travis' brain dump


Moving Certificate Services without disturbing the old CA

by on Feb.17, 2023, under General, Tech Stuff

So, a buddy of mine is working on a project where he needs to move his CA. I tried looking for the article that outlined the process I followed, but alas, I was unsuccessful. What does that mean!? It means I’m writing an article. 🙂

So, scenario… you’re rocking an old CA that someone installed on your local DC. For whatever reason, you don’t like this and need to move. Easy! (sort of) There are a lot of different moving parts here and a lot of assumptions I’m going to skip past, as the meat of the issue to be resolved is really just shifting the services from one CA to another. In my own experience, I typically deploy an offline root CA and an online subordinate CA and maybe (depending on the size of the environment) other servers to handle different roles such as NDES, SCEP, etc., or maybe you want to change your naming convention a bit and do something like pki.domain.com in your environment. However, we’re not covering any of that today, just the migration of CA requests from one CA to another. If you REALLY want me to write a post on any of the above, send me a note. My email is very similar to my site, just add an @ in place of a ‘.’ … just sayin. 😉

Assumptions:

  1. You’ve deployed a new CA or pair of CAs into your environment.
  2. The old CA is running on an old DC or old Server you want to get rid of.
  3. You’re not doing anything crazy with your CA, just basic usage as I will not be covering identification of specific certificate template and version usage in this article.

USUAL DISCLAIMER: While these steps have worked for me, they may not work for you. I’m not responsible for you nuking your environment. 🙂 

Steps to complete the move:

  1. Log in to your old CA (as an Enterprise Administrator) and identify your AIA and CDP configuration, just to make sure it doesn’t differ from the standard.
    1. Open the Certification Authority Console
    2. Right Click the CA name and click ‘Properties’
    3. Click on the ‘Extensions’ Tab
    4. Document the distribution information for both your AIA and CDP portions. You can ignore the LDAP stuff, what you’re looking for looks similar to the following:
      1. CDP –
        http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
        file://\\<ServerDNSName>\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
      2. AIA –
        http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
        file://\\<ServerDNSName>\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
  2. Disable the Delta CRL and issue a long-lived Certificate Revocation List (CRL)
    1. Open the Certification Authority Console
    2. Right Click ‘Revoked Certificates’ and click ‘Properties’
    3. Uncheck ‘Publish Delta CRL’
    4. Change the value for “CRL Publication Interval” to 20+ years.
    5. Open a command line in admin mode and run ‘certutil -crl’ to issue the new list.
  3. Copy the old CA cert and CRL list files to your new server.
    1. Navigate to Windows\System32\CertSrv\CertEnroll on the original CA
    2. Copy the Root Certificate crt file and the certificate revocation list crl file to the new server in the same location.
      (or whatever folder you chose to use for publishing your certificates via IIS on the new server) DO NOT RENAME THESE!
  4. Redirect the AIA and CRL distribution points of the old CA to the new CA.
    You can accomplish this with a DNS redirect (preferred) that points the old CA’s host name at the new CA, so that requests for http://oldserver.domain.com/CertEnroll/certificate.crt and certificate.crl still succeed. This is done so that the CDP and AIA URLs recorded in previously issued certificates remain reachable: when a client checks revocation or builds the chain from the certificate metadata, the URL will still resolve and return the right file. Keep in mind that the old host name can only be repointed in DNS once nothing else answers on it, so if the old CA is also a domain controller this step lands with the decommission in step 8. This is also why you DO NOT want to rename your old cert and CRL from step 3. They *MUST* match entirely with the previously published information you collected in step 1.4.
  5. Document all templates in use that are stored in AD, then remove them from the old CA to prevent any future issuance based on those templates.
    ALL templates must be disabled/removed. Once completed, the old CA will no longer be able to issue new certificates.

    1. Open an administrative command prompt on the old CA and execute ‘certutil -catemplates > c:\temp\catemplates.txt’ to get a full list of the templates.
    2. Launch the CA console on the old CA and navigate to ‘Certificate Templates’
    3. Make note of all leveraged certificate templates in this list.
    4. Highlight all of the templates in the list, right-click and select ‘delete’; this will not delete your templates from AD!
  6. There may be a case here where you’ve got some oddities. In most cases all of your certs should be good, but occasionally you may wish to issue specific certificates that didn’t fall into the default category immediately from the new CA. Review the certificate templates used to issue active certificates by looking at the ‘Issued Certificates’ section and look for anything that doesn’t match the default certificate templates (this is an older link, but the list should still be valid: Default Certificate Templates). In most cases I don’t think you need to do this, but every now and then there’s some oddity out there that’s worth at least being aware of. Auto-enrolled certificates do not apply here even if you did some custom stuff.
  7. Activate the leveraged CA Templates in the new CA.
    1. Log in to the new CA and open the CA console as an Enterprise Administrator.
    2. Right-Click ‘Certificate Templates’, click ‘New’ then click ‘Certificate Template to Issue’
    3. Choose all the templates you documented in step 5.3 and click ‘OK’
  8. Disable/Remove the CA role from the old system. You can do this step immediately upon testing that the new CA is issuing certificates, or you can wait a few days. Since you removed the templates from the old CA you will not be issuing new certificates, but sometimes I like to leave it up for a few days to reference anything that may come up should I have missed something. In regard to the old CA cert and CRL files, I usually look at the latest expiration date of issued certificates on the old CA prior to decommissioning and record/set a reminder for when that date comes and goes, so that I can clean up the old CA cert and CRL files from within the new CA at that time. No sense in letting it hang around if you’re not using it. 🙂
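As an added example (not part of the original post), here is a PowerShell check to run from a domain-joined client once the steps above are done: it reads the CDP and AIA URLs out of a certificate the old CA issued, confirms each http URL still answers from the redirected name with the unrenamed files from step 3, and verifies that the long CRL from step 2 outlasts the latest expiration date you recorded in step 8. The certificate path and the expiry date are assumed inputs; only certutil and standard cmdlets are used.

```powershell
<#
  Added example (not from the post): verify the CA move from a domain-joined client.
  Inputs are assumptions: a .cer exported from the old CA's 'Issued Certificates'
  view, and the latest NotAfter date recorded in step 8.
#>
param(
    [Parameter(Mandatory)] [string]   $CertPath,            # e.g. C:\temp\old-ca-issued.cer
    [Parameter(Mandatory)] [datetime] $LatestIssuedExpiry   # latest NotAfter from step 8
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Collect the http URLs from the CRL Distribution Points (2.5.29.31) and Authority
# Information Access (1.3.6.1.5.5.7.1.1) extensions; LDAP entries are ignored, as in step 1.
$urls = New-Object System.Collections.Generic.List[string]
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($null -eq $ext) { continue }
    foreach ($m in [regex]::Matches($ext.Format($true), 'http://\S+')) { $urls.Add($m.Value) }
}

$failed = 0
foreach ($url in $urls) {
    # The redirected old host name must still serve the unrenamed .crt/.crl from step 3.
    try {
        $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -ErrorAction Stop
        Write-Host ("OK   {0} ({1})" -f $url, $resp.StatusCode)
    } catch {
        Write-Warning ("FAIL {0}: {1}" -f $url, $_.Exception.Message)
        $failed++
        continue
    }
    if ($url -notlike '*.crl') { continue }

    # Download the CRL and read NextUpdate via certutil -dump; it must be later than the
    # last certificate the old CA issued, or revocation checking breaks before they expire.
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetFileName($url))
    Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing
    $dump = certutil -dump $tmp | Out-String
    if ($dump -match 'NextUpdate:\s*(.+)') {
        $next = [datetime]::Parse($Matches[1].Trim())
        if ($next -lt $LatestIssuedExpiry) {
            Write-Warning "CRL $url expires $next, before the last issued cert ($LatestIssuedExpiry)"
            $failed++
        } else {
            Write-Host "OK   CRL $url valid until $next"
        }
    } else {
        Write-Warning "Could not read NextUpdate from $tmp"; $failed++
    }
}
exit $failed
```

A non-zero exit code means either a distribution point is unreachable from the client or the CRL will lapse before the last old-CA certificate does.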


I hope this helps someone out there to not be too scared of moving some CA roles around. There are a couple of different ways you can do this, but I found that this method worked best for me when I wanted to preserve the old CA (albeit not issuing) for a little while to track down anything strange that may pop up.


when a vacation yields you finally fixing your blog

by on Oct.27, 2019, under General, Personal

Ok, so… anyone who has visited my site in the last year has probably tapped their fingers on the desk for more than a few moments waiting for content to load. Well, you weren’t the only one and I’m pretty sure that was one of the reasons why I didn’t update more content out here. It’s been just as much a pain for me, but I’ve lacked the time to actually dig into it and figure out what’s going on.

With my vacation ending today, I figured I’d do one more me thing before I return to work tomorrow… So with that, I’m pleased to say the site is working much cleaner now that I’ve slimmed down some of the plugins, removed outside sources from loading content to the blog, upgraded and tweaked PHP significantly and did some pretty neat stuff with the SQL backend. In short, I believe I became a victim of bloating my own blog and essentially shot myself in the foot because of it.

So… will I get to posting useful items anytime soon? I honestly don’t know. I’d like to think I will, but given the last year and my work schedule working through a large merger, I really got burned out and didn’t want to do anything “personal” in the technology world. The sad part? I usually dump stuff here that I know I’ll forget, and I’ve forgotten quite a bit of the cool stuff I figured out over the last year because I didn’t dump it off here for reference later. It may work out; I’ll probably end up repeating some of this work as we prepare to do some similar activities in moving objects around our domain, into the cloud and into a dumpster, so we’ll see. 🙂

For now, one less thing to haunt me, lol.


SCVMM Error 12711

by on May.19, 2017, under General

So while working on some virtual machines in the clusters we’ve been upgrading, I’ve run across this error a couple of times and figured it merited a post, as one of the errors thrown in the mix wasn’t easily found in any solution online.

Primary Error Description:

Error (12711)
VMM cannot complete the WMI operation on the server (CLUSTERNAME) because of an error: [MSCluster_ResourceGroup.Name="12df9151-eb2a-46e7-8a3e-58ae746b8783"] Not found
Unknown error (0x1002)

-or-

Error (12711)
VMM cannot complete the WMI operation on the server (CLUSTERNAME) because of an error: [MSCluster_ResourceGroup.Name="12df9151-eb2a-46e7-8a3e-58ae746b8783"] The cluster resource could not be found
The cluster resource could not be found (0x138F)

0x138F can be resolved by running the following in the VMM PowerShell (the -c switch is short for -Cluster):

Get-ClusterResource -c CLUSTER.FQDN | Where {$_.ResourceType.Name -eq 'Virtual Machine Configuration'} | Update-ClusterVirtualMachineConfiguration

0x1002 may require a little more involved work. However, before we dig into that one, make sure it’s not just some WMI problem on the host holding the cluster resources. Go into Failover Cluster Manager, right-click the cluster, open ‘More Actions’ and move the core cluster resources to any other host. If this clears it up, great. If not, continue forward.

I’ve had some success with pulling the resource and re-registering it. To accomplish this, you’ll need to remove the cluster resource and bring it back in as an update won’t cut it.

In Failover Cluster Manager, find the virtual machine under Roles. Right-click the resource and remove the item. This won’t delete the VM, but will remove the resource from the cluster and return it to the host it’s running on as a regular VM.

Once removed, expand the cluster name, right-click ‘Roles’ and select ‘Configure Roles’. In the list presented, select ‘Virtual Machine’ and click ‘Next’. You should see the machine you just removed in the list. Select it and complete the wizard to bring the resource back into the cluster. From VMM you should now be able to right-click the machine and select ‘Repair’ and then ‘Ignore’ to resolve the issue.
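The same remove/re-add for the 0x1002 case, as an added PowerShell example that is not part of the original post: run from an elevated prompt on a cluster node with the FailoverClusters module. It first reports the VM Configuration resource and owning group matching the GUID quoted in the 12711 error, and only removes and re-creates the role when -Fix is given. The cluster name, GUID and VM name are placeholders, and the assumption that the error’s GUID equals the resource or group Id is mine, so check the group name it prints before using -Fix.

```powershell
# Added example, not from the post: the 0x1002 remove/re-add done from PowerShell.
# Assumption: the GUID in the 12711 error matches the Id of the VM Configuration
# resource or of its owning group; without -Fix the script only reports what it found.
param(
    [Parameter(Mandatory)] [string] $Cluster,       # e.g. CLUSTER.FQDN (placeholder)
    [Parameter(Mandatory)] [string] $ResourceGuid,  # GUID quoted in the 12711 error
    [Parameter(Mandatory)] [string] $VMName,        # Hyper-V name of the affected VM
    [switch] $Fix
)
Import-Module FailoverClusters

# Locate the 'Virtual Machine Configuration' resource that the error refers to.
$cfg = Get-ClusterResource -Cluster $Cluster |
    Where-Object { $_.ResourceType.Name -eq 'Virtual Machine Configuration' -and
                   ($_.Id -eq $ResourceGuid -or $_.OwnerGroup.Id -eq $ResourceGuid) }
$group = $null
if (-not $cfg) {
    Write-Warning "No VM Configuration resource matches $ResourceGuid; it may already be gone"
} else {
    $group = Get-ClusterGroup -Cluster $Cluster -Name $cfg.OwnerGroup.Name
    Write-Host ("Group '{0}' on {1} is {2}" -f $group.Name, $group.OwnerNode, $group.State)
    $group | Get-ClusterResource | Format-Table Name, ResourceType, State -AutoSize
}

if (-not $Fix) { return }

# Equivalent of 'Remove' in Failover Cluster Manager: only the cluster objects go,
# the VM itself stays on its current host. Then re-create the role, which is what
# 'Configure Roles' > 'Virtual Machine' does in the GUI.
if ($group) {
    Remove-ClusterGroup -Cluster $Cluster -Name $group.Name -RemoveResources -Force
}
Add-ClusterVirtualMachineRole -Cluster $Cluster -VirtualMachine $VMName
```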

This issue is provided as-is with no warranty and if you end up deleting your VM, you’re on you own. 🙂 


DayZ SA – Moving configuration/profile files

by on Jan.25, 2014, under Gaming, General

Ok, so I ran into an issue with my settings in DayZ Stand Alone. It would seem that no matter how hard I tried, it just wouldn’t keep my settings. So this morning I spent some time figuring out just what was going on. While I don’t think this will apply to the majority of folks out there, it may be useful if you happen to want to move your files, for some odd reason. 🙂

DayZ SA stores its files in %USERNAME%\Documents\DayZ. If for some reason you can’t write there from the game, you need to tell DayZ where to place these files. In my case, I have redirected folders so it forces the users on my network (read: family) to save files into a network share because I can’t stand keeping files locally. I’m a geek, leave me alone.

DayZ SA can be launched with many of the same command line options as Arma II so I figured I’d try a few out and here’s what I’ve come up with.

-profiles=D:\SteamLibrary\SteamApps\profiles -nosplash -noPause

You can set these options via the Steam client by right-clicking DayZ in your Library and selecting ‘Properties’. From the General tab, select ‘Set Launch Options…’ and plug in what you’d like.

Obviously, if you already have working profiles/config/etc. you can just copy your data down there; otherwise, if you’re having the same problem I was, you have no data to put there, so let DayZ recreate its tree under there. Hope this helps someone. 🙂
