Windows Server - renew root ca to extend validity period

Asked By ritchie1230
25-Jan-10 12:48 PM
Hello,

I have a W2003 standalone root CA (2 enterprise issuing CAs). I want
to renew the root CA to extend the validity period from 5 to 10 years.
I have configured the CAPolicy.inf file similar to below:

[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
[CRLDistributionPoint]
Empty=True
[AuthorityInformationAccess]
Empty=True

I intend to renew with the same key pair. The root CA is approximately
2.5 years into its 5-year validity period.

My question is this: in looking at the properties of the root CA,
under the Extensions tab, there are LDAP and HTTP entries under both
the CDP and AIA areas.

Under AIA - LDAP - "Include in the AIA extension of issued certificates"
is checked
Under AIA - HTTP - "Include in the AIA extension of issued certificates"
is checked

Under CDP - LDAP - "Include in all CRLs. Specifies where to publish in
the Active Directory when publishing manually" is checked
"Include in the CDP extension of issued certificates" is checked

Under CDP - HTTP - "Include in the CDP extension of issued certificates"
is checked

Can these entries remain there while I renew the root CA certificate,
or should they be removed? My concern is that if I renew the root CA
while these entries are in place, then when I publish the renewed
root CA certificate to Active Directory these entries will try to
resolve and cause errors.

Please let me know if I need to provide additional detail.

Regards,

Ritchie
Stardust replied to ritchie1230
29-Jan-10 04:32 PM
I guess it should be alright if you are renewing with the same key pair. If you
are renewing with a new key pair then the values you put in the AIA and CDP
extensions become important. If you did not put the suffix in the AIA and CDP,
the CA will publish its new CDP to the same location as the old one. In this
case, the applications that come to collect the old CRL expect it to be
signed by the old CA cert - instead they will find that the signature is now
from a new CA cert and they will fail. However, if you have the suffix
properly in the CDP then the new CRL will go to http://foo(1).crl, which
is the new CA CRL. And in the new certificates issued by this new CA cert,
the CRL will be put in the certs as http://foo(1).crl.

I hope you have a test environment parallel to the production environment.
You could test it there.
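As an added example (not code from either poster), the PowerShell below reads the CertSvc registry values behind the Extensions tab checkboxes listed in the question and reports, per CDP/AIA URL template, which boxes are set and whether the template carries the renewal suffix variable that Stardust's reply depends on (%8 is the CRL name suffix, %4 the CA certificate name suffix). It assumes it runs on the CA host as an administrator with PowerShell 2.0 or later; the CA name is read from the registry, so nothing in it is tied to the poster's environment.

```powershell
# Added example, not from the thread. Reads the CertSvc registry values that the
# Extensions tab edits and reports, per URL template, which checkboxes are set
# and whether the template carries the renewal suffix variable.
# Assumes: run on the CA host as an administrator, PowerShell 2.0 or later.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caKey  = Join-Path $cfg $caName

# Flag bits stored in front of each template (the CSURL_* values) and the
# checkbox text they correspond to on the Extensions tab.
$cdpFlags = @{   1 = 'Publish CRLs to this location'
                 2 = 'Include in the CDP extension of issued certificates'
                 4 = 'Include in CRLs. Clients use this to find Delta CRL locations'
                 8 = 'Include in all CRLs. Specifies where to publish in AD when publishing manually'
                64 = 'Publish Delta CRLs to this location'
               128 = 'Include in the IDP extension of issued CRLs' }
$aiaFlags = @{   1 = 'Publish to this location'
                 2 = 'Include in the AIA extension of issued certificates'
                32 = 'Include in the OCSP extension of issued certificates' }

function Show-PublicationUrls {
    param([string]$ValueName, [hashtable]$FlagNames, [string]$RenewalToken, [switch]$SkipLdap)
    $entries = (Get-ItemProperty -Path $caKey -Name $ValueName).$ValueName
    foreach ($entry in $entries) {
        # Each REG_MULTI_SZ entry is "<flags>:<url template>"; the template itself
        # may contain colons (C:\..., http://...), so split at most once.
        $flagText, $url = $entry -split ':', 2
        $flags = [int]$flagText
        Write-Host "$ValueName -> $url"
        $FlagNames.Keys | Sort-Object | Where-Object { $flags -band $_ } |
            ForEach-Object { Write-Host "    [x] $($FlagNames[$_])" }
        # The LDAP AIA object stores every CA certificate in one attribute, so
        # that template needs no per-certificate suffix.
        if ($SkipLdap -and $url -like 'ldap:*') { continue }
        # Without the renewal variable the post-renewal CRL or CA cert is written
        # over the old file. %8 only increments when the CA is renewed with a NEW
        # key pair; with the same key pair one CRL stays valid for both certs.
        if ($url -notlike "*$RenewalToken*") {
            Write-Warning "    template lacks $RenewalToken; a renewal would overwrite the old file"
        }
    }
}

# %8 = <CRLNameSuffix> ("", "(1)", "(2)" ...), %4 = <CertificateName> suffix.
Show-PublicationUrls -ValueName CRLPublicationURLs    -FlagNames $cdpFlags -RenewalToken '%8'
Show-PublicationUrls -ValueName CACertPublicationURLs -FlagNames $aiaFlags -RenewalToken '%4' -SkipLdap
```

Run it before and after the renewal in the test environment Stardust suggests: the checkbox flags are unaffected by renewal, and a template without the suffix variable is the case where a new-key renewal breaks clients still fetching the old CRL.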