Replacing a failed CA
-
Going back to a post I had up here about restoring a domain trust on a CA (which I was never able to successfully perform), there are some lingering issues. In particular my DCs were issued certs by the now defunct CA. I do not have a way to revoke those certs that I can find (perhaps using certutil...hmm). Any suggestions on how to get my DCs to stop using the certs pointed at the old CA so that they can autoenroll using the new CA?
-
Take a look at this:
https://support.microsoft.com/en-us/help/889250/how-to-decommission-a-windows-enterprise-certification-authority-and-r
It should be able to help you and then you can auto enroll in the new CA.
-
@kelly In what way is your DC using certificates?
-
@tim_g said in Replacing a failed CA:
> @kelly In what way is your DC using certificates?
Domain Controller Authorization and Domain Controller.
I ended up just deleting the certs within CertMgr on the DCs themselves, and then requesting new ones. It appears to have fixed the problem.
-
Now to fix the issue with our Macs not wanting to authenticate via RADIUS.
-
@kelly said in Replacing a failed CA:
> @tim_g said in Replacing a failed CA:
>> @kelly In what way is your DC using certificates?
> Domain Controller Authorization and Domain Controller.
> I ended up just deleting the certs within CertMgr on the DCs themselves, and then requesting new ones. It appears to have fixed the problem.
I was wondering if it would simply be that simple.
-
@dashrender said in Replacing a failed CA:
> @kelly said in Replacing a failed CA:
>> @tim_g said in Replacing a failed CA:
>>> @kelly In what way is your DC using certificates?
>> Domain Controller Authorization and Domain Controller.
>> I ended up just deleting the certs within CertMgr on the DCs themselves, and then requesting new ones. It appears to have fixed the problem.
> I was wondering if it would simply be that simple.
I was leery of doing it at first since I didn't know what all was tied to those certs. In the end I just decided to go for it.
-
@kelly said in Replacing a failed CA:
> @dashrender said in Replacing a failed CA:
>> @kelly said in Replacing a failed CA:
>>> @tim_g said in Replacing a failed CA:
>>>> @kelly In what way is your DC using certificates?
>>> Domain Controller Authorization and Domain Controller.
>>> I ended up just deleting the certs within CertMgr on the DCs themselves, and then requesting new ones. It appears to have fixed the problem.
>> I was wondering if it would simply be that simple.
> I was leery of doing it at first since I didn't know what all was tied to those certs. In the end I just decided to go for it.
You could always export the cert first before deleting it. That way you can always put it back.
-
@tim_g said in Replacing a failed CA:
> @kelly said in Replacing a failed CA:
>> @dashrender said in Replacing a failed CA:
>>> @kelly said in Replacing a failed CA:
>>>> @tim_g said in Replacing a failed CA:
>>>>> @kelly In what way is your DC using certificates?
>>>> Domain Controller Authorization and Domain Controller.
>>>> I ended up just deleting the certs within CertMgr on the DCs themselves, and then requesting new ones. It appears to have fixed the problem.
>>> I was wondering if it would simply be that simple.
>> I was leery of doing it at first since I didn't know what all was tied to those certs. In the end I just decided to go for it.
> You could always export the cert first before deleting it. That way you can always put it back.
Too late for that... cough
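-
Added example, not part of any post in the thread: the export-then-delete-then-re-enroll sequence discussed above, scripted for the local machine store of a DC. The CA name `OLD-CA-PLACEHOLDER` and the backup folder are assumptions to replace with your own values.

```powershell
# Added example; $OldCaName and $BackupDir are placeholders, not values from the thread.
param(
    [string]$OldCaName = 'OLD-CA-PLACEHOLDER',
    [string]$BackupDir = 'C:\CertBackup',
    [switch]$Remove    # without -Remove the script only inventories and exports
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Machine certificates whose issuer DN contains the old CA's common name
$old = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$OldCaName*" }
if (-not $old) { Write-Output "No certificates issued by $OldCaName found."; return }

# Keep a record of thumbprints and serial numbers before anything changes
$old | Select-Object Thumbprint, SerialNumber, Subject, Issuer, NotAfter, HasPrivateKey |
    Export-Csv -Path (Join-Path $BackupDir 'old-ca-certs.csv') -NoTypeInformation

$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for PFX backups'

foreach ($cert in $old) {
    $base = Join-Path $BackupDir $cert.Thumbprint
    try {
        # Works only when a private key is present and marked exportable
        Export-PfxCertificate -Cert $cert -FilePath "$base.pfx" `
            -Password $pfxPassword -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "$($cert.Thumbprint): no exportable key, saving public certificate only"
        Export-Certificate -Cert $cert -FilePath "$base.cer" | Out-Null
    }
    if ($Remove) {
        Remove-Item -Path $cert.PSPath   # removes the certificate from the store
    }
}

if ($Remove) {
    certutil -pulse            # trigger autoenrollment against the new CA
    Start-Sleep -Seconds 30    # give enrollment a moment before checking
}

# Confirm which CA issued what is in the store now
Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Issuer, NotAfter
```

Run it once without `-Remove` to review the CSV, then again with `-Remove`. Any `.pfx` files it writes contain DC private keys, so keep the backup folder access-restricted and delete it once the new certificates are confirmed working.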