    Certificate Authority Quagmire

    IT Discussion
    17 Posts 4 Posters 1.5k Views
    • Grey @Dashrender

      @Dashrender said in Certificate Authority Quagmire:

      That seems weird. Why would you import a certificate from another Active Directory server instead of making a new one or requesting a new one?

      I can advise, suggest and document, but at the end of the day I still have to work with what I have and follow the business directive. Unfortunately, this is one of those times.

      • Obsolesce

        Have you had a chance to replace the certificate yet?

        • Grey @Obsolesce

          @Tim_G said in Certificate Authority Quagmire:

          Have you had a chance to replace the certificate yet?

          I have a new wildcard cert. I'm not sure I want to use that on the DC. Has anyone done that? I'm unsure if it's a best practice or not.

          • Obsolesce

            On the DC, can't you request another one from your CA via certlm.msc?

            • Grey @Obsolesce

              @Tim_G said in Certificate Authority Quagmire:

              On the DC, can't you request another one from your CA via certlm.msc?

              The DC is the CA.

              • Obsolesce @Grey

                @Grey said in Certificate Authority Quagmire:

                @Tim_G said in Certificate Authority Quagmire:

                On the DC, can't you request another one from your CA via certlm.msc?

                The DC is the CA.

                Not good... But I guess it is what it is. So let's just focus on fixing it.

                Is starting over an option?

                If not...
                How is your PKI set up? How many tiers? From where did you import the wrongly named cert?

                • Grey @Obsolesce

                  @Tim_G said in Certificate Authority Quagmire:

                  @Grey said in Certificate Authority Quagmire:

                  @Tim_G said in Certificate Authority Quagmire:

                  On the DC, can't you request another one from your CA via certlm.msc?

                  The DC is the CA.

                  Not good... But I guess it is what it is. So let's just focus on fixing it.

                  Is starting over an option?

                  If not...
                  How is your PKI set up? How many tiers? From where did you import the wrongly named cert?

                  No. Unsure; I inherited this and I'm hazy on CAs. A previous DC was in use and is decommissioned, but the old cert was imported to keep some Cisco products from complaining.

                  • Obsolesce @Grey

                    @Grey said in Certificate Authority Quagmire:

                    @Tim_G said in Certificate Authority Quagmire:

                    @Grey said in Certificate Authority Quagmire:

                    @Tim_G said in Certificate Authority Quagmire:

                    On the DC, can't you request another one from your CA via certlm.msc?

                    The DC is the CA.

                    Not good... But I guess it is what it is. So let's just focus on fixing it.

                    Is starting over an option?

                    If not...
                    How is your PKI set up? How many tiers? From where did you import the wrongly named cert?

                    No. Unsure; I inherited this and I'm hazy on CAs. A previous DC was in use and is decommissioned, but the old cert was imported to keep some Cisco products from complaining.

                    You still need to renew the certificate. You can do it in CA management.

                    • Grey

                      Is there an article for that on TechNet? I don't want to screw it up.

                      • Obsolesce

                        Do you have an offline root CA, or do you just have a single CA that does it all: certificate issuing, CDP, etc.?
