Moving an Enterprise Root Certificate Authority

Guest Baboon
Posted

I have an Enterprise Root Certificate Authority running on a Windows 2000 Standard, SP4 domain controller. I would like to move it to a Windows 2003 Enterprise R2, SP2 domain controller in the same domain.

I don't know if it's as simple as exporting and importing the configuration; it seems that it might take more than that since it is AD integrated and it will be on a server with a different name.

Can someone point me to an article and/or advise? I found an article on moving an NT 4 CA, but I don't want to assume the steps are the same.

Thanks.

Guest Mike Luo [MSFT]
Posted

RE: Moving an Enterprise Root Certificate Authority

Hello,

To move a CA from a server that is running Windows 2000 Server to a server that is running Windows Server 2003, you must first upgrade the CA server that is running Windows 2000 Server to Windows Server 2003. We do not support moving a CA from Windows 2000 to Windows Server 2003.

The following steps are for moving a CA to a different server with the same OS:

Back Up and Restore the Certification Authority Keys and Database
-----------------------------------------------------------------

To back up the CA and restore it to a new server:

1. Back up the CA cryptographic keys and database to a central location. This step can create a file that is named <CA_Name>.P12 (a password-protected file) that contains the private key of the CA, and a folder that is named Database that holds the CA database and log files.

2. Back up the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>

3. Shut down the first server. (You must do this before you rename the new server.)

4. Disconnect the old server from the network, either by removing the network tap or by disabling all the active network interfaces.

5. Install Certificate Services on the new server. When you select the type of CA to install, click to select the Advanced Install check box.

6. Click the <CA_Name>.P12 file from the central location, and then continue with the CA Setup. The CA log and database file paths must be the same on the new server as they had been on the outdated server. When you have installed Certificate Services, the new CA is going to be cryptographically the same as the outdated CA.

7. Start the CA Microsoft Management Console (MMC) snap-in, and then restore the backup (to restore the database and log files).

8. Restore the backed-up registry key.

9. After you verify the functionality of the new server, you can safely remove Certificate Services from the outdated server. The CA cryptographic keys must be deleted before you remove Certificate Services. Start the Command Prompt and follow these steps:

   a. Type "certutil -shutdown" (without the quotation marks) to stop Certificate Services.

   b. Type "certutil -key" (without the quotation marks) to list the cryptographic keys installed on the server. In the list of keys, one entry is the name of the Certificate Authority.

   c. Type "certutil -delkey <CA Name>" (without the quotation marks). If the name of the Certificate Authority contains spaces, enclose the CA name in quotation marks.

   d. Certificate Services can now be safely removed from the server.

NOTE: The database and log-file paths must be the same on both the new and outdated servers. Also, the new server must have the same name as the outdated server because the server name information is part of the Authority Information Access (AIA) and CRL distribution point paths of all previously issued certificates.

On the other hand, I suggest you just set up a new CA in the LAN and issue certificates on the new Windows Server 2003 CA. Also, keep the old Windows 2000 CA. Because the new CA is configured to issue certificates, the old Windows 2000 CA is only for certificate revocation and CRL publishing. When all the certificates issued from this Windows 2000 CA have expired, you can then disconnect the Windows 2000 CA.

Reference information:
===============================
How to move a certification authority to another server
http://support.microsoft.com/default.aspx?scid=kb;EN-US;298138

Hope it helps.

Have a nice day!

Mike Luo

Microsoft Online Partner Support
Get Secure! - http://www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
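The pre-move part of the procedure above (steps 1, 2 and 9b, plus the AIA/CDP caveat in the NOTE) can be scripted on the existing CA so that the backup is repeatable and the host-name dependency is checked before anything is shut down. The following is an added example, not code from the original post or from Microsoft; it assumes the Windows Server 2003-era certutil.exe and reg.exe command syntax, is run as a local administrator on the old CA, and uses <CA_Name> and the backup path as placeholders to replace. It only reads and backs up; the destructive step 9c (certutil -delkey) is deliberately left for a manual run after the new server has been verified.

```powershell
# Added example (not from the original post or from Microsoft).
# Assumptions: Windows Server 2003-era certutil/reg syntax; run on the old CA
# as a local administrator. $CaName and $BackupDir are placeholders.

$CaName    = "<CA_Name>"                                     # placeholder: CA common name
$BackupDir = "C:\CABackup\$(Get-Date -Format yyyyMMdd)"      # placeholder: central backup location

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 1: back up the CA private key and database. certutil prompts for the
# password that protects <CA_Name>.P12 and writes the .P12 file plus a
# Database folder (DB and log files) under $BackupDir.
certutil -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# Step 2: export the CertSvc configuration from the registry. Exporting the whole
# Configuration subtree captures the <CA Name> key named in the post.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" `
    "$BackupDir\CertSvc-Configuration.reg" /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# The NOTE's caveat: if the old host name is embedded in the CRL distribution
# point or AIA publication URLs, every previously issued certificate points at
# this server's name, which is why the new server must keep the same name.
$oldHost = $env:COMPUTERNAME
$urls = @(certutil -getreg "CA\CRLPublicationURLs") + @(certutil -getreg "CA\CACertPublicationURLs")
$hits = $urls | Where-Object { $_ -match [regex]::Escape($oldHost) }
if ($hits) {
    Write-Warning "Host name '$oldHost' appears in CRL/AIA publication URLs; renaming the CA host would break these paths:"
    $hits | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "No CRL/AIA publication URL references '$oldHost'."
}

# Step 9b, recorded now for the later cleanup: list the installed key
# containers so the CA key name is known before certutil -delkey is ever run.
certutil -key | Out-File -FilePath "$BackupDir\certutil-key-list.txt"

# Sanity check: the backup location should now hold the .P12 file, the
# Database folder and the exported .reg file.
Get-ChildItem -Recurse -Path $BackupDir | Select-Object FullName, Length
```

Keep the resulting .P12 and its password apart from each other; the file is the CA's private key, and anyone holding both can issue certificates trusted by the whole domain. The URL check is the one item here that decides between the two options Mike describes: if the host name shows up in the publication URLs, the original poster's plan of moving to a differently named domain controller will break revocation checking for existing certificates, which is the case for the "keep the old CA for CRL publishing until its certificates expire" alternative.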

Guest Baboon
Posted

RE: Moving an Enterprise Root Certificate Authority

Thanks much for the complete response.

I am going to go with your alternate suggestion, as I am not in a position to easily rename the servers, since they are domain controllers and have other network services as well.

"Mike Luo [MSFT]" wrote:

> Hello,
>
> To move a CA from a server that is running Windows 2000 Server to a server that is running Windows Server 2003, you must first upgrade the CA server that is running Windows 2000 Server to Windows Server 2003. We do not support moving a CA from Windows 2000 to Windows Server 2003.
>
> The following steps are for moving a CA to a different server with the same OS:
>
> Back Up and Restore the Certification Authority Keys and Database
> -----------------------------------------------------------------
>
> To back up the CA and restore it to a new server:
>
> 1. Back up the CA cryptographic keys and database to a central location. This step can create a file that is named <CA_Name>.P12 (a password-protected file) that contains the private key of the CA, and a folder that is named Database that holds the CA database and log files.
>
> 2. Back up the following key in the registry:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>
>
> 3. Shut down the first server. (You must do this before you rename the new server.)
>
> 4. Disconnect the old server from the network, either by removing the network tap or by disabling all the active network interfaces.
>
> 5. Install Certificate Services on the new server. When you select the type of CA to install, click to select the Advanced Install check box.
>
> 6. Click the <CA_Name>.P12 file from the central location, and then continue with the CA Setup. The CA log and database file paths must be the same on the new server as they had been on the outdated server. When you have installed Certificate Services, the new CA is going to be cryptographically the same as the outdated CA.
>
> 7. Start the CA Microsoft Management Console (MMC) snap-in, and then restore the backup (to restore the database and log files).
>
> 8. Restore the backed-up registry key.
>
> 9. After you verify the functionality of the new server, you can safely remove Certificate Services from the outdated server. The CA cryptographic keys must be deleted before you remove Certificate Services. Start the Command Prompt and follow these steps:
>
>    a. Type "certutil -shutdown" (without the quotation marks) to stop Certificate Services.
>
>    b. Type "certutil -key" (without the quotation marks) to list the cryptographic keys installed on the server. In the list of keys, one entry is the name of the Certificate Authority.
>
>    c. Type "certutil -delkey <CA Name>" (without the quotation marks). If the name of the Certificate Authority contains spaces, enclose the CA name in quotation marks.
>
>    d. Certificate Services can now be safely removed from the server.
>
> NOTE: The database and log-file paths must be the same on both the new and outdated servers. Also, the new server must have the same name as the outdated server because the server name information is part of the Authority Information Access (AIA) and CRL distribution point paths of all previously issued certificates.
>
> On the other hand, I suggest you just set up a new CA in the LAN and issue certificates on the new Windows Server 2003 CA. Also, keep the old Windows 2000 CA. Because the new CA is configured to issue certificates, the old Windows 2000 CA is only for certificate revocation and CRL publishing. When all the certificates issued from this Windows 2000 CA have expired, you can then disconnect the Windows 2000 CA.
>
> Reference information:
> ===============================
> How to move a certification authority to another server
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;298138
>
> Hope it helps.
>
> Have a nice day!
>
> Mike Luo
>
> Microsoft Online Partner Support
> Get Secure! - http://www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.

Guest Mike Luo [MSFT]
Posted

RE: Moving an Enterprise Root Certificate Authority

Appreciate your response. If you need more help or have other concerns in the future, just post back into the newsgroup. It is always our pleasure to be of help. Have a nice day!

Mike Luo

Microsoft Online Partner Support
Get Secure! - http://www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
