Hi Samna,
Thanks for the post.
What is the main purpose of the CA in your environment? To issue certs to internal applications? Some orgs might have a CA but don't actually use it. Hence asking. :)
Considering that, security-wise, the Root CA would be in the cloud and exposed compared to the on-prem physical machine, should we change to one tier instead? Is that even an option for our setup? If so, do you know of a step-by-step document?
Still, it's recommended to go with a two-tier setup. I have done the CA in a hybrid model, where the offline CA is kept secured on on-prem Hyper-V. Not tried with an Azure VM, but it should be possible while keeping it in the disconnected state or with tighter NSG / firewall rules.
We would have different names and IPs in Azure, but reading the MS documents, it appears the names and IPs can be different. Just wanted to know if anyone has performed the migration with new names and IPs?
Just keep the CA name; the hostname/IP can be changed. You also need to take a registry backup and restore it for the CRL and other settings.
Is there an up-to-date, reliable step-by-step document when it comes to two-tier migration? We can see some older documents that apply to Server 2012, not newer versions.
I have used this link. Have a look:
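As an added illustration of the backup/restore step described in the reply above (keeping the CA name while the hostname/IP changes, and carrying the CertSvc registry configuration with its CRL settings across), here is a PowerShell script that is not part of the original thread or any Microsoft document. The backup path, the password prompt, and the file names are assumptions; the cmdlets (`Backup-CARoleService`, `Restore-CARoleService` from the ADCSAdministration module) and the `certutil` / `reg` commands are standard Windows tooling.

```powershell
# Added example, not from the thread. Run the Backup section on the old CA host
# and the Restore/Verify section on the new host after the AD CS role is installed
# with the SAME CA name. Paths below are assumed placeholders.
Import-Module ADCSAdministration

$BackupRoot = 'C:\CABackup'          # assumed staging folder; move it off-host securely
$RegKey     = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Backup-CaForMigration {
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

    # 1. CA database plus CA certificate/private key (key export is password protected)
    $pw = Read-Host -AsSecureString -Prompt 'Password to protect the exported CA key'
    Backup-CARoleService -Path $BackupRoot -Password $pw

    # 2. CertSvc configuration: CRL/AIA publication URLs, validity periods, templates
    reg export $RegKey "$BackupRoot\CertSvc-Configuration.reg" /y

    # 3. Record the CA name and CRL publication URLs so they can be compared after restore
    certutil -cainfo name                 | Out-File "$BackupRoot\CAName.txt"
    certutil -getreg CA\CRLPublicationURLs | Out-File "$BackupRoot\CRLPublicationURLs.txt"
}

function Restore-CaFromMigration {
    # Restore database and key, then the saved registry configuration
    $pw = Read-Host -AsSecureString -Prompt 'Password used when the CA key was exported'
    Restore-CARoleService -Path $BackupRoot -Password $pw -Force
    reg import "$BackupRoot\CertSvc-Configuration.reg"
    Restart-Service CertSvc
}

function Test-CaMigration {
    # The CA name must be identical on both hosts; the hostname may differ.
    $old = (Get-Content "$BackupRoot\CAName.txt" | Select-String 'CA name:').ToString()
    $new = (certutil -cainfo name | Select-String 'CA name:').ToString()
    if ($old -ne $new) { throw "CA name mismatch: old='$old' new='$new'" }

    # CRL distribution points must still resolve from clients, otherwise revocation
    # checking fails for every certificate this CA has issued.
    certutil -getreg CA\CRLPublicationURLs
    certutil -CRL                     # publish a fresh CRL from the migrated CA
    $caCert = "$env:SystemRoot\System32\CertSrv\CertEnroll\$env:COMPUTERNAME*.crt"
    Get-ChildItem $caCert | ForEach-Object { certutil -verify -urlfetch $_.FullName }
}

# Usage:
#   Backup-CaForMigration      # on the source CA
#   Restore-CaFromMigration    # on the Azure VM, after installing the CA role
#   Test-CaMigration           # on the Azure VM, before cutting clients over
```

The `Test-CaMigration` step is the check worth adding to any migration runbook: if the CA name drifts, previously issued certificates no longer chain to the migrated CA, and if the CRL URLs embedded in issued certificates point at an on-prem path that is no longer reachable from the new location, revocation checking (and therefore authentication for any application that enforces it) starts failing even though the CA itself is healthy.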