4

My company has a Windows 2003 root certificate authority server which is used to generate client certificates for Remote Desktop Services logins, as well as certificates for internal HTTPS websites.

It recently developed some problems, and we would like to reboot the server.

Those problems are the inability to login remotely via Remote Desktop due to a "RPC server not available" error, and the lost ability to create new certificates. We tried stopping and restarting some of the services, but several of them remain stuck in the "stopping" phase. The server uptime is something close to a year and a half, and the assumption is that a restart ought to bring everything back up fresh.

However, several IT staff members are claiming that if we reboot the CA, all services on all servers (IIS, SQL Server, etc) will stop working until the system is back online.

I can't find any Microsoft documentation to support that position, but neither can I find any documentation that proves that there will not be any impact to running services.

Does anybody here know for certain what potential impact there may be for rebooting the company root CA server?

maweeras
  • 2,734
  • 2
  • 17
  • 23
ryandenki
  • 357
  • 7
  • 19
  • 1
    a restart shouldnt take more than 10 mins, so why not plan it for out of hours? also have you considered running a disk scan also – anthonysomerset Jul 25 '11 at 09:07

2 Answers2

7

This is simply not true. All certificates issued by the server are signed with it's private key. That signature is what's checked by clients using the public key certificate that has also been generated by the server and installed on the clients. Nothing needs to be verified on the server in order for connections to succeed. The only thing that would ever be checked is revocations. So go ahead and reboot it. In fact, go ahead and start installing security updates on it as well. Since you haven't rebooted it in a long time, I assume it hasn't been updated in a very long time. That's kind of worrisome...

Jason Berg
  • 19,084
  • 6
  • 40
  • 55
  • This is what I told them as well, but the non-technical staff members convinced the non-technical IT manager not to give authorization to do the reboot until I can provide technical documentation proving that there is no impact. They are convinced that there is some magical reason that CA server needs to be available continuously. The occasional CRL check is the only thing I can think of either, but they are, again, convinced that this may be constant and real-time, and are unwilling to take my word for it. I really need an official Microsoft web page saying so. – ryandenki Jul 27 '11 at 04:02
  • If your IT manager wants convincing, he may not find it from a Microsoft page. I think MS expects you to know the basics behind the technology and the basics tell you that the certificate server is not needed in order to verify the certificate. If he wants proof, offer demo it on your test network. – Jason Berg Jul 27 '11 at 05:01
  • Already did it on the demo network. :-/ – ryandenki Jul 28 '11 at 04:26
  • Already did it on the test network, but "It's not really the same, is it." ಠ_ಠ Yes. Yes it is. – ryandenki Jul 28 '11 at 04:31
  • OK. Pay Microsoft for a support call on your server. Verify with their technicians that you can reboot it without issues. The big upshot of this is that you'll have their assistance should a reboot not resolve the problem. – Jason Berg Jul 28 '11 at 05:10
0

I've rebooted one before. No problem to do that.

hookenz
  • 14,472
  • 23
  • 88
  • 143
  • I know that and you know that, but I need an official Microsoft document to prove that to people who don't know that. So far I haven't found any. – ryandenki Jul 27 '11 at 04:06