Deploy new certificates before revoking old ones

-

i'm deploying new ca.  during migration i'd make sure has new certs before revoke old ca's certs.  wanted make sure work.

i want make transition seemless of our users.  hoping "reenroll" new server without removing old ones.  work or maybe creating new template?

i not completelly sure want do:

say have oldca. has own signing oldcacert. , say, installing newca , understand using different newcacert signing new certificates.

and understand there users using certificates issued , signed oldcacert.

once revoke oldca, certificates signed oldcacert automatically invalid well. solution enroll users newca.

i go way:

a) install newca newcacert

b) remove certificate templates oldca

c) configure newca issue same templates oldca

d) select reenroll certificate holders on required certificate templates

e) leave oldca operational until either sure issued certificates expired or users have new alternative

f) consider whether must revoke oldcacert. think making crl publication interval long enough go on validity, published it and stop service.

ondrej.



Windows Server  >  Security



Comments

Post a Comment

Popular posts from this blog

Schannel Issue

-
hello there, i have windows 2008 r2 machine. , have hosted sharepoint 2010 on it. i have site have published on internet. i don't know whether it's related , getting error unable resolve or come conclusion. it's pretty frequent. my server patched latest updates. log name:      system source:        schannel date:          8/12/2011 3:49:43 pm event id:      36887 task category: none level:         error keywords:      user:          system computer:      mycomp.domain.com description: following fatal alert received: 42.   the above error doesn't provide info . could please me identify issue , possible solution ? there have been lot of posts one. i believe can safely ignored...
Read more

Indexing Server

-
just quick question - 2008 have indexing server? can't see option - , want setup web based search engine using indexing server catalogs , asp.net....   it availble? does not based on - http://technet2.microsoft.com/windowsserver2008/en/library/82bac070-bee4-452e-a783-3ce31b5e1d0f1033.mspx?mfr=true Windows Server  >  Management
Read more

oclist /xml or /?

-
oclist have qualifiers? can behaviour changed, example output xml?   given previous comments andrew m , comments in forums , blogs think answer no, it’s simple app calling underlying api, thought i'd ask can't seem find anything.   why asking question? i'd @ least 2 things oclist (apart nicer looking output [which i'm not going get], dependances listed [dicussed in forum , ruled out], , refrushing add ad componets , telling use dcpromo [which in banner know]): - whether installing component cuase / require reboot (currently believe qwave , printing services require reboot)   - xml output, can't justify team looking see if can commality with full server   fwiw :j   hi,   oclist not have qualifiers or ways change output. when iis came in late, make oclist output longer, unfortunately late make significant changes.   i'll take feedback , add our list next version.   thanks,   andrew   ...
Read more