Certificate Authority Servers Cannot Be Renamed or Removed from Network

This article was previously published under Q231182
This article has been archived. It is offered "as is" and will no longer be updated.
A Windows 2000 server functioning as the Certificate Authority (CA) server cannot be renamed, or the certificates that it has granted become invalid. This includes both Enterprise CAs and stand-alone CAs.

Enterprise CA servers are domain controllers or member servers that use DNS and Active Directory to store their certificate information for replication to other domain controllers. The Enterprise Root CA and Enterprise Subordinate CAs under the Root CA must not change their names, or the certificates throughout the enterprise will not be able to be validated back to the root.
The name of the CA server is bound to the certificates that the CA has issued. Therefore, the server name cannot be changed without revoking all certificates.
Before implementing a CA server, plan factors such as organization naming schemes and future requirements for subordinate CAs so the CA hierarchy can be a part of the naming scheme.

Back up the certificates by using the Certificate Services Backup feature. They can be restored at a later time.

In case of disaster recovery, restore the backup tape to a server with identical hardware. When the Certificate service starts with the proper registry entries in place from the tape backup, the certificates will still be valid on the network.
This behavior is by design.
More information
Local CA servers hold their information locally, use local policies, and store certificate information in a local database. Therefore, the CA is more than just having a server of the same name on the network for Certificate Authority. Performing regular tape backups of the server is a reliable way of being able to restore the CA without losing all certificates.
Digital Signatures Authority

Article ID: 231182 - Last Review: 10/26/2013 05:28:00 - Revision: 3.0

Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server

  • kbnosurvey kbarchive kbenv kbprb KB231182