When planning a certificate services migration from CAs running Windows Server 2003 to CAs running Windows Server 2012 R2, there are several things you should watch out for.
Some of these (and certainly not all of them) include:
- What to do about your organization's root CA
- What to do about CRL distribution points
- What to do about existing certificates
Consider the following: a certificate carries the information a relying party needs to check that it is still valid, namely who issued it and where to fetch the issuer's certificate and CRL. This poses a challenge because many certificates have multi-year lifespans. The chain of trust depends on every link further up the chain remaining valid. If you retire the root CA without taking the appropriate precautions (for example, removing it from the trusted root stores or letting its CRL lapse), every certificate that chains to that root fails validation.
This also causes issues around the migration of CRL distribution points. A CRL distribution point must remain available, with a current CRL published to it, until every certificate that references it has expired or been replaced. If you deploy certificates with multi-year lifespans, you'll need to keep the CRL distribution point accessible for the full lifespan of those certificates, even after the CA that issued them has been retired.
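The two problems above can be measured before you migrate. The following PowerShell is an added example, not part of the original post: for every certificate in a store it builds the chain with online revocation checking (so a removed root shows up as UntrustedRoot, and an unreachable CDP as RevocationStatusUnknown or OfflineRevocation), and it reads the CRL Distribution Points extension to work out the latest date each CDP URL must stay reachable. It assumes Windows PowerShell with the .NET X509 classes; the function names and the text-based parsing of the formatted extension are this example's own simplifications.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell, where
# AsnEncodedData.Format() renders the CDP extension as readable text with "URL=" entries.

function Test-CertificateChainHealth {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation for every link in the chain, fetching CRLs from the CDPs.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject = $Certificate.Subject
        Valid   = $ok
        # UntrustedRoot: the root is gone from the trust store.
        # RevocationStatusUnknown / OfflineRevocation: a CDP could not be reached.
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

function Get-CdpRetirementSchedule {
    param(
        # Store to inspect; 'Cert:\LocalMachine\My' and 'Cert:\LocalMachine\CA' are typical.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $cdpOid = '2.5.29.31'   # id-ce-cRLDistributionPoints
    $schedule = @{}

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
        if (-not $ext) { continue }

        # Format($true) yields multi-line text such as "URL=http://crl.example/root.crl".
        # Regex over that text is a simplification; a full ASN.1 decode would be more robust.
        $text = $ext.Format($true)
        $urls = [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

        foreach ($url in $urls) {
            # Keep the latest NotAfter seen for each CDP: that is how long it must stay online.
            if (-not $schedule.ContainsKey($url) -or $cert.NotAfter -gt $schedule[$url].KeepUntil) {
                $schedule[$url] = [pscustomobject]@{
                    Cdp       = $url
                    KeepUntil = $cert.NotAfter
                    Example   = $cert.Subject
                }
            }
        }
    }

    $schedule.Values | Sort-Object KeepUntil -Descending
}

# Usage: chain health for every certificate in the store, then the CDP schedule.
Get-ChildItem -Path 'Cert:\LocalMachine\My' | ForEach-Object { Test-CertificateChainHealth -Certificate $_ } | Format-Table -AutoSize
Get-CdpRetirementSchedule -StorePath 'Cert:\LocalMachine\My' | Format-Table -AutoSize
```

Run the schedule query against each store that holds issued certificates (and against a sample of client machines, since their stores reference the same CDPs); the largest KeepUntil per URL is the earliest date you can safely take that distribution point offline.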
In the next few posts we’ll cover how you can deal with each of these problems.