Moving an Enterprise Root Certificate Authority

Discussion in 'Windows Server' started by Baboon, Aug 20, 2007.

  1. Baboon

    Baboon Guest

    I have an Enterprise Root Certificate Authority running on a Windows 2000
    Standard, SP4 domain controller. I would like to move it to a Windows 2003
    Enterprise R2, SP2 domain controller in the same domain.

    I don't know if it's as simple as exporting and importing the configuration;
    it seems that it might take more than that since it is AD integrated and it
    will be on a server with a different name.

    Can someone point me to an article and/or advise? I found an article on
    moving an NT 4 CA, but I don't want to assume the steps are the same.

    Thanks.
     
    Baboon, Aug 20, 2007
    #1

  2. Hello,

    To move a CA from a server that is running Windows 2000 Server to a server
    that is running Windows Server 2003, you must first upgrade the CA server
    that is running Windows 2000 Server to Windows Server 2003. We do not
    support moving a CA from Windows 2000 to Windows Server 2003.

    The following steps are for moving a CA to a different server with the same OS:

    Back Up and Restore the Certification Authority Keys and Database
    -----------------------------------------------------------------

    To back up the CA and restore it to a new server:

    1. Back up the CA cryptographic keys and database to a central location.
    This step can create a file that is named <CA_Name>.P12 (a password
    protected file) that contains the private key of the CA, and a folder that
    is named Database that holds the CA database and log files.
    2. Back up the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<
    CA Name>
    3. Shut down the first server. (You must do this before you rename the new
    server.)
    4. Disconnect the old server from the network, either by removing the
    network tap or by disabling all the active network interfaces.
    5. Install Certificate Services on the new server. When you select the type
    of CA to install, click to select the Advanced Install check box.
    6. Click the <CA_Name>.P12 file from the central location, and then
    continue with the CA Setup. The CA log and database file paths must be the
    same on the new server as they had been on the outdated server. When you
    have installed Certificate Services, the new CA is going to be
    cryptographically the same as the outdated CA.
    7. Start the CA Microsoft Management Console (MMC) snap-in, and then
    restore the backup (to restore the database and log files).
    8. Restore the backed up registry key.
    9. After you verify the functionality of the new server, you can safely
    remove Certificate Services from the outdated server. The CA cryptographic
    keys must be deleted before you remove Certificate Services. Start the
    Command Prompt and follow these steps:
    a. Type "certutil -shutdown" (without the quotation marks) to stop
    Certificate Services.
    b. Type "certutil -key" (without the quotation marks) to list the
    cryptographic keys installed on the server. In the list of keys, one entry
    is the name of the Certificate Authority.
    c. Type "certutil -delkey <CA Name>" (without the quotation marks).
    If the name of the Certificate Authority contains spaces, enclose the CA
    name in quotation marks.
    d. Certificate Services can now be safely removed from the server.

    NOTE: The database and log-file paths must be the same on both the new and
    outdated servers. Also, the new server must have the same name as the
    outdated server because the server name information is part of the
    Authority Information Access (AIA) and CRL distribution point paths of all
    previously issued certificates.


    On the other hand, I suggest you just set up a new CA in the LAN and issue
    certificates from the new Windows Server 2003 CA. Also, keep the old Windows
    2000 CA. Because the new CA is configured to issue certificates, the old
    Windows 2000 CA is used only for certificate revocation and CRL publishing.
    When all the certificates issued from this Windows 2000 CA have expired, you
    can then disconnect the Windows 2000 CA.

    Reference information:
    ===============================
    How to move a certification authority to another server
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;298138

    Hope it helps.

    Have a nice day!

    Mike Luo

    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Mike Luo [MSFT], Aug 20, 2007
    #2
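The backup, restore and verification steps of the procedure in the reply above, driven from PowerShell with certutil.exe and reg.exe instead of the MMC snap-in. This is an added example, not part of the original thread and not Microsoft's own script; the CA name, the backup directory, the old hostname, the .reg file name and the password environment variable are assumptions to replace with your own values. It also adds two checks a practitioner would want that the reply only implies: that the restored CA certificate has the same thumbprint as before the move (the "cryptographically the same" claim in step 6), and that the CA's publication URL templates do not carry the old hostname literally (the caveat in the NOTE).

```powershell
# Added example (not from the original thread or from Microsoft): the backup,
# restore and post-move checks of the procedure above, driven with certutil.exe
# and reg.exe. $CAName, $BackupDir, $OldHost and the password variable are
# assumptions; substitute your own. Run elevated on the CA server.

$CAName    = 'Contoso Root CA'     # assumption: the CA name as listed by certutil -key
$BackupDir = 'D:\CABackup'         # assumption: the central backup location of step 1
$OldHost   = 'oldca01'             # assumption: name of the outdated server
$RegKey    = "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"

function Get-CAThumbprint {
    param([string]$OutFile)
    # certutil -ca.cert writes the CA's own certificate; an identical thumbprint on
    # both servers is the check that the new CA is "cryptographically the same".
    if (Test-Path $OutFile) { Remove-Item $OutFile }
    certutil -ca.cert $OutFile | Out-Null
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
    $cert.Thumbprint
}

function Backup-CA {
    param([string]$Dir, [string]$P12Password)
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }

    # Step 1: private key + CA certificate -> <CA Name>.p12 protected by $P12Password,
    # database + log files -> a DataBase subfolder. -f overwrites an earlier backup.
    certutil -f -p $P12Password -backup $Dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed: exit code $LASTEXITCODE" }

    # Step 2: the CA's registry configuration (DB/log paths, publication URL templates).
    reg export $RegKey (Join-Path $Dir 'CertSvc-Configuration.reg') /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed: exit code $LASTEXITCODE" }

    # Record the CA certificate thumbprint so the restored CA can be compared against it.
    Get-CAThumbprint (Join-Path $Dir 'ca-before-move.cer') |
        Set-Content (Join-Path $Dir 'thumbprint.txt')
}

function Restore-CA {
    param([string]$Dir, [string]$P12Password)
    # Steps 7-8 on the new server, after Certificate Services has been installed from
    # the .p12 with the same CA name and DB/log paths. -restore needs the service stopped.
    net stop certsvc
    certutil -f -p $P12Password -restore $Dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed: exit code $LASTEXITCODE" }
    reg import (Join-Path $Dir 'CertSvc-Configuration.reg')
    if ($LASTEXITCODE -ne 0) { throw "reg import failed: exit code $LASTEXITCODE" }
    net start certsvc
}

function Test-RestoredCA {
    param([string]$Dir, [string]$OldHostName)
    $before = Get-Content (Join-Path $Dir 'thumbprint.txt')
    $after  = Get-CAThumbprint (Join-Path $Dir 'ca-after-move.cer')
    if ($before -ne $after) { throw "CA certificate changed: $before -> $after" }

    # The NOTE's caveat: certificates already issued carry the old server name in their
    # CDP/AIA URLs, which is why the name must not change. The templates below normally
    # use %1 (the server's DNS name); a literal old hostname in them would keep the new
    # CA publishing URLs that point at the retired machine.
    $urls  = @(certutil -getreg CA\CRLPublicationURLs) + @(certutil -getreg CA\CACertPublicationURLs)
    $stale = $urls | Where-Object { $_ -match [regex]::Escape($OldHostName) }
    if ($stale) { Write-Warning "Publication templates still name ${OldHostName}:"; $stale }
    'OK: restored CA certificate matches, thumbprint ' + $after
}

function Remove-OldCAKey {
    param([string]$Name)
    # Step 9 on the outdated server, only after the new one is verified: stop the CA,
    # list the keys, delete the CA key by name (PowerShell quotes $Name if it has spaces).
    certutil -shutdown
    certutil -key
    certutil -delkey $Name
}

# Usage, in the order of the procedure. $env:CA_P12_PASSWORD is an assumed variable
# holding the PFX password; do not hard-code it in the script.
#   Backup-CA -Dir $BackupDir -P12Password $env:CA_P12_PASSWORD     # old server, steps 1-2
#   (shut down and disconnect the old server, install the new CA from the .p12: steps 3-6)
#   Restore-CA -Dir $BackupDir -P12Password $env:CA_P12_PASSWORD    # new server, steps 7-8
#   Test-RestoredCA -Dir $BackupDir -OldHostName $OldHost
#   Remove-OldCAKey -Name $CAName                                    # old server, step 9
```

The .p12 produced by step 1 is the CA's private key under nothing more than the password you pass to `-p`; treat the backup directory with the same care as the CA itself and wipe it once the restore is verified. The hostname check only looks at the publication templates on the new CA; it cannot fix the URLs already embedded in issued certificates, which is exactly why the reply insists on keeping the server name.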

  3. Baboon

    Baboon Guest

    Thanks much for the complete response.
    I am going to go with your alternate suggestion, as I am not in a position
    to easily rename the servers, since they are domain controllers and have
    other network services as well.
     
    Baboon, Aug 20, 2007
    #3
  4. Appreciate your response. If you need more help or have other concerns in
    the future, just post back into the newsgroup. It is always our pleasure to
    be of help. Have a nice day!

    Mike Luo

     
    Mike Luo [MSFT], Aug 21, 2007
    #4
