Moving an Enterprise Root Certificate Authority

  • Thread starter Thread starter Baboon
  • Start date Start date
B

Baboon

Guest
I have an Enterprise Root Certificate Authority running on a Windows 2000
Standard, SP4 domain controller. I would like to move it to a Windows 2003
Enterprise R2, SP2 domain controller in the same domain.

I don't know it it's as simple as exporting and importing the configuration;
it seems that it might take more than that since it is AD integrated and it
will be on a server with a different name.

Can someone point me to an article and/or advise? I found an article on
moving an NT 4 CA, but I don't want to assume the steps are the same.

Thanks.
 
RE: Moving an Enterprise Root Certificate Authority

Hello,

To move a CA from a server that is running Windows 2000 Server to a server
that is running Windows Server 2003, you must first upgrade the CA server
that is running Windows 2000 Server to Windows Server 2003. We do not
support moving CA from Windows 2000 to Windows Server 2003.

The following steps are for moving CA to different server with same OS:

Back Up and Restore the Certification Authority Keys and Database
-----------------------------------------------------------------

To back up the CA and restore it to a new server:

1. Back up the CA cryptographic keys and database to a central location.
This step can create a file that is named <CA_Name>.P12 (a password
protected file) that contains the private key of the CA, and a folder that
is named Database that holds the CA database and log files.
2. Back up the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<
CA Name>
3. Shut down the first server. (You must do this before you rename the new
server.)
4. Disconnect the old server from the network, either by removing the
network tap or by disabling all the active network interfaces.
5. Install Certificate Services on the new server. When you select the type
of CA to install, click to select the Advance Install check box.
6. Click the <CA_Name>.P12 file from the central location, and then
continue with the CA Setup. The CA log and database file paths must be the
same on the new server as they had been on the outdated server. When you
have installed Certificate Services, the new CA is going to be
cryptographically the same as the outdated CA.
7. Start the CA Microsoft Management Console (MMC) snap-in, and then
restore the backup (to restore the database and log files).
8. Restore the backed up registry key.
9. After you verify the functionality of the new server, you can safely
remove Certificate Services from the outdated server. The CA cryptographic
keys must be deleted before you remove Certificate Services. Start the
Command Prompt and follow these steps:
a. Type "certutil -shutdown" (without the quotation marks) to stop
Certificate Services.
b. Type "certutil -key" (without the quotation marks) to list the
cryptographic keys installed on the server. In the list of keys, one entry
is the name of the Certificate Authority.
c. Type "certutil -delkey <CA Name>" (without the quotation marks).
If the name of the Certificate Authority contains spaces, enclose the CA
name in quotation marks.
d. Certificate Services can now be safely removed from the server.

NOTE: The database and log-file paths must be the same on both the new and
outdated servers. Also, the new server must have the same name as the
outdated server because the server name information is part of the
Authority Information Access (AIA) and CRL distribution point paths of all
previously issued certificates.


At the other hand, I suggest you just setup a new CA in LAN, issue
certificate on the new Windows Server 2003 CA. Also, keep the old Windows
2000 CA. Because new CA is configured to issue CA, old Windows 2000 CA is
only for certificate revocation, CRL publish. When all the certificate that
issued from this Windows 2000 is expired, you can then disconnect the
Windows 2000 CA.

Reference information:
===============================
How to move a certification authority to another server
http://support.microsoft.com/default.aspx?scid=kb;EN-US;298138

Hope it helps.

Have a nice day!

Mike Luo

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
RE: Moving an Enterprise Root Certificate Authority

Thanks much for the complete response.
I am going to go with your alternate suggestion, as I am not in a position
to easily rename the servers, since they are domain controllers and have
other network services as well.

"Mike Luo [MSFT]" wrote:

> Hello,
>
> To move a CA from a server that is running Windows 2000 Server to a server
> that is running Windows Server 2003, you must first upgrade the CA server
> that is running Windows 2000 Server to Windows Server 2003. We do not
> support moving CA from Windows 2000 to Windows Server 2003.
>
> The following steps are for moving CA to different server with same OS:
>
> Back Up and Restore the Certification Authority Keys and Database
> -----------------------------------------------------------------
>
> To back up the CA and restore it to a new server:
>
> 1. Back up the CA cryptographic keys and database to a central location.
> This step can create a file that is named <CA_Name>.P12 (a password
> protected file) that contains the private key of the CA, and a folder that
> is named Database that holds the CA database and log files.
> 2. Back up the following key in the registry:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<
> CA Name>
> 3. Shut down the first server. (You must do this before you rename the new
> server.)
> 4. Disconnect the old server from the network, either by removing the
> network tap or by disabling all the active network interfaces.
> 5. Install Certificate Services on the new server. When you select the type
> of CA to install, click to select the Advance Install check box.
> 6. Click the <CA_Name>.P12 file from the central location, and then
> continue with the CA Setup. The CA log and database file paths must be the
> same on the new server as they had been on the outdated server. When you
> have installed Certificate Services, the new CA is going to be
> cryptographically the same as the outdated CA.
> 7. Start the CA Microsoft Management Console (MMC) snap-in, and then
> restore the backup (to restore the database and log files).
> 8. Restore the backed up registry key.
> 9. After you verify the functionality of the new server, you can safely
> remove Certificate Services from the outdated server. The CA cryptographic
> keys must be deleted before you remove Certificate Services. Start the
> Command Prompt and follow these steps:
> a. Type "certutil -shutdown" (without the quotation marks) to stop
> Certificate Services.
> b. Type "certutil -key" (without the quotation marks) to list the
> cryptographic keys installed on the server. In the list of keys, one entry
> is the name of the Certificate Authority.
> c. Type "certutil -delkey <CA Name>" (without the quotation marks).
> If the name of the Certificate Authority contains spaces, enclose the CA
> name in quotation marks.
> d. Certificate Services can now be safely removed from the server.
>
> NOTE: The database and log-file paths must be the same on both the new and
> outdated servers. Also, the new server must have the same name as the
> outdated server because the server name information is part of the
> Authority Information Access (AIA) and CRL distribution point paths of all
> previously issued certificates.
>
>
> At the other hand, I suggest you just setup a new CA in LAN, issue
> certificate on the new Windows Server 2003 CA. Also, keep the old Windows
> 2000 CA. Because new CA is configured to issue CA, old Windows 2000 CA is
> only for certificate revocation, CRL publish. When all the certificate that
> issued from this Windows 2000 is expired, you can then disconnect the
> Windows 2000 CA.
>
> Reference information:
> ===============================
> How to move a certification authority to another server
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;298138
>
> Hope it helps.
>
> Have a nice day!
>
> Mike Luo
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
 
RE: Moving an Enterprise Root Certificate Authority

Appreciate your response. If you need more help or have other concerns in
the future, just post back into the newsgroup. It is always our pleasure to
be of help. Have a nice day!

Mike Luo

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top