Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

First published on TECHNET on Jan 27, 2012

Jonathan Stephens posted an excellent blog post about this topic; however, it did not include the steps. As a result, I decided to write this post detailing the steps required. The following assumptions must be met before proceeding:

  • There is a new valid Certification Authority configured
  • There is a new distribution point configured for the AIA and CDP locations, published at http://crl.contoso.com/CertData

Steps:

  1. Log on to the old Enterprise Certification Authority as an Enterprise Administrator.
  2. Identify the AIA and CDP distribution points
    a. Open the Certification Authority console
    b. Right-click the Certification Authority name and click Properties
    c. Click the “Extensions” tab
    d. Document the distribution points configured for the CRL Distribution Point (CDP) extension, for example http://pki.contoso.com/Certenroll/
    e. In the “Extensions” tab, select Authority Information Access (AIA) from the drop-down menu
    f. Document the distribution points configured for the AIA extension, for example http://pki.contoso.com/Certenroll/

Note: In both cases, ignore the LDAP and local C:\ (%windir%) locations; only the HTTP locations are redirected later.

  3. Disable the Delta CRL and issue a long-lived Certificate Revocation List (CRL)
    a. Open the Certification Authority console
    b. Right-click “Revoked Certificates”, and then click “Properties”
    c. Uncheck “Publish Delta CRL”
    d. Change the “CRL publication interval” to 99 years and then click OK
    e. Open the command line with elevated privileges
    f. Run certutil -crl to issue a new Certificate Revocation List (CRL)

  4. Copy the old Certification Authority's certificate (CRT) and certificate revocation list (CRL) files to the server hosting the website http://crl.contoso.com/CertData
    a. On the old Certification Authority, navigate to %windir%\System32\CertSrv\CertEnroll
    b. Copy the Certification Authority's certificate (CRT) and certificate revocation list (CRL) to the directory hosting http://crl.contoso.com/CertData
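The following PowerShell script is an added example, not part of the original post, that performs steps 3 and 4 from the command line on the old CA and then checks the result. It assumes an elevated session on the old CA and that the web root behind http://crl.contoso.com/CertData is reachable at the UNC path in `$CertDataShare` (a hypothetical value). The registry values it sets are the ones behind the “Revoked Certificates” Properties dialog.

```powershell
# Added example (not from the original post): automate steps 3 and 4 on the OLD CA.
# Assumptions: elevated PowerShell on the old CA; the new CertData web root is
# reachable at the UNC path below (hypothetical value).
$CertDataShare = '\\webserver.contoso.com\CertData'   # assumed path behind http://crl.contoso.com/CertData

# Step 3: stop publishing delta CRLs and make the base CRL valid for 99 years.
certutil -setreg CA\CRLDeltaPeriodUnits 0              # 0 disables delta CRL publishing
certutil -setreg CA\CRLPeriodUnits 99
certutil -setreg CA\CRLPeriod "Years"
Restart-Service CertSvc                                # CRL settings are read at service start
certutil -crl                                          # publish a new base CRL immediately
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }

# Step 4: copy the CA certificate(s) and CRL(s) to the new distribution point.
$enroll = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
Get-ChildItem -Path "$enroll\*" -Include *.crt, *.crl |
    Copy-Item -Destination $CertDataShare -Force -Verbose

# Check: confirm the freshly published base CRL really carries a far-future
# NextUpdate before anything is redirected at it. certutil -dump prints the
# CRL fields as text, so the "NextUpdate" line is extracted from that output.
$crl = Get-ChildItem -Path $enroll -Filter *.crl |
       Where-Object { $_.Name -notlike '*+.crl' } |     # a trailing '+' marks a delta CRL
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
$nextUpdate = (certutil -dump $crl.FullName | Select-String -Pattern 'Next\s?Update').Line
"Base CRL: $($crl.Name)"
$nextUpdate
```

Read the printed NextUpdate carefully: the CA will not issue a CRL that outlives its own certificate, so if the old CA certificate expires before the 99 years are up, the CRL must be republished (and recopied to CertData) until the last certificate the old CA issued has expired or been replaced.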

  5. Redirect the Authority Information Access (AIA) and Certificate Revocation List (CRL) distribution points of the old Certification Authority to http://crl.contoso.com/certdata
    a. This can be done using an IIS HTTP redirect or a DNS CNAME record, so that the Authority Information Access (AIA) and Certificate Revocation List (CRL) locations of the old Certification Authority documented in steps 2.d and 2.f are served by the new web server http://crl.contoso.com/certdata
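As an added example (not from the original post), the following PowerShell configures the IIS redirect variant of step 5 and then verifies it both at the HTTP level and through the Windows chain engine, which is what a relying party actually uses. It assumes the old location http://pki.contoso.com/Certenroll/ is served by IIS as the “CertEnroll” virtual directory under “Default Web Site”, that the HTTP Redirection role service is installed, and that a certificate previously issued by the old CA is available as `previously-issued.cer`; all three are assumptions.

```powershell
# Added example (not from the original post): IIS redirect for step 5 plus checks.
# Assumptions: old CDP/AIA path is the IIS virtual directory named below
# (hypothetical); the IIS "HTTP Redirection" role service is installed.
$OldSiteAndPath = 'Default Web Site/CertEnroll'
$NewBase        = 'http://crl.contoso.com/CertData'

# With exactDestination left at its default (false), IIS appends the rest of the
# request path, so /Certenroll/OldCA.crl becomes $NewBase/OldCA.crl. A 301 tells
# clients (and caches) that the move is permanent.
& "$env:windir\System32\inetsrv\appcmd.exe" set config $OldSiteAndPath `
    /section:httpRedirect /enabled:true /destination:$NewBase /httpResponseStatus:Permanent

# Check 1: ask IIS directly, without following the redirect, and confirm the
# Location header points into the new CertData path.
$req = [System.Net.HttpWebRequest]::Create('http://pki.contoso.com/Certenroll/OldCA.crl')  # file name assumed
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
$status   = [int]$resp.StatusCode
$location = $resp.Headers['Location']
$resp.Close()
if ($status -ne 301 -or $location -notlike "$NewBase/*") {
    throw "Redirect not in place: got HTTP $status -> '$location'"
}
"HTTP $status -> $location"

# Check 2: validate an old-CA certificate while forcing fresh AIA/CDP downloads.
# Every URL listed in the output should be reported as Verified.
certutil -verify -urlfetch .\previously-issued.cer   # path assumed
```

If you choose the DNS CNAME route instead, remember that a CNAME only re-points the host name: the new web server must then also answer for the old path (/Certenroll/), for example with the same redirect rule applied there, or old certificates will fail revocation checking even though the name resolves. Either way, the old URL must keep working until the last certificate issued by the old CA has expired or been replaced.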

  6. Document and remove all certificate templates available on the old Certification Authority to prevent it from issuing new certificates
    a. Open the command line with elevated privileges
    b. Run certutil -catemplates > c:\catemplates.txt to document all certificate templates available on the old Certification Authority
    c. Launch the Certification Authority console
    d. Navigate to “Certificate Templates”
    e. Highlight all templates in the right pane, right-click and then click “Delete”

At this point, the old Certification Authority can't issue any certificates, and all of its Authority Information Access (AIA) and Certificate Revocation List (CRL) locations are redirected to the new web site http://crl.contoso.com/CertData. The next steps document the certificates issued from templates on the old Certification Authority and make those templates available on the new Certification Authority.

  7. Identify and document the certificates issued per certificate template by sorting the Certification Authority database
    a. Highlight “Issued Certificates”
    b. In the right pane, sort by “Certificate Template”
    c. Identify the certificates issued from the default certificate template types
    d. Identify the certificates issued from custom certificate templates, i.e. any template other than the default certificate templates mentioned earlier

  8. Dump the certificates issued from the default certificate template types:
    a. Open the command line with elevated privileges
    b. Run certutil -view -restrict "Certificate Template=<Template>" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\<TemplateType>.txt
    c. Examine the output of c:\<TemplateType>.txt and document all the certificates needing immediate action, i.e. those that must be reissued from the new CA infrastructure, such as web SSL certificates.
    d. Consult with the application administrator using the certificates to determine the best approach to replace the certificates if needed

Note: Replace <Template> with the name of the template and <TemplateType> with a file name of your choice.

  9. Dump the certificates issued from the custom certificate template types:
    a. Open the Certification Authority console
    b. Right-click “Certificate Templates” and click “Manage”
    c. Double-click the certificate template and click the “Extensions” tab
    d. Click “Certificate Template Information”
    e. Copy the Object Identifier (OID); it will look similar to 1.3.6.1.4.1.311.21.8.12531710.13924440.6111642.16676639.10714343.69.16212521.10022553
    f. Open the command line with elevated privileges
    g. Run certutil -view -restrict "Certificate Template=<OIDNumber>" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\<CustomTemplateType>.txt
    h. Examine the output of c:\<CustomTemplateType>.txt and document all the certificates needing immediate action, i.e. those that must be reissued from the new CA infrastructure, such as custom SSL certificates.
    i. Consult with the application administrator using the certificates to determine the best approach to replace the certificates if needed

Note: Replace <OIDNumber> with the number identified in step 9.e and <CustomTemplateType> with a file name of your choice.

Note: You don't need to take any action if the certificate was auto-enrolled, because the certificate holder will renew the certificate from the new CA infrastructure when it expires.
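The following PowerShell script is an added example (not from the original post) that generalizes steps 7 to 9: instead of one certutil run per template, it pulls every issued certificate from the old CA database in a single pass, keeps only the unexpired ones, groups them by template, and writes the ones expiring soonest to a CSV for the application owners. It assumes an elevated session on the old CA, a 90-day planning horizon, and an output path of C:\oldca-expiring-soon.csv; the way it finds columns by name pattern is there because certutil labels CSV columns with localized display names.

```powershell
# Added example (not from the original post): one-pass inventory of the OLD CA's
# unexpired issued certificates, grouped by template. Run elevated on the old CA.
$DaysAhead  = 90                               # assumed planning horizon
$OutputPath = 'C:\oldca-expiring-soon.csv'     # assumed output location

# Disposition 20 = Issued. "csv" selects certutil's CSV output mode; the
# completion banner certutil appends is dropped before parsing.
$raw = certutil -view -restrict "Disposition=20" `
        -out "RequestID,CertificateTemplate,SerialNumber,NotAfter,CommonName,DistinguishedName" csv
$rows = $raw | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } | ConvertFrom-Csv
if (-not $rows) { throw 'No issued certificates returned; check that CertSvc is running.' }

# CSV headers are display names that vary by build and language, so locate the
# columns by pattern instead of hard-coding them.
$names   = $rows[0].PSObject.Properties.Name
$colTmpl = $names | Where-Object { $_ -match 'Template' }       | Select-Object -First 1
$colExp  = $names | Where-Object { $_ -match 'Expir|NotAfter' } | Select-Object -First 1
$colCN   = $names | Where-Object { $_ -match 'Common' }         | Select-Object -First 1
$colSer  = $names | Where-Object { $_ -match 'Serial' }         | Select-Object -First 1

$now    = Get-Date
$active = foreach ($r in $rows) {
    $exp = [datetime]::MinValue
    if ([datetime]::TryParse($r.$colExp, [ref]$exp) -and $exp -gt $now) {
        [pscustomobject]@{
            Template   = $r.$colTmpl
            # Version 1 (default) templates are recorded by name; version 2 and
            # later (typically custom) templates by OID, which is why step 9
            # filters on the OID rather than the display name.
            IsCustom   = [bool]($r.$colTmpl -match '^\d+(\.\d+)+$')
            Serial     = $r.$colSer
            CommonName = $r.$colCN
            NotAfter   = $exp
        }
    }
}

# Summary per template: how many live certificates still chain to the old CA
# and how long the old CRL must therefore remain reachable.
$active | Group-Object Template | ForEach-Object {
    [pscustomobject]@{
        Template   = $_.Name
        Custom     = $_.Group[0].IsCustom
        Count      = $_.Count
        LastExpiry = ($_.Group | Sort-Object NotAfter -Descending | Select-Object -First 1).NotAfter
    }
} | Sort-Object LastExpiry -Descending | Format-Table -AutoSize

# Detail list for the application owners (the examine/consult steps of 8 and 9):
# certificates that expire within the planning horizon.
$active | Where-Object { $_.NotAfter -le $now.AddDays($DaysAhead) } |
    Sort-Object NotAfter | Export-Csv -Path $OutputPath -NoTypeInformation
"Wrote certificates expiring within $DaysAhead days to $OutputPath"
```

The LastExpiry column in the summary is the date after which the old CA's CRL and AIA files are no longer needed by anyone, which is the input step 12 relies on.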

  10. Enable the certificate templates needed, based on the results of steps 7 to 9, on the new Certification Authority
    a. Log on to the new Certification Authority as an Enterprise Administrator
    b. Right-click “Certificate Templates”, click “New” and then click “Certificate Template to Issue”
    c. Choose all the certificate templates needed in the “Enable Certificate Templates” window and click “OK”

11

  12. Once all certificates have been reissued by the new infrastructure, you can safely remove all the Authority Information Access (AIA) and Certificate Revocation List (CRL) files from your infrastructure by following the steps in How to Decommission a Windows Enterprise Certification Authority and How to Remove All Re…, and remove them from the web server hosting http://crl.contoso.com

Amer F. Kamal

Senior Premier Field Engineer


This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.