Hello,
We have deployed a Server 2012 R2 DirectAccess infrastructure, single server, and we only use IP-HTTPS. Our clients are a mix of Windows 7 and Windows 10.
- Our DA server uses a public certificate on the IP-HTTPS tunnel
- We've deployed a new PKI to replace our existing one.
- I need to migrate our DA implementation (server/clients) to use certificates from the new PKI.
What would this process be?
I think I need to push computer certificates from the new PKI to all of our domain joined laptops that are enabled for DA before I change the certificates on the DA server itself otherwise how else can clients connect back?
- Are there any issues that could happen if a client computer has two certificates, one from old PKI and one from new? Will this break existing DA connectivity or will DA know which certificate to use?
- When I change the certificate on the DA server, to the new one from our new PKI, it will probably need to apply these updates to the GPOs; now will the DA clients need the updated GPO settings along with the updated certificates to work?
How can I do this with minimal downtime to our DA clients? I don't want to break DA connectivity for our mobile users on laptops, but I need to replace our existing PKI and get the DA infrastructure to use the new PKI.
Anyone done this before?
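An added example, not part of the original post or of any Microsoft tooling: a PowerShell check to run on a DA client before the server-side certificate is switched. It inventories the computer certificates in the machine store that carry the Client Authentication EKU, tags each one by issuing PKI, and warns when no certificate from the new PKI is present yet; it then prints the current DA connection and IP-HTTPS state where those cmdlets exist (Windows 8 and later), falling back to netsh on Windows 7. The issuer names `CN=OLD-ISSUING-CA` and `CN=NEW-ISSUING-CA` are placeholders and must be replaced with your own CA subjects.

```powershell
# Added example (not from the original post). Run on a DirectAccess client as an
# administrator to see which PKI issued its computer certificates before cutting
# the DA server over to the new PKI.

$OldPkiIssuer  = 'CN=OLD-ISSUING-CA'    # placeholder: subject of the old issuing CA
$NewPkiIssuer  = 'CN=NEW-ISSUING-CA'    # placeholder: subject of the new issuing CA
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'    # Client Authentication EKU OID

# Only certificates with a private key and the Client Authentication EKU are
# candidates for DA IPsec computer authentication.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
    }

$report = foreach ($c in $certs) {
    $pki = if ($c.Issuer -like "*$NewPkiIssuer*") { 'New' }
           elseif ($c.Issuer -like "*$OldPkiIssuer*") { 'Old' }
           else { 'Other' }
    [pscustomobject]@{
        Pki        = $pki
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        NotAfter   = $c.NotAfter
        Thumbprint = $c.Thumbprint
    }
}

$report | Sort-Object Pki, NotAfter | Format-Table -AutoSize

# Having both an old-PKI and a new-PKI certificate is the expected state mid-migration;
# the condition to watch for is a client with no new-PKI certificate at all.
if (-not ($report | Where-Object { $_.Pki -eq 'New' })) {
    Write-Warning 'No computer certificate from the new PKI is present on this client.'
}

# Current DA / IP-HTTPS state: cmdlets on Windows 8+, netsh on Windows 7.
if (Get-Command Get-DAConnectionStatus -ErrorAction SilentlyContinue) {
    Get-DAConnectionStatus | Format-List
    Get-NetIPHttpsState   | Format-List
} else {
    netsh interface httpstunnel show interfaces
}
```

Running this across a pilot group (for example via a scheduled task that writes the table to a share) gives you a per-client view of who has received the new certificate through autoenrollment and who has not, which is the information you need before changing the issuing CA on the DA server and letting the GPO update flow out.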