Identifying Use of Certificate Authority

Max Demajo 1 Reputation point
2022-02-02T14:57:40.143+00:00

I have recently been charged with migrating our old 2x Server 2008 Domain Controllers to Server 2019. One of the domain controllers has the Certificate Authority role installed, which I have never touched before this. The old admins who used to "maintain" all this have left the organization now. Unfortunately, I do not know why this CA was ever even deployed or what function it is supposed to serve within our network.

When exploring this installed CA, I can see that all the certificates under the 'Issued Certificates' section are expired by over half a year. The only Requester Names listed for these certificates are our existing DCs (again, all expired). Given that all of these certificates are expired, this gives me the impression that nothing in the network is actively dependent on this CA.

The ideal situation here would be deploying the new DCs without any Certificate Authority at all and decommissioning the old AD/CA (although we do plan on deploying a CA again later on for RADIUS Wi-Fi).

My question here is, how can I ensure that this CA is currently not being used and can be safely decommissioned? Does all the certificates being expired 100% prove that this CA is currently useless and doing nothing?

We could migrate the CA role as well, but we would like to avoid this extra hassle if we can prove nothing is currently using it.

As a side note, we do have visibility on raw network traffic, so maybe there is something in particular we can look for within the packets that would indicate the CA is being used?

Thanks for your help


1 answer

  1. Limitless Technology 39,336 Reputation points
    2022-02-03T08:33:44.5+00:00

    Hello MaxDemajo,

    Initially, to keep the status quo of the environment, the process to migrate a CA is simple:

    On the original server:

    1. Back up the CA
    2. Back up the CA registry key
    3. Uninstall the CA role

    On the destination server:

    1. Install the CA role
    2. Configure the CA
    3. Import the CA certificate
    4. Modify the exported registry key’s Server Name entry with the name of the new server
    5. Stop the CA Service
    6. Import the modified Registry Key
    7. Restore the CA database
    8. Start up the CA Service
    9. Back up the Certificate Authority
    10. Open up the Certification Authority application

    I am also recommending the next official guide from Microsoft: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674


    --If the reply is helpful, please Upvote and Accept as answer--

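The migration steps listed in the answer above, sketched as PowerShell and `certutil` commands. This is an added example, not part of the original answer or of Microsoft's guide; the backup paths, the CA type (`EnterpriseRootCA`) and the new server's FQDN are assumptions to replace with your own values.

```powershell
# Added example; paths, CA type and host name are assumptions, not values from the page.
$BackupDir  = 'C:\CABackup'                    # assumed backup location
$RegFile    = Join-Path $BackupDir 'CAConfig.reg'
$CertSvcKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# ===== On the original server (elevated prompt) =====
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
# Back up the CA database plus the CA certificate and private key (prompts for a PFX password).
certutil -backup $BackupDir
# Back up the CA registry key.
reg export $CertSvcKey $RegFile /y
# Uninstall the CA role with Server Manager (Remove Roles), then copy $BackupDir
# to the destination server. The .p12 holds the CA private key: restrict access to it.

# ===== On the destination server (elevated prompt) =====
$NewServer = 'newdc01.corp.example'            # assumed FQDN of the new server
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Configure the CA with the existing certificate and key instead of generating new ones.
$Pfx    = Get-ChildItem -Path $BackupDir -Filter *.p12 | Select-Object -First 1
$PfxPwd = Read-Host 'PFX password' -AsSecureString
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile $Pfx.FullName -CertFilePassword $PfxPwd -Force

# Point the exported registry key's CAServerName value at the new server.
(Get-Content $RegFile) -replace '^"CAServerName"=".*"$', "`"CAServerName`"=`"$NewServer`"" |
    Set-Content $RegFile -Encoding Unicode

Stop-Service certsvc
reg import $RegFile
certutil -f -restoreDB $BackupDir              # restore the CA database
Start-Service certsvc

# Confirm the service answers, then take a fresh backup of the migrated CA.
certutil -ping
certutil -backup 'C:\CABackup-Migrated'        # assumed path for the post-migration backup
```

Once the new CA is confirmed working, remove the copied `.p12` and old backup folder from any location that is not access-controlled, since they contain the CA private key.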