Monday, 3 March 2014

Migrating a 2003 Certificate Authority (CA) to 2008 R2

We recently had a requirement to migrate an old Windows Server 2003 Standard Certificate Authority server, to a new 2008 R2 Enterprise system.

There aren't many good guides on the web, so I decided to create this one. The post below details the process of migrating the CA and changing the name of the CA server.


I found the posts below extremely helpful the first time I attempted this.

Backup Current System

It is very important that the first thing you do is create a good BACKUP of the server we are migrating. If this goes wrong for whatever reason we need a fallback plan, as loss of your PKI infrastructure would be catastrophic.

Next we are ready to start to migrate the system.

  1. The first thing we need to do is to take a backup of the CA database. To do this load the Certificate Authority MMC snap-in and right click the CA name in the left pane.

  2. Select from the menu All Tasks > Backup CA, as shown below.

  3. Next tick both boxes and select a location to back the configuration up to, e.g. C:\Back, as shown below. Click Next.

  4. Next the wizard will ask you for a password to encrypt your private key in the backup. Keep it safe, or your key will be unrecoverable!

  5. Click Next and Finish.

  6. Next we need to back up the registry. Locate the registry key shown below, right click it and select Export. Save it with the CA backup we made earlier.

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
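The same backup can be scripted so it is repeatable and its output is listed for checking after the copy to the new server. This is an added example, not from the original post; it assumes PowerShell 2.0 is installed on the 2003 source server, that you run it as a CA administrator, and the backup directory is a placeholder matching step 3.

```powershell
# Added example (not from the original post): scripted equivalent of steps 1-6.
# Assumes PowerShell 2.0 on the 2003 source server and a CA administrator session.
$BackupDir = 'C:\Back'   # placeholder; same location as in step 3

# certutil -backup refuses a non-empty directory, so insist on a fresh one.
if (Test-Path $BackupDir) {
    if (@(Get-ChildItem $BackupDir).Count -gt 0) { throw "$BackupDir must be empty" }
} else {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# Steps 3-4: the wizard's two tick boxes correspond to database + CA cert/key.
# Prompt for the key password rather than hard-coding it in the script.
$Secure = Read-Host 'Password to protect the exported private key' -AsSecureString
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

# Writes the CA database, its log and the CA certificate + private key (.p12)
# into $BackupDir, with the key encrypted under the supplied password.
certutil -backup -p $Plain $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit code $LASTEXITCODE)" }

# Step 6: export the CertSvc registry key alongside the database backup.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc' (Join-Path $BackupDir 'CertSvc.reg') /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

# Sanity check: the .p12 from step 4 must be present or the new server cannot
# reuse the existing key (section 3, step 6-7).
if (-not (Get-ChildItem $BackupDir -Filter *.p12)) { throw 'No .p12 file produced' }

# List what was produced so the same files can be verified after copying.
Get-ChildItem $BackupDir -Recurse | Select-Object FullName, Length, LastWriteTime
```

Copy the whole of $BackupDir to the new server; the .p12, the database folder and CertSvc.reg are all needed in the later sections.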

Uninstall CA from 2003 server

The next step is to remove the CA software from the OLD 2003 standard server. Unlike 2008 R2 this must be done from the control panel.

  1. Load the Add/Remove Programs control panel item.

  2. On the left hand side you will see a button that says Add/Remove Windows Components.

  3. Next locate Certificate Services and untick the box, as shown below. Click Next.

  4. Windows will uninstall Certificate Services and remove all configuration for it.
  5. Once it has been uninstalled, reboot the server and change the system to DHCP, or give it another static address, so we can reuse the IP address.

NOTE - Don't forget to remove all DNS records for the old system if you created static entries.

Install role onto new 2008 CA server

The next stage is to configure the 2008 R2 server, give it an IP address and install the CA role onto it.

  1. Load Server Manager and start the Add Roles wizard.

  2. On the Select Server Roles page select the Active Directory Certificate Services role, as shown below. Click Next.

  3. On the Select Role Services page select Certification Authority and Certification Authority Web Enrollment, as shown below. Click Next.

  4. On the next screen select Enterprise, as shown below. Click Next.

  5. On the next screen select Root CA. Click Next.

  6. On the next screen select Use existing private key, then select Select a certificate and use its associated private key.

  7. Next you need to select the certificate that we backed up in the first section of this guide. The entire backup needs to be copied to the new server. The certificate backup should be in a .P12 file. Once you have selected the file, you will be prompted for the password you used to encrypt it earlier. Select the cert and click Next.

  8. Leave everything else as the default. Click Install.

Restore CA Database & Registry to new Server

The next step is to restore the rest of the backup we made of the older server and import the registry entries.

  1. First we need to load the Certification Authority MMC snap-in on the new server.

  2. Right click on the CA name and select Restore, shown below.

  3. You will be prompted to Stop the CA service. Click OK.

  4. In the next screen click Next, then tick the boxes and browse to the backup we made earlier, as shown below.

  5. Type in the password we created and click Next, then Finish.

  6. You will then be asked if you want to start the services again. Click Yes.

  7. Next you need to restore the registry file we created earlier. To do this simply double click it and follow the prompts.

  8. Next we need to verify that the registry has the correct name for the CA. Locate the registry key below.

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\configuration\CAName

  9. Verify that the CAServerName value is showing the correct DNS name of the new server.
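Because the restored .reg file carries the old server's values, the check in steps 8-9 is worth scripting on the new 2008 R2 server. This is an added example, not from the original post; it reads the active CA name from the registry rather than assuming it, and the old host name you pass in is a placeholder.

```powershell
# Added example (not from the original post): post-restore check of the CertSvc
# registry on the 2008 R2 server. Run in an elevated PowerShell session.
param([string]$OldServerName = 'OLD-CA-HOST')   # placeholder for the 2003 host name

$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The 'Active' value names the CA whose subkey holds the live configuration.
$CAName = (Get-ItemProperty -Path $ConfigKey).Active
$CAKey  = Join-Path $ConfigKey $CAName
$CA     = Get-ItemProperty -Path $CAKey

# What this host calls itself; CAServerName must match it after the rename.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

"CA name      : $CAName"
"CAServerName : $($CA.CAServerName)"
"Local FQDN   : $Fqdn"

$Problems = @()
if ($CA.CAServerName -ne $Fqdn) {
    $Problems += "CAServerName is '$($CA.CAServerName)', expected '$Fqdn'"
}

# The .reg import can also leave the old host name inside other values under the
# CA key (for example the CRL/AIA publication URL lists). Report every such value.
foreach ($Prop in $CA.PSObject.Properties) {
    $Text = [string]::Join(' ', @($Prop.Value))
    if ($Text -match [regex]::Escape($OldServerName)) {
        $Problems += "$($Prop.Name) still references '$OldServerName'"
    }
}

if ($Problems.Count -eq 0) {
    'Registry looks consistent with the new server name.'
} else {
    $Problems | ForEach-Object { Write-Warning $_ }
    # Fix CAServerName only once you have confirmed $Fqdn is correct, then restart the CA:
    # Set-ItemProperty -Path $CAKey -Name CAServerName -Value $Fqdn
    # Restart-Service CertSvc
}

# Finally confirm the CA service answers on this host.
certutil -ping
```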

Modify ACEs in Active Directory Sites and Services

Next we need to give the new system rights over the objects in the AD site. 

  1. First load Active Directory Sites and Services on the DC.

  2. Enable the Services node by clicking on the top level of the tree on the left. Then click View and select Show Services Node. Shown below.

  3. Next expand Services > Public Key Services > select AIA.
  4. In the right hand pane, you should see the CA name. Right click the CA name and select Properties, then select the Security tab.
  5. Add an entry for the new server and give Full Control.
  6. Remove the old server name and Click OK.
  7. Next select and expand the CDP folder from the left pane.
  8. Delete the folder for the Old server.
  9. Next, in the right hand pane, again right click the first object and select Properties, then select the Security tab.
  10. Again give Full Control to the new server account.
