Certificate Authority Servers Cannot Be Renamed or Removed from Network (231182)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q231182

SYMPTOMS

A Windows 2000 server that functions as a Certificate Authority (CA) server cannot be renamed without invalidating the certificates that it has issued. This applies to both Enterprise CAs and stand-alone CAs.

Enterprise CA servers are domain controllers or member servers that use DNS and Active Directory to store their certificate information for replication to other domain controllers. The Enterprise Root CA and the Enterprise Subordinate CAs under it must not change their names; if they do, certificates throughout the enterprise can no longer be validated back to the root.

CAUSE

The name of the CA server is bound to the certificates that the CA has issued. Therefore, the server name cannot be changed without revoking all certificates.

RESOLUTION

Before implementing a CA server, plan factors such as organization naming schemes and future requirements for subordinate CAs so the CA hierarchy can be a part of the naming scheme.

Back up the certificates by using the Certificate Services Backup feature. They can be restored at a later time.

In case of disaster recovery, restore the backup tape to a server with identical hardware. When the Certificate service starts with the proper registry entries in place from the tape backup, the certificates will still be valid on the network.

STATUS

This behavior is by design.

MORE INFORMATION

Local CA servers hold their information locally, use local policies, and store certificate information in a local database. Therefore, a CA is more than a server of the same name on the network. Performing regular tape backups of the server is a reliable way to be able to restore the CA without losing all certificates.

Modification Type: Major
Last Reviewed: 11/13/2003
Keywords: kbenv kbprb KB231182