Upgrade certificates that use templates"? If so, then in the certtmpl.msc interface, right-click the template you want clients to renew, and select "Reenroll all existing certificate holders".

Make sure the template is only available on the new CA (removed from the old one); otherwise enrollment will randomly choose which CA to use.

You can also follow the steps as per the thread https://social.technet.microsoft.com/Forums/en-US/23a990ed-6c07-4948-acf1-54aaca82e2d1/force-windows-machines-to-reenroll?forum=winserversecurity



If the reply is helpful, please Upvote and Accept it as an answer


Excuse me for the late reply (had a few weeks off).

Thank you for your helpful information!

I have the GPO setting for 'Update certificates that use templates' on. Only my certificate template is schema version 1 and not 2. Is there a way I can upgrade this or so?

My steps now:
1. Install new Windows Server 2019 VM with CA roles installed
2. Create new RootCA
3. Delete the certificate templates from the old CA
(Computers should now renew and request certs from the new CA).
4. Find a way to 'force' current clients to renew certificates.


If there are any options to maybe 'upgrade' the cert schema version please let me know.
Thanks in advance!



0 Votes
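As an added example (not code from the thread or from Microsoft), the following PowerShell script supports the answer's re-enrollment approach and the asker's step 4: it inventories the local machine's certificates by issuing CA, reports which ones still chain from the old CA (with the template they came from), and optionally triggers an immediate autoenrollment pulse with `certutil -pulse` so the client picks up a replacement from the new CA without waiting for the scheduled autoenrollment run. The CA names `OLD-ROOT-CA` and `NEW-ROOT-CA` are placeholder assumptions; substitute the common names of your own CAs.

```powershell
# Added example, not from the thread. Inventories LocalMachine\My certificates by
# issuing CA and (with -Pulse) triggers autoenrollment so clients renew from the
# new CA. Run elevated on a domain-joined client or server.
param(
    [string]$OldCaName = 'OLD-ROOT-CA',   # placeholder: CN of the old (2012 R2) CA
    [string]$NewCaName = 'NEW-ROOT-CA',   # placeholder: CN of the new (2019) CA
    [switch]$Pulse                         # actually trigger autoenrollment
)

$store = Get-ChildItem -Path Cert:\LocalMachine\My

# Issuer is a DN string such as "CN=OLD-ROOT-CA, DC=example, DC=com"
$oldPattern = 'CN=' + [regex]::Escape($OldCaName)
$newPattern = 'CN=' + [regex]::Escape($NewCaName)
$fromOld = @($store | Where-Object { $_.Issuer -match $oldPattern })
$fromNew = @($store | Where-Object { $_.Issuer -match $newPattern })

# The template name lives in the 'Certificate Template Name' extension (v1
# templates) or 'Certificate Template Information' (v2 and newer templates)
function Get-TemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.FriendlyName -like 'Certificate Template*' }
    if ($ext) { ($ext | ForEach-Object { $_.Format($false) }) -join '; ' } else { '<none>' }
}

Write-Host ("Certificates from old CA '{0}': {1}" -f $OldCaName, $fromOld.Count)
Write-Host ("Certificates from new CA '{0}': {1}" -f $NewCaName, $fromNew.Count)

$fromOld | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        Template   = Get-TemplateInfo -Cert $_
    }
} | Format-Table -AutoSize

if ($Pulse -and $fromOld.Count -gt 0) {
    # certutil -pulse starts the autoenrollment task now instead of at its next
    # scheduled run. It only helps if the autoenrollment GPO from the thread is
    # applied and the template is published on the new CA only.
    Write-Host 'Triggering autoenrollment pulse...'
    certutil -pulse | Out-Null
    Write-Host 'Re-run this script after a few minutes to confirm new issuers.'
}
```

Run it first without `-Pulse` to see what is still issued by the old CA; once the count from the old CA reaches zero across the clients you care about, the old CA can be decommissioned. The pulse only requests certificates that autoenrollment considers due, so the template must have "Reenroll all existing certificate holders" applied (v2 or newer templates) or the old certificates must be within their renewal window for a replacement to be issued.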