Migrating a subordinate Server 2003 CA
Just as is the case with a root CA, depending on your configuration, migrating a subordinate CA running Server 2003 can be straightforward or rather complicated.
April 17, 2015
As mentioned in the previous post, the trick around CAs is that the certificates they issue depend heavily on the name of the CA staying constant. It isn’t like a file server where you can move the files and just point everyone at the new share. If anyone is still using the certificates that the CA issued, then they are going to still need access to the CRL distribution point at a minimum. The CRL distribution point is written into each certificate when it is issued. Unless you’ve been planning to move your CRL distribution point for some time (and if you were good at planning, you probably wouldn’t be running Server 2003 at this point), those certificates likely point right at the computer that you want to migrate.
CRL distribution points need to be available, because clients perform checks against them when they consume a certificate to verify that it hasn’t been revoked. If you take a CRL distribution point offline, or change its address so that the client can’t find it, the certificate will be treated as invalid.
In the best of all worlds, you alter the properties of the CA some time before you perform the migration, giving yourself a chance to update certificates to point to a CRL distribution point that is in a separate location. That way, you can take the CA offline without causing problems for revocation checks.
As mentioned in the previous post, the steps involved in migrating a CA are as follows:
Backing up the CA database and private key on the 2003 subordinate CA
Backing up the CA registry settings on the 2003 subordinate CA
Backing up CAPolicy.inf on the 2003 subordinate CA
Removing the CA role from the 2003 subordinate CA
Removing the 2003 subordinate CA from the domain (if appropriate)
Building a 2012 R2 server that has the same name
Joining the new 2012 R2 server to the domain (if appropriate)
Adding the CA role to the 2012 R2 server
Restoring the CA database and configuration on the 2012 R2 server (including some registry keys if appropriate)
Configuring the AIA and CDP containers
As I mentioned here and in the last post, this is pretty high level. You can get a better feel for the procedure at the following web page https://technet.microsoft.com/en-us/library/ee126140%28v=ws.10%29.aspx
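The backup side of the steps above, with the matching restore on the new server, as an added PowerShell example that is not part of the original post. It wraps the certutil.exe and reg.exe commands the Microsoft migration guide relies on; the backup folder, the PFX password and the -Phase switch are assumptions of this example.

```powershell
param(
    [ValidateSet('Backup','Restore')] [string]$Phase = 'Backup',
    [string]$BackupRoot  = 'C:\CABackup',   # assumed path; a removable or network location is better
    [string]$PfxPassword = 'REPLACE_ME'     # protects the exported CA private key (.p12)
)
$ErrorActionPreference = 'Stop'

# Run a native command and fail loudly if it returns a non-zero exit code.
function Invoke-Native([string]$Exe, [string[]]$ArgList) {
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
}

$regKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$regFile = Join-Path $BackupRoot 'CertSvc-Configuration.reg'

if ($Phase -eq 'Backup') {
    # Run elevated on the old 2003 subordinate CA.
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

    # Step 1: CA database and private key (certutil writes DataBase\ plus a .p12 of the CA key).
    Invoke-Native certutil.exe @('-p', $PfxPassword, '-backup', $BackupRoot)

    # Step 2: CA registry settings (CDP/AIA URLs, validity periods, policy and exit module config).
    Invoke-Native reg.exe @('export', $regKey, $regFile, '/y')

    # Step 3: CAPolicy.inf, if one was used when the CA was installed.
    $caPolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
    if (Test-Path $caPolicy) { Copy-Item $caPolicy $BackupRoot }
    else { Write-Warning "No CAPolicy.inf at $caPolicy; nothing to back up for that step" }

    # Record where issued certificates expect to find the CRL and the CA certificate,
    # so the same locations can be confirmed on the new server before clients depend on it.
    Invoke-Native certutil.exe @('-getreg', 'CA\CRLPublicationURLs')    | Out-File (Join-Path $BackupRoot 'cdp-urls.txt')
    Invoke-Native certutil.exe @('-getreg', 'CA\CACertPublicationURLs') | Out-File (Join-Path $BackupRoot 'aia-urls.txt')
}
else {
    # Run elevated on the new 2012 R2 server after it has the same name and the CA role installed.
    # Review and trim $regFile first: the migration guide restores only the values that still apply.
    Invoke-Native net.exe      @('stop', 'certsvc')
    Invoke-Native certutil.exe @('-f', '-p', $PfxPassword, '-restore', $BackupRoot)
    Invoke-Native reg.exe      @('import', $regFile)
    Invoke-Native net.exe      @('start', 'certsvc')

    # Compare against cdp-urls.txt / aia-urls.txt from the backup before taking the old box away.
    Invoke-Native certutil.exe @('-getreg', 'CA\CRLPublicationURLs')
    Invoke-Native certutil.exe @('-getreg', 'CA\CACertPublicationURLs')
}
```

Run it once with `-Phase Backup` on the old CA and once with `-Phase Restore` on the new one; both phases leave the CA name, and therefore the CDP and AIA locations already embedded in issued certificates, unchanged.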