Hello All,
I upgraded our Enterprise CA from Windows 2000 CA to Windows 2003
Standard and it now refuses to issue certificates. Is it possible to
set up another CA on a 2003 Enterprise box and have them online at the
same time? While I can't find documentation that recommends having
two CAs, I can't find anywhere that warns against it either.
Ideally, the new CA would start issuing certs, which would eventually
allow us to take the original box offline eventually. Oh, the 2003
Enterprise box is already in production, so renaming it isn't an
option.
Any insight or proposed solutions would be much appreciated.
Cheers,
Brent
MS Newsgroup - 19 Jul 2007 19:18 GMT
Unfortunately you can only have one Enterprise CA in a domain....there's
nothing stopping you from having a secondary one set up as a subordinate
though...
> Hello All,
>
[quoted text clipped - 13 lines]
> Cheers,
> Brent
Brian Komar - 24 Jul 2007 13:33 GMT
Huh!!!!!!
This statement is definitely incorrect.
Brian
> Unfortunately you can only have one Enterprise CA in a domain....there's
> nothing stopping you from having a secondary one set up as a subordinate
[quoted text clipped - 17 lines]
>> Cheers,
>> Brent
Brian Komar - 24 Jul 2007 13:35 GMT
There is nothing that stops you from putting two enterprise CAs on the
network.
But....
You cannot take an existing enterprise CA offline without converting it to a
standalone CA.
The enterprise CA configuration depends on AD and cannot be removed from the
network.
I would look at the Best Practices whitepaper available at
www.microsoft.com/pki for some insight on setting up CA hierarchies.
You look like you are moving from a one-tier to a two-tiered CA hierarchy.
Brian
> Hello All,
>
[quoted text clipped - 13 lines]
> Cheers,
> Brent