We have a Subordinate CA that is servicing our AD domain. For reasons of tidiness, we want to change the OU that the Sub CA is in. I know that you can't do things like change the name of the Sub CA or change its IP address. Has anyone successfully changed the OU of a Sub CA, or know a reason why we can't do it?
1 Answer (score 4)
Changing the OU where the computer account of an Enterprise (root or sub) CA is located should have no impact whatsoever on the CA service (*).
All CA-specific information is stored elsewhere in Active Directory, not in the computer object itself.
Also, the CA service doesn't care about the IP address of the server (**); only the computer name and the domain membership can't be changed.
(*) Of course, as always be careful about applied GPOs.
(**) However, the network could care a lot, e.g. if the server is behind a firewall and/or a reverse proxy.

Massimo
- Agreed. Usually, where there are problems, they are with the CRL/CDP locations. So technically changing an IP, if the CRL were on the same host and there was a firewall rule... could be breakage. Depends on the usage. Small environments are probably fine; complex ones are where the CRL problems happen. I'm only saying this because I've been through a few million $ outages for CRLs. – Greg Askew Aug 23 '22 at 19:46
- @GregAskew I actually thought about that, but I didn't want to add too much complexity to my answer by mentioning too many edge cases; of course, my meaning was "the CA service doesn't care about the IP address of the server, although it's perfectly possible the network *does*". Footnote added for clarity. – Massimo Aug 23 '22 at 20:04
- I had to build a CA which actually needed its web services to be exposed to the Internet (although with heavy firewalling); changing *its* IP address would indeed have been an issue. https://serverfault.com/questions/1005993/error-enrolling-kerberos-authentication-certificate-in-a-sparse-network – Massimo Aug 23 '22 at 20:19
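The answer's point (the CA's own data lives in the Configuration partition, not in the computer object) and Greg Askew's caveat about CDP/CRL locations can both be checked before and after the move. The following PowerShell script is an added example and is not part of the question, the answer, or the comments. It assumes a CA host named `CA01`, a CA configuration string `CA01.corp.example\Corp Issuing CA`, a destination OU `OU=PKI,OU=Servers,DC=corp,DC=example` (all placeholders), that it runs with domain-admin rights and the RSAT ActiveDirectory module, and that `certutil` can reach the CA. It records the Enrollment Services objects and the CDP/AIA URLs, moves only the computer account, then verifies the CA objects are unchanged, the service still answers, and the published CRLs are still fetchable.

```powershell
# Added example (not from the original Server Fault thread). Assumptions: the CA host is
# CA01 in domain corp.example, the destination OU already exists, this runs as a domain
# admin with the RSAT ActiveDirectory module installed, and certutil reaches the CA via
# -config. Replace the three placeholders below for your environment.
Import-Module ActiveDirectory

$CaHost   = 'CA01'                                   # placeholder: CA computer name
$CaConfig = 'CA01.corp.example\Corp Issuing CA'      # placeholder: "host\CA common name"
$TargetOu = 'OU=PKI,OU=Servers,DC=corp,DC=example'   # placeholder: destination OU

# 1. Record the CA-specific objects stored in the Configuration partition.
#    These are what the CA service actually depends on; none of them live under
#    the computer account, so moving the account cannot touch them.
$configNc = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"
$caProps  = 'Name', 'dNSHostName', 'cACertificateDN', 'DistinguishedName'
$before = Get-ADObject -SearchBase $pkiBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
            -Properties dNSHostName, cACertificateDN | Select-Object $caProps

# 2. Record the CDP/AIA publication URLs so any hard-coded host, share or path
#    (the edge case raised in the comments) is visible before anything changes.
$cdpBefore = certutil -config $CaConfig -getreg CA\CRLPublicationURLs
$aiaBefore = certutil -config $CaConfig -getreg CA\CACertPublicationURLs

# 3. Move only the computer account.
$computer = Get-ADComputer -Identity $CaHost
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOu
$moved = Get-ADComputer -Identity $CaHost
"Computer object is now: $($moved.DistinguishedName)"

# 4. Verify the CA objects did not change and the CA service still answers.
$after = Get-ADObject -SearchBase $pkiBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
           -Properties dNSHostName, cACertificateDN | Select-Object $caProps
if (Compare-Object $before $after -Property $caProps) {
    Write-Warning 'Enrollment Services objects differ; investigate before continuing.'
} else {
    'Enrollment Services objects unchanged (as expected).'
}
certutil -config $CaConfig -ping              # RPC/DCOM reachability of the CA service

# 5. Confirm the CA certificate chain and published CRLs are still fetchable from
#    the CDP/AIA URLs recorded in step 2. Group policy linked to the new OU (the
#    answer's first footnote) is the usual source of a difference here, for
#    example a Windows Firewall rule that now blocks HTTP to the CDP host.
$cdpAfter = certutil -config $CaConfig -getreg CA\CRLPublicationURLs
if (Compare-Object $cdpBefore $cdpAfter) { Write-Warning 'CRLPublicationURLs changed.' }
certutil -config $CaConfig -ca.cert "$env:TEMP\cacert.cer" | Out-Null
certutil -verify -urlfetch "$env:TEMP\cacert.cer"   # each CDP/AIA URL is fetched and reported
gpresult /r /scope:computer                         # run on CA01: lists the GPOs now applied
```

Run step 1 and 2 first on their own and keep the output; if `certutil -verify -urlfetch` reports a URL as unreachable after the move but not before, the cause is almost certainly a GPO or firewall change tied to the new OU rather than the CA service itself, which is exactly the distinction the answer draws.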