Certificate Authority Servers Cannot Be Renamed or Removed from Network

• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server

SYMPTOMS

A Windows 2000 server functioning as the Certificate Authority (CA) server cannot be renamed, or the certificates that it has granted become invalid. This includes both Enterprise CAs and stand-alone CAs.

Enterprise CA servers are domain controllers that use DNS and Active Directory to store their certificate information for replication to other domain controllers. The Enterprise Root CA and Enterprise Subordinate CAs under the Root CA must not change their names, or the certificates throughout the enterprise will not be able to be validated back to the root.

CAUSE

The name of the CA server is bound to the certificates that the CA has issued. Therefore, the server name cannot be changed without revoking all certificates.

RESOLUTION

Before implementing a CA server, plan factors such as organization naming schemes and future requirements for subordinate CAs so the CA hierarchy can be a part of the naming scheme.

Back up the certificates by using the Certificate Services Backup feature. They can be restored at a later time.

In case of disaster recovery, restore the backup tape to a server with identical hardware. When the Certificate service starts with the proper registry entries in place from the tape backup, the certificates will still be valid on the network.

STATUS

This behavior is by design.

MORE INFORMATION

Local CA servers hold their information locally, use local policies, and store certificate information in a local database. Therefore, the CA is more than just having a server of the same name on the network for Certificate Authority. Performing regular tape backups of the server is a reliable way of being able to restore the CA without losing all certificates.

Additional query words: Digital Signatures Authority

Keywords : kbenv
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbprb