Spinning up a new Cetrificate Authority. Discovered old MSP installed ADCS on DC. Not sure how to approach this

Question

Im working as a sysadmin at a new company. Not too many people are familiar with the environment. I was tasked with setting up a proper CA.

I set up two servers, an offline Root CA and a domain joined subordinate CA. Both servers are Windows Server 2019. I setup my root as a non-domain joined offline root CA. After installing the root certificate on the subordinate, I opened mmc to add the enterprise PKI snap-in to test my work. It was then I discovered that there is already a CA in my environment! It appears that the MSP before us has installed the CA role on one of our DCs. It appears to be issuing certificates too.

I'm not entirely sure how to handle this. But I have a few good ideas. I think I should backup this discovered CA config and import the configuration to my subordinate CA. Another idea is to spin up a third server, which would be a second subordinate to my offline root, and then import the discovered CA's config to the third server.

My goal is to Uninstall the ADCS role from the domain controller and establish my new CA design with AD, essentially replacing the discovered CA with my own implementation. What is the best way to handle this delicate process?

Answer 1

You cannot rename the CA. That means you cannot take a backup and restore to another server with a different name.

What you can do though is stand up another CA, subordinate to your Root CA. Once your new CA is tested and fully operational, disable all templates on the old and enable them on the new.

It's at this point that you will be wishing that the previous incumbent had a good grasp of certificate life-cycle management and has left you with a list of all subscribers, certificate expiry, and point of contact etc. I suspect by the fact that the CA was installed on a DC, that this won't be the case though. The certutil.exe tool and/or some PowerShell scripting can help you extract some of that information from the CA database if you don't mind getting your hands dirty.

Depending on the outcome of the above, you now have to decide whether to try and force all subscribers to re-enrol using the new CA, or to just let the current certificates expire and subscribers will have to use the new CA when they re-enrol. Depending on the maximum permitted lifetime of a certificate, the latter could take a while.

Only once all subscribers have moved to the new CA can you uninstall the role from your DC. Do not be tempted to do this any earlier as the CA still needs to be issuing CRLs until the last subscriber has migrated to the new CA.

An alternative is to uninstall the DC from that box and leave it as just a CA. However, if like most organisations, you have a naming standard for your servers, then this would break that, and set off every admin's inner OCD.