Moving an Enterprise Root CA - can it be done?

Thread starter: al

We have a server on its last legs that unfortunately also happens to be our
Enterprise Root CA. How does one move this service from one server to
another and keep the certification path intact?



Opti_mystic:
Al,

Performing a backup/restore of the CA database is not difficult, but are you saying that the CA server's name needs to change? Because if the CA server's name changes then you may have a problem. I would try to keep the server's name the same. Is this a true Root CA, in that you have only used it to issue certs to other CA servers? Or have you issued certificates to users, machines, etc., from this server? The reason I ask is to determine the scope of the potential problem. I have had poor success in moving a CA database to another server with a different name elsewhere in the environment. However, I have had good results moving the CA database to another server with the same name and IP address.

If you can provide a few more details I may be able to
help you a bit more.
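
Since the answer above rests on a backup/restore of the CA onto a server that keeps the same name, here is what that procedure looks like in practice. This is an added example, not the poster's commands: the backup directory, the CA common name and the sample issued-certificate file are assumptions, and it targets the AD CS tooling (certutil and the ADCSDeployment PowerShell module) on a current Windows Server, which the thread does not name. The point it makes concrete is that a CA's identity is its certificate and private key, not the host name: the certification path survives only if that key pair is restored rather than regenerated, and the CRL/AIA locations recorded in the registry must keep resolving for certificates the old CA issued.

```powershell
# Added example (not from the thread): re-home an AD CS Enterprise Root CA on a
# replacement server that keeps the SAME computer name, preserving the CA key
# pair so existing certification paths stay valid. Paths, the CA name and the
# sample certificate file are assumptions for illustration.

$BackupDir = 'D:\CA-Backup'                 # assumed; copy it to the new server afterwards
$CaName    = 'Contoso Enterprise Root CA'   # assumed CA common name (certutil names the PFX after it)
$Pfx       = Join-Path $BackupDir "$CaName.p12"
$Password  = Read-Host -AsSecureString 'Password for the exported CA private key'
$Plain     = [Net.NetworkCredential]::new('', $Password).Password   # plain text only for certutil -p

# ---------- On the OLD server (CertSvc must be running for -backup) ----------

# 1. CA certificate + private key (PFX) and the certificate database.
certutil -backup $BackupDir -p $Plain
if ($LASTEXITCODE -ne 0) { throw 'CA backup failed; do not decommission the old CA' }

# 2. Registry configuration: CRL/AIA publication URLs, validity periods,
#    database paths, audit settings. Certificates already issued carry the
#    old CDP/AIA URLs, so those locations must keep working after the move.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc.reg" /y

# 3. The CA certificate on its own, for an independent identity check later.
certutil -ca.cert "$BackupDir\ca-original.cer" | Out-Null

# ---------- On the NEW server (same name, domain-joined, old CA role removed) ----------

# 4. Install the CA using the EXISTING certificate and key instead of generating
#    a new pair. A freshly generated key is a different CA as far as every
#    relying party is concerned, whatever the common name says.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile $Pfx -CertFilePassword $Password `
    -OverwriteExistingKey -OverwriteExistingCAinDS -Force

# 5. Restore the database and the configuration with the service stopped,
#    then bring it up. Database/log paths in the .reg must exist on this host.
Stop-Service CertSvc
certutil -restoredb $BackupDir
reg import "$BackupDir\CertSvc.reg"
Start-Service CertSvc

# 6. Verify identity: the running CA must present the original certificate.
certutil -ca.cert "$env:TEMP\ca-live.cer" | Out-Null
$orig = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$BackupDir\ca-original.cer"
$live = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$env:TEMP\ca-live.cer"
if ($orig.Thumbprint -ne $live.Thumbprint) {
    throw "Running CA ($($live.Thumbprint)) is not the original CA ($($orig.Thumbprint))"
}
"CA identity preserved: $($live.Subject) / $($live.Thumbprint)"

# 7. Verify the path: a certificate issued BEFORE the move (assumed sample file)
#    must still build a chain, including a successful CRL fetch from its CDP.
#    Inspect the output for revocation or chain errors.
certutil -verify -urlfetch "$BackupDir\issued-before-move.cer"
```

The two halves run on different hosts; carry the backup directory across on protected media, since the PFX is the root's private key. If the name must change, as in al's case, the exported registry carries CAServerName and any CDP/AIA URLs that embed the old host name, and those need editing before import, with CRLs still published where the already-issued certificates expect to find them; that is the part the answer above warns about. A CA reinstalled with a freshly generated key fails the thumbprint check in step 6, which is exactly why old certificates stop chaining to it.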
 
Opti_mystic said:
Performing a backup/restore of the CA database is not difficult, but are you saying that the CA server's name needs to change? Because if the CA server's name changes then you may have a problem. I would try to keep the server's name the same. Is this a true Root CA, in that you have only used it to issue certs to other CA servers? Or have you issued certificates to users, machines, etc., from this server? The reason I ask is to determine the scope of the potential problem. I have had poor success in moving a CA database to another server with a different name elsewhere in the environment. However, I have had good results moving the CA database to another server with the same name and IP address.

It's going to a different, existing server, so it gets a new computer name, and there's no way around it unfortunately. It is also a true Root CA and only issues subordinate certs. I've actually gone and installed a new Enterprise Root CA and removed the old one now. The subordinate CA had problems anyway and the services wouldn't start, so I've imported the new root CA into its trusted store and reinstated it as a new enterprise subordinate CA to the new root CA. On the new root CA I've done a restore from my original one's key backup so it has both keys.

Not sure if I've done the right thing or not. The new structure works, but I'm not sure about clients with old certificates still authenticating (we use them for the VPN server to do L2TP/IPsec tunnels). I haven't managed to request a new local cert for the VPN server yet from the new sub CA. I think it will still work with the old clients now; it certainly doesn't yet work with the new ones. I'm hoping it will work with both if I can get it to request a new local cert and keep the old local cert too.

Does this make sense? Have I buggered it all up!?
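
Whether clients still holding certificates from the original root can authenticate comes down to two things on the VPN server: the original root certificate must still be in its trusted root store, and a chain must build for each certificate involved. The script below is an added example, not from the thread; it reads the standard LocalMachine certificate stores on the VPN server, and the client certificate file path is an assumption. It checks with online revocation, which is stricter than Windows IPsec's default (by default only a positive revocation fails the handshake; an unreachable CRL does not), so a chain that fails only with RevocationStatusUnknown or OfflineRevocation points at the old CA no longer publishing a CRL at the CDP in those certificates rather than at a broken trust path.

```powershell
# Added example (not from the thread): on the VPN server, report which root each
# machine certificate chains to, whether that root is in the trusted root store,
# and whether the chain builds with online revocation checking.
# The client .cer path below is an assumption.

$TrustedRoots = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object Thumbprint

function Test-CertificateChain {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'        # fetch CRLs from the CDP URLs in the certs
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'   # roots are self-signed; there is no CRL for them
        $valid = $chain.Build($Cert)
        $root  = if ($chain.ChainElements.Count -gt 0) {
                     $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
                 }
        [pscustomobject]@{
            Subject     = $Cert.Subject
            NotAfter    = $Cert.NotAfter
            Issuer      = $Cert.Issuer
            Root        = if ($root) { $root.Subject } else { '(no chain)' }
            RootTrusted = [bool]($root -and ($TrustedRoots -contains $root.Thumbprint))
            ChainValid  = $valid
            Problems    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $chain.Dispose()
    }
}

# The VPN server's own certificates: the old one from the original chain and,
# once issued, the new one from the new subordinate CA should both appear here.
Get-ChildItem Cert:\LocalMachine\My | Test-CertificateChain | Format-Table -AutoSize

# A certificate exported from an old VPN client (assumed path), checked the same way.
$ClientCer = 'C:\Temp\old-vpn-client.cer'
if (Test-Path $ClientCer) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ClientCer |
        Test-CertificateChain | Format-List
}

# Which roots the server currently trusts, so the original root can be found
# (or found missing) by name and thumbprint.
Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, NotAfter, Thumbprint
```

Two rows matter in the output: the server certificate issued under the original root must show RootTrusted true and ChainValid true for old clients to keep working, and a client certificate from the old root must do the same. If the old root is absent from the Root store, importing it there restores the trust path; if the only problem reported is revocation-related, the old CA's CRL is what is missing.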

