There are a few complications in doing a “migration” of the CA role when the old CA name matches the server hostname. I’ve faced this, and after referring to tech articles and chatting with a few tech guys I’ve successfully achieved it, so I thought I would blog it in case it is helpful to someone. The simple scenario below is CBA/WPA Enterprise for wireless using NPS.
The procedure below installs a second Enterprise Root CA in the forest, promotes it as the authoritative issuer of certificates, replaces/updates already issued certificates and sets up new GPOs for auto-enrolment. The plan also keeps an option to roll the change back so that the service can be restored as quickly as possible.
- Log in to Old-CA, open Server Manager and click Active Directory Certificate Services.
- Under Role Services, select Certification Authority and CA Web Enrollment.
- Select Enterprise root CA as the CA type.
- Select “Create a new Private Key”.
- Leave the default cryptographic provider (RSA#Microsoft Software Key Storage Provider) and hash algorithm, and set the key length to 4096.
- Provide the common name for the CA as ROOT-CA-01.
- Select the CA validity as 10 years.
- Accept the defaults for the database and log file locations.
- Click “Configure”. Reboot once completed.
- Log in to Old-CA and open the Certification Authority console. In the console tree, click Revoked Certificates and publish a CRL with an extended validity (1 week), so that certificates issued by Old-CA keep validating while the migration is in progress.
- Click the Certificate Templates node and delete all the templates, so that they are no longer issued by Old-CA.
- Log in to New-CA, open the AD CS console, right-click the Certificate Templates node and select Manage. This opens the Certificate Templates console. Duplicate the template you require and rename it as you wish, but set the template properties below.
- Ensure that Domain Admins, Domain Controllers and Enterprise Admins have Full Control over the template, and that Domain Computers has Autoenroll enabled.
- Add the template to the CA's template store. It will now be issued by New-CA.
- Open the Group Policy Management console, open the “Default Domain Policy” and ensure that the root CA certificate is correctly deployed to the Trusted Root Certification Authorities store of all client machines via the auto-enrollment settings. Check the settings below.
- On New-CA, open the AD CS console, expand Certificate Templates, right-click the required template and select “Reenroll All Certificate Holders”.
- Similarly, right-click the Computer template and select “Reenroll All Certificate Holders” so that the updated certificate is available to all machines for other purposes.
- Log on to a client machine, run gpupdate /force and reboot. Check that the root CA certificate is present in the Trusted Root Certification Authorities store.
- Check the event logs on New-CA for any critical errors or warnings.
- Log on to the NPS server, open the Certificates MMC and request a new certificate. This presents the list of certificate templates offered by New-CA. Install the certificate.
- Verify the certificate properties to ensure that it was issued by New-CA.
- Open the NPS console and update the certificate used for wireless authentication (PEAP) in all the policies to the new certificate issued by New-CA.
- Test from a laptop and a BYOD device/iPad and ensure that Wi-Fi authentication succeeds.
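The client-side and NPS-side checks in the last few steps can be scripted. The PowerShell below is an added example, not part of the original post: it assumes the new CA's common name is ROOT-CA-01 as above and uses "Old-CA" as a placeholder for the old CA's common name, and it is meant to be run in an elevated prompt on a client or on the NPS server.

```powershell
# Verification script (added example). Assumptions: new CA common name ROOT-CA-01
# (from the procedure); $OldCaName is a placeholder for the old CA's common name.
param(
    [string]$NewCaName = "ROOT-CA-01",
    [string]$OldCaName = "Old-CA"
)

# 1. Has the new root CA reached the Trusted Root Certification Authorities store via GPO?
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$NewCaName*" -and $_.Subject -eq $_.Issuer }
if ($root) {
    "OK   $NewCaName is trusted (thumbprint $($root.Thumbprint), expires $($root.NotAfter))"
} else {
    "FAIL $NewCaName not in Cert:\LocalMachine\Root - re-check the GPO and run gpupdate /force"
}

# 2. Which CA issued each certificate in the machine's personal store?
#    Anything still marked OLD has not been re-enrolled yet.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $issuer = (($_.Issuer -split ',')[0] -replace '^CN=').Trim()
    $tag = if ($issuer -eq $NewCaName) { 'NEW ' }
           elseif ($issuer -eq $OldCaName) { 'OLD ' }
           else { 'INFO' }
    "$tag $($_.Subject) issued by $issuer, valid until $($_.NotAfter)"
}

# 3. For certificates usable by NPS for PEAP (Server Authentication EKU), build the
#    chain and report which root it ends at. ChainStatus also surfaces revocation
#    problems, e.g. an expired CRL from the old CA, which is why the extended-validity
#    CRL is published before the old templates are removed.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    ForEach-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $built = $chain.Build($_)
        $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $why   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        "CHAIN $($_.Subject) -> $($top.Subject) valid=$built $why"
    }
```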
Post Implementation Tasks
- Log on to Old-CA and stop the CA service. Under “Add/Remove Windows Components”, remove the “Certification Authority” role service. This removes the AD objects and containers related to Old-CA.
- Log in to Old-CA and click the Certificate Templates node. Delete the templates below, so that they are no longer issued by Old-CA: Computer, Workstation Wireless Authentication, Domain Controller Authentication.
- Log in to Old-CA, open the AD CS console, right-click the Certificate Templates node and select Manage. This opens the Certificate Templates console. Duplicate the templates below and add them to the AD CS templates: Computer, Workstation Wireless Authentication, Domain Controller Authentication. These will now be issued by Old-CA.
- Open the CA MMC, expand Certificate Templates, right-click the Workstation Wireless template and select “Reenroll All Certificate Holders”. Right-click the Computer template and select “Reenroll All Certificate Holders” so that the updated certificate is available to all machines for other purposes.
- Check the event logs for any critical errors or warnings.
- Log on to the NPS server and open the NPS console. Update the certificate used for wireless authentication (PEAP) in all the policies to the certificate issued by Old-CA.
- Test from a laptop that Wi-Fi authentication succeeds.
- Log on to New-CA and stop the CA service. Remove the roles AD CS and AD CS Web Enrollment. This removes the AD objects and containers related to New-CA.