
New Issuing CA

 
Rog

(Msg. 1) Posted: Tue Feb 05, 2008 9:59 am
Post subject: New Issuing CA
Archived from groups: microsoft>public>inetserver>iis

I have an online root CA that has been servicing our cert requests for a
while. I have installed a new subordinate CA to be used as an issuing CA, but
the population of certs that currently exist on the root haven't populated
down.

I tried copying the contents of the CertEnroll dir to the CertEnroll dir on
the new CA, but still no luck.

I am sure that I am approaching this wrong. Can anyone tell me what I am
missing?

kenremove

(Msg. 2) Posted: Tue Feb 05, 2008 9:04 pm
Post subject: Re: New Issuing CA

"Rog" <Rog.TakeThisOut@discussions.microsoft.com> wrote in message
news:C0806CD5-7A05-43DC-9CB2-79FE7490F7A9@microsoft.com...
> I have an online root CA that has been servicing our cert requests for a
> while. I have installed a new subordinate CA to be used as an issuing CA,
> but the population of certs that currently exist on the root haven't
> populated down.

What exactly do you mean here?


> I tried copying the contents of the CertEnroll dir to the CertEnroll dir
> on the new CA, but still no luck.

What are you trying to achieve here?

Cheers
Ken

Rog

(Msg. 3) Posted: Tue Feb 05, 2008 9:04 pm
Post subject: Re: New Issuing CA

Ken,

Thanks for the follow up.

I currently have a root CA in the root domain of our network that is online
and currently handles all of our certificate issuing. I am attempting to
install an issuing CA in the child domain to take over the role of issuing
certs and want copies of all the templates and currently issued certs and CRL
on this server.

The root CA is currently published in AD and I was able to successfully
install the subordinate enterprise CA, but I guess I was expecting the newly
installed CA to automatically get all the certs that are on the root.


So, how can I get the certs, CRL and templates on the new issuing CA?

"Ken Schaefer" wrote:

> "Rog" <Rog.RemoveThis@discussions.microsoft.com> wrote in message
> news:C0806CD5-7A05-43DC-9CB2-79FE7490F7A9@microsoft.com...
> > I have an online root CA that has been servicing our cert requests for a
> > while. I have installed a new subordinate CA to be used as an issuing CA,
> > but the population of certs that currently exist on the root haven't
> > populated down.
>
> What exactly do you mean here?
>
> > I tried copying the contents of the CertEnroll dir to the CertEnroll dir
> > on the new CA, but still no luck.
>
> What are you trying to achieve here?
>
> Cheers
> Ken
kenremove

(Msg. 4) Posted: Wed Feb 06, 2008 12:04 am
Post subject: Re: New Issuing CA

Hi there,

I'm not the expert on Certificate Services, but I don't think you can do
what you want to do.

Each CA publishes its own CRL.

Each CA signs its own certificates. The certs issued by your root CA will
be signed using the root CA's private key. You can't just somehow magically
have the subordinate CA appear to have issued those certs (because your
subordinate CA has its own private key). What you can do is revoke all the
certs issued by the root CA and issue new certs from your Subordinate CA.

Cert templates I think can be exported from one CA and imported into
another. Check the CA MMC console.

Cheers
Ken

Rog

(Msg. 5) Posted: Wed Feb 06, 2008 12:04 am
Post subject: Re: New Issuing CA

Ken,

Thanks again... this makes more sense. However, I think my next question
would be: in order to start issuing certs from the issuing CA, don't I have to
be trusted by the root CA and have a copy of the root certificate local to
the issuing CA? If so, how should I do this?

Thanks again!

kenremove

(Msg. 6) Posted: Wed Feb 06, 2008 3:04 am
Post subject: Re: New Issuing CA

You would have the root CA sign the subordinate CA's cert, thus creating the
trust relationship. If the root CA is AD integrated, and you set up a
subordinate AD integrated CA, I think this happens automatically (it's been
a while since I had to run through setup).

If you have time, then get this book:
http://www.amazon.com/Microsoft-Windows-Server-Certificate-Security/dp...3562021

Otherwise, I'm sure there are tutorials on the Microsoft TechNet website...

Cheers
Ken

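The signing relationships described in Msg. 4 and Msg. 6, as an added example that is not part of the original thread: a throwaway OpenSSL hierarchy (not Windows Certificate Services; the demo-* names, key size and lifetimes are assumptions) in which a certificate issued by the root does not validate against the subordinate CA, while one issued by the subordinate chains up to the root.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: CA names, key size and lifetimes are assumptions.
set -eu

build_demo_pki() {                      # $1 = empty working directory
  local d=$1 n
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused, overridden by -subj
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
  for n in root sub old new; do         # one key pair and CSR per entity
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
      -subj "/CN=demo-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  sign() { openssl x509 -req -days 30 -extfile "$d/pki.cnf" "$@" 2>/dev/null; }
  # The root signs itself, then signs the subordinate CA's certificate.
  sign -in "$d/root.csr" -signkey "$d/root.key" -extensions ca -out "$d/root.crt"
  sign -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
       -extensions ca -out "$d/sub.crt"
  # "old" was issued by the root; "new" is issued by the subordinate.
  sign -in "$d/old.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
       -extensions leaf -out "$d/old.crt"
  sign -in "$d/new.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" -CAcreateserial \
       -extensions leaf -out "$d/new.crt"
}

issuer_of() { openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//'; }
# Does certificate $2 validate when CA certificate $1 is the only trust anchor?
issued_by() { openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1; }
# Relying-party view: trust only the root, offer the subordinate as intermediate.
chains_to_root() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$2" >/dev/null 2>&1
}

d=$(mktemp -d); build_demo_pki "$d"
for c in old new; do
  printf '%s.crt issuer=%s sub-signed=' "$c" "$(issuer_of "$d/$c.crt")"
  issued_by "$d/sub.crt" "$d/$c.crt" && echo yes || echo no
done
```

On a Windows CA host, the comparable relying-party check for an exported certificate file is certutil -verify -urlfetch followed by the file name.
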
Rog

(Msg. 7) Posted: Wed Feb 06, 2008 5:06 am
Post subject: Re: New Issuing CA

Ken,

Thanks for all your help, this is all good information!
