Migrating Windows Certificate Authority Server from Windows 2003 Standard to Windows 2008 Enterprise Server

Migrating a Windows Certificate Authority server from Windows 2003 Standalone on a DC to Windows 2008 Enterprise Server. Installing the CA on Windows 2008 Server has several advantages: Windows 2008 Server supports v1, v2 and v3 certificate templates, and a Windows 2008 R2 Enterprise CA also supports cross-forest certificates. The article below walks you through migrating a CA from Windows 2003 Standard Edition to Windows 2008 Enterprise Edition.

Moving Certificate Server in Simple Steps

  1. Perform a System State backup on the source CA server
  2. Back up the CA from the CA console
  3. Back up the CA registry configuration
  4. Uninstall the CA from the source server using Add/Remove Programs
  5. Install the CA as a role on the target Windows 2008 computer using the existing certificate and key
  6. Restore the CA database on the target CA
  7. Import the CA registry configuration on the target CA
  8. Complete post-migration tasks

Perform System State backup on Source CA

  1. Log in to the source server and take a System State backup using Ntbackup to C:\CertBackup

Backup CA from CA Console

  1. Open the Certification Authority snap-in.
  2. Right-click the node with the CA name, point to All Tasks, and then click Back Up CA.
  3. On the Welcome page of the CA Backup wizard, click Next. On the Items to Back Up page, select the Private key and CA certificate and Certificate database and certificate database log check boxes, enter the backup location, and then click Next.
  4. On the Select a Password page, enter a password to protect the CA private key and click Next.
  5. On the Completing the Backup Wizard page, click Finish.
  6. This creates the following files in C:\CertBackup:

  • certbackup.p12
  • Database

Backup CA registry Configuration

  1. Click Start, point to Run, and type regedit to open the Registry Editor.
  2. In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, right-click Configuration, and then click Export.
  3. Enter a location and file name, and then click Save. This creates a .reg file with the registry configuration information for your CA.

Uninstall CA from the Server using Add/Remove Programs

  1. Go to Add/Remove Programs -> Add/Remove Windows Components -> click Certificate Services and clear the Certificate Services CA and Certificate Services Web Enrollment Support check boxes.

Install the CA as a Role on the target computer using the existing certificate key

  1. Install a new Windows 2008 Enterprise Edition server.
  2. Open Server Manager and add a new role.
  3. Select Active Directory Certificate Services.
  4. Select Certificate Authority and click Next.
  5. Select Enterprise CA and click Next.
  6. Choose Use existing private key as shown below, select "Select a certificate and use its associated private key", and click Next.
  7. Click the Browse button to locate the folder containing the certificate and private key that you exported from the source computer.
  8. Enter the password that was used for the export.
  9. Click Next, Next, and then Install.

Restore the CA database on the target CA

  1. Open the Certification Authority snap-in.
  2. Right-click the node with the CA name, point to All Tasks, and then click Restore CA. Click OK to confirm stopping the CA service.
  3. In the CA Restore wizard, on the Welcome page, click Next.
  4. On the Items to Restore page, select Certificate database and certificate database log. Click Browse, and navigate to the location of the Database folder that contains the CA database export files created when you previously exported the CA database.
  5. Enter the password you used to export the CA database from the source CA, if a password is requested.
  6. Click Finish, and then click Yes to confirm restarting the CA.

Import the CA Registry configuration on the target CA

  1. Double-click the registry file that you exported from the source server to import it into the new server, and click Yes to confirm.
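The registry-verification section at the end of this post lists the values (CAServerName, the publication URLs, ConfigurationDirectory) that must not carry the source host name, and the Microsoft support note quoted in the comments explains that the database directory values must match the folders chosen when the target CA role was installed. The following PowerShell is an added example, not part of the original post: it rewrites a copy of the exported .reg file before it is double-clicked. The file names, host names and database path are assumptions to adjust for your environment.

```powershell
# Added example, not part of the original post. Rewrites a copy of the exported
# CertSvc registry file so that it names the target CA host and the database
# folders chosen during the target's role installation. Assumed values:
param(
    [string]$InputReg   = 'C:\CertBackup\certsvc-source.reg',  # export from the source CA
    [string]$OutputReg  = 'C:\CertBackup\certsvc-target.reg',  # file to import on the target
    [string]$SourceHost = 'OLDCA',                              # source host name (or FQDN) as it appears in the export
    [string]$TargetHost = 'NEWCA',                              # host name (or FQDN) of the Windows 2008 CA
    [string]$DbPath     = 'C:\Windows\System32\CertLog'         # DB location chosen on the target
)

# regedit's default export ("Version 5.00") is UTF-16LE with a BOM; the
# "Win9x/NT4" export (REGEDIT4) is ANSI. Detect which one we were given.
$bytes = [System.IO.File]::ReadAllBytes($InputReg)
$isUnicodeFile = ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE)
$fileEnc = if ($isUnicodeFile) { [System.Text.Encoding]::Unicode } else { [System.Text.Encoding]::Default }
$text = $fileEnc.GetString($bytes).TrimStart([char]0xFEFF)

# REG_MULTI_SZ values (CRLPublicationURLs, CACertPublicationURLs) are stored as
# hex(7) byte dumps: UTF-16LE in Version 5.00 files, ANSI in REGEDIT4 files.
$multiEnc = if ($text -match '^Windows Registry Editor Version 5') { [System.Text.Encoding]::Unicode } else { [System.Text.Encoding]::Default }

# Long hex dumps are wrapped with a trailing backslash; join them back into one line.
$text = $text -replace ',\\\r?\n\s*', ','

$hostPattern = [regex]::Escape($SourceHost)
$dbReg = $DbPath.Replace('\', '\\')    # .reg files double every backslash inside quoted strings

$output = foreach ($line in ($text -split "`r?`n")) {
    switch -Regex ($line) {
        # Database folders must match what the target CA was installed with,
        # otherwise the service cannot start after the restore.
        '^"(DBDirectory|DBLogDirectory|DBTempDirectory|DBSystemDirectory)"=' {
            '"{0}"="{1}"' -f $Matches[1], $dbReg
        }
        # Multi-string values: decode the bytes, replace the host name, re-encode.
        '^"([^"]+)"=hex\(7\):(.*)$' {
            $name = $Matches[1]
            $data = $Matches[2]
            $raw = [byte[]]@($data -split ',' | Where-Object { $_ -ne '' } | ForEach-Object { [Convert]::ToByte($_, 16) })
            $fixed = $multiEnc.GetString($raw) -replace $hostPattern, $TargetHost
            $hex = ($multiEnc.GetBytes($fixed) | ForEach-Object { $_.ToString('x2') }) -join ','
            '"{0}"=hex(7):{1}' -f $name, $hex
        }
        # Everything else (CAServerName, ConfigurationDirectory, ...): plain text replace.
        default { $line -replace $hostPattern, $TargetHost }
    }
}

# Write in the same encoding the input used so regedit accepts the file.
[System.IO.File]::WriteAllText($OutputReg, ($output -join "`r`n"), $fileEnc)
```

Compare the output against the original with a diff tool before importing it; only the host name, the two multi-string URL values and the four database directories should differ.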

Complete post-migration tasks

Updating CRL Distribution Point and Authority Information Access Extensions

  1. Log in to the new Windows 2008 CA server.
  2. Open the Certification Authority MMC.
  3. Right-click the CA, click Properties, open the Extensions tab, click Add, and add the line below, replacing SourceServername.

ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=SourceServername,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

  4. Check Publish CRLs to this location.
  5. Check Publish Delta CRLs to this location.
  6. Click Apply and OK.
  7. Verify that the CA can publish CRLs to the new location.
  8. Open the Certification Authority snap-in.
  9. Right-click Revoked Certificates, point to All Tasks, and click Publish.
  10. Click either New CRL or Delta CRL only, and click OK.

To verify ACLs on the AIA and CDP containers

  1. Log in to the DC and open Active Directory Sites and Services.
  2. In the console, click the top node.
  3. Click View and select Show Services Node.
  4. The Services folder appears in the left pane; expand it to reach Public Key Services as shown below.
  5. Expand Public Key Services.
  6. Click the AIA folder and, in the details pane, select the name of the source CA.
  7. On the Action menu, click Properties.
  8. Click the Security tab, and then click Add.
  9. Click Object Types, click Computers, and then click OK.
  10. Type the host name of the target CA, and click OK.
  11. In the Allow column, select Full Control, and click OK.
  12. In the left pane, select CDP and the host name of the source CA.
  13. In the details pane, select the first CRL object.
  14. On the Action menu, click Properties, and then click the Security tab.
  15. In the list of permitted group or user names, select the name of the source CA, click Remove, and then click Add.
  16. Click Object Types, select Computers, and then click OK.
  17. Type the host name of the target CA, and click OK.
  18. In the Allow column, select Full Control, and then click OK.
  19. In the details pane, select the next CRL object, and repeat steps 14 through 18 until you have reached the last object.

Verifying Registry

  1. Verify that CAServerName is a registry string value located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\ registry key. It should be updated to represent the DNS name or host name of the new CA host.
  2. Verify that CACertPublicationURLs and CRLPublicationURLs are both registry multi-string values located under the same key as CAServerName.
  3. Check the remaining registry values under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc registry key, with emphasis on any values that have been customized, to ensure that they are free of data containing the old CA host name or other invalid CA settings. For example:

  • Configuration\ConfigurationDirectory
  • Configuration\CAName\CACertFilename
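The checks above can be scripted. The following PowerShell is an added example, not part of the original post: run on the target CA after the registry import, it walks CertSvc\Configuration and its subkeys for any string or multi-string value still naming the source host, checks that the four database directory values point at existing folders, and, with -PublishCrl, runs the command-line equivalent of the "Publish > New CRL" step. The source host name OLDCA is an assumption.

```powershell
# Added example, not part of the original post. Post-import audit of the
# target CA's CertSvc configuration. Assumed value: OLDCA is the source host.
param(
    [string]$SourceHost = 'OLDCA',
    [switch]$PublishCrl
)

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$hostPattern = [regex]::Escape($SourceHost)
$findings = New-Object System.Collections.Generic.List[string]

# Walk Configuration and every subkey, including the <CAName> key that holds
# CAServerName, CACertPublicationURLs and CRLPublicationURLs.
$keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
foreach ($key in $keys) {
    foreach ($name in $key.GetValueNames()) {
        # REG_MULTI_SZ comes back as string[]; wrapping scalars in @() lets one loop handle both.
        foreach ($entry in @($key.GetValue($name))) {
            if ($entry -is [string] -and $entry -match $hostPattern) {
                $findings.Add(('{0}\{1}: {2}' -f $key.Name, $name, $entry))
            }
        }
    }
}

# The CA service cannot start when these folders do not exist on the target.
$config = Get-ItemProperty -Path $root
foreach ($valueName in 'DBDirectory', 'DBLogDirectory', 'DBTempDirectory', 'DBSystemDirectory') {
    $dir = $config.$valueName
    if (-not $dir -or -not (Test-Path -LiteralPath $dir -PathType Container)) {
        $findings.Add(('{0} points to a missing folder: {1}' -f $valueName, $dir))
    }
}

if ($findings.Count -gt 0) {
    Write-Host 'Configuration still needs attention:' -ForegroundColor Yellow
    $findings | ForEach-Object { Write-Host "  $_" }
    exit 1
}
Write-Host "No CertSvc value references $SourceHost and all database folders exist." -ForegroundColor Green

# Command-line equivalent of Revoked Certificates > All Tasks > Publish > New CRL.
if ($PublishCrl) {
    & certutil.exe -CRL
    if ($LASTEXITCODE -ne 0) {
        Write-Host "certutil -CRL failed with exit code $LASTEXITCODE" -ForegroundColor Red
        exit 1
    }
    Write-Host 'New CRL published; confirm it appears at the CDP locations set under Extensions.' -ForegroundColor Green
}
```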

45 thoughts on “Migrating Windows Certificate Authority Server from Windows 2003 Standard to windows 2008 Enterprise Server”

  1. Hi Krishna,

    Thanks a lot for the great article.
    Need your advice on migrating a CA running on Windows 2000 server to Windows 2008 server.

    Do you think we can follow all the steps in your article? Any advice.

    Many thanks,

    Vicky

      • We have a Certificate Authority server running on Windows 2003 R2 32 bit version, this server is acting as a Domain controller as well as Enterprise Root certificate server, now we have a requirement of moving to a newer hardware with Windows 2008 R2 Enterprise 64 bit version which should also act as a DC and Enterprise Root CA

        Can I use the same procedures mentioned

  2. Hi, the blue command line under Complete post-migration tasks is not clear and not complete. Can I have the command line here? Thanks…

    • Hi,

      Below is the blue line. It's a single line. Replace SourceServername with the source server name.

      ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=SourceServername,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

  3. Hi Krishna,
    Thanks for publishing the excellent article. My new CA works fine on Win2k8 R2 with Win2k3 CA database. But, I am facing the following error when I merge the Win2k3 CA registry with Win2k8R2 CA registry.

    Log Name:      Application
    Source:        Microsoft-Windows-CertificationAuthority
    Date:          10/11/2010 4:20:38 PM
    Event ID:      118
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          SYSTEM
    Computer:      new_CA_FQDN
    Description:
    A portion of the Active Directory Certificate Services upgrade failed: Could not upgrade key containers. Cannot find object or property. 0x80092004 (-2146885628)
    
    Log Name:      Application
    Source:        Microsoft-Windows-CertificationAuthority
    Date:          10/11/2010 4:20:39 PM
    Event ID:      17
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      new_CA_FQDN
    Description:
    Active Directory Certificate Services did not start: Unable to initialize the database connection for CA_Name.  The system cannot find the path specified. 0x80070003 (WIN32: 3).
    
    • Yasir – I had the same error message – “The system cannot find the path specified”

      I followed this TechNet article to fix the problem:

      http://technet.microsoft.com/en-us/library/cc774578(WS.10).aspx

      My database on the old server was not installed in the same location as the new server. I had to change the values of the registry keys below to the new location (C:\windows\system32\CertLog):

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

      Check the value data for the entries named DBLogDirectory, DBSystemDirectory, and DBTempDirectory.

  4. I understand that your procedure works only when the new server is not in the domain of the old server.

    Is there a way to migrate from server 2003 name AAA to an already existing server 2008 name BBB by keeping BBB name. Both in the same Domain (AAA will be removed after a successful migration and some other tasks to do)?

    Or what kind of procedure is in my scenario best practise?
    (Deleting old, how? Creating new,…)

  5. Microsoft Premier Support said:

    I checked the procedure you used against the one on our own site and I see where it went wrong.

    Please check step 12 of the To add the CA role service by using Server Manager procedure: http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx#BKMK_AddCAbySM

    12. On the Configure Certificate Database page, specify the locations for the CA database and log files.
    
    If you specify locations that are different from the locations used on the source CA, then you must also edit the registry settings backup file before the CA is restored. If the locations specified during setup are different from the locations specified in the registry settings, the CA cannot start. 

    So, we should either install the CA to the same folder as the source CA, or change the registry backup file to match the correct folder before restoring.

    This is the modified Windows 2003 registry to be used before the old CA DB restore.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]
    "SetupStatus"=dword:00002003
    "Active"="CA_Name"
    "ConfigurationDirectory"="\\\\old_CA_FQDN\\CertConfig"
    "DBDirectory"="C:\\WINDOWS\\system32\\CertLog"
    "DBLogDirectory"="C:\\WINDOWS\\system32\\CertLog"
    "DBTempDirectory"="C:\\WINDOWS\\system32\\CertLog"
    "DBSystemDirectory"="C:\\WINDOWS\\system32\\CertLog"
    "DBSessionCount"=dword:00000014
    "LDAPFlags"=dword:00000000
    "DBFlags"=dword:000000b8
    "Version"=dword:00020002
    "DBLastFullBackup"=hex:e3,50,13,d4,8e,67,cb,01
    
  6. I am in the process of moving (as another user) from a 2003 DC server (AAA) to a 2008R2 DC (BBB), needing to decommission the 2003.

    I am just wondering if I should proceed with moving the CA before or after moving the roles and GC?

    Thanks for the comments/suggestion!

  7. Hi, I have one question
    about this part:

    Verify that CAServerName is a registry string value located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\ registry key. It should be updated to represent the DNS or the host of the new CA host.

    Should we change the value manually, or does it change automatically??

    thanks!

  8. HI, Thanks a lot for your guide. I used it and worked just fine migrating from 2003 R2 Std to 2008 R2 Ent. Only note is you should update the body of the article as it is necessary to update the hostname in the registry file before importing into new server and when exporting from source server better export as Regedit NT4, which is plain text.
    Thank you very much !!!

    • Hi Jorge,

      We’re trying to accomplish the same. Would you be kind enough to send me the steps you took to do this?

      The 2003 R2 is a domain controller and a GC. We’re in the process of migrating the DC from 2003 R2 Ent. to 2008 R2 Ent.

      Do we need to dcpromo the new 2008 R2 before we migrate the CA? What were the exact steps?

      Appreciate your help.

      Thanks,
      MSS

  9. Hi all,
    a big, big question: I want to migrate from W2K3 to a new W2K8R2 server with a different hostname. Will all issued certificates work after migration to a new server name? We use the certificates for our VPN access.
    Thanks, runnerz

  10. Pingback: Migrate/Upgrade CA from one 2003 to 2008/R2 « Awinish's Blog..

  11. Our CA was originally set up to create a cert for Exchange 03 OWA, on our exchange server. That cert is no longer really in use. It expired a long time ago and no one really noticed because since it was self signed to begin with you still had to click by the security warnings. The only other use our CA has is for Radius. Now that I’m setting up a new NPS server I’m wondering if it’s really worth it to go through all the trouble to migrate the CA. I’m thinking it would be easier to just revoke the certs and remove the CA root from the server (I can’t decommission the entire server yet). And then set up a new CA Root from scratch and reconfig our Radius and NPS servers to use the new CA. If I uninstall and create new will I need to worry about any other lingering effects like left overs in AD?

  12. Have tried this over and over.. no joy.. I get the following after importing the registry and making the necessary changes ..

    Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. MyCANAMEHERE The system cannot find the file specified. 0x80070002 (WIN32: 2).

    This occurs trying to start the CA service.. the database and log etc.. are installed in the default location on both servers.. so it's not that.. not sure where else to look..

    The service works after restoring the db .. so it's obviously something after the registry import.. 😦

  13. Is it possible to use this to move from 2003 R2 to 2003 R2. The server (non-DC) our CA is on is failing and I want to move it to an existing 2003 R2 (possibly a DC) and we can’t afford a new 2008 server.

  14. Pingback: CA Move auf anderen Server - MCSEboard.de MCSE Forum

  15. I’m following all the instructions – I’m having issues with restoring the backup onto the new CA

    I get this:

    The expected data does not exist in this directory. please choose a different directory.

    The system cannot find the file specified. 0x80070002 (WIN32: 2)

    • Faced same error today. It’s probably a mistake in this step:
      ___________________________________________________

      On the Items to Restore page, select Certificate database and certificate database log. Click Browse, and navigate to the location of the Database folder that contains the CA database export files created when you previously exported the CA database.
      ___________________________________________________

      You should point to a folder, where p12 certificate stored, and not directly to sub-folder where exported database resides. My folder structure looked like this:

      C:\CA_Backup\Database

      P12 certificate is in the CA_Backup and exported DB is in the Database folder. So basically you should point to C:\CA_Backup\ folder. I did this and import went fine and I could complete other steps.

  16. Hi Greg

    Sounds like you are trying to restore the database to a 64-bit server from a 32-bit server which is blocked unfortunately. As a result there is no upgrade path (which I have just found out). I will be creating a new 32 bit standalone CA (i.e. non-DC) as a result.

    Cheers

    Adam

  17. Adam,

    I built a new CA on 2008 R2 64 bit, since there will not be any more 32 bit Windows servers.

    Running as a virtual machine, I should be able to move it when the need arises.

    Good luck

    Greg

  18. Few questions:

    1) Can I move my CA from a Windows 2003 (32 bit) to a Windows 2008 R2 SP1 (64bit) ?

    2) Can the source and destination servers names be different ?

    3) Can I upgrade a Windows 2003 (32b) with CA to a Windows 2008 R2 with SP2 (64 bit) ?

  19. I’ve just used your guide to successfully migrate from a 2003 CA to a 2008 R2 CA. Thanks!

    I ran in to one issue though in that not all of the email alerts are working now. I exported and imported the registry to the new system so all the settings are there. I’m only receiving alerts when the CA starts, stops and a CRL is issued. On the old servers I also received notifications when a cert was issued, denied or revoked. Has anyone else ran in to this? Any fixes?

  20. Pingback: Migrate a certificate authority from windows 2003 to windows 2008 R2 | Exchange DUDE

  21. Pingback: 2K8R2 - Zertifizierungsstelle umziehen 2k3 32bit -> 2k8R2 - Seite 2 - MCSEboard.de MCSE Forum

  22. Pingback: what is mcse course

  23. Can you upgrade a Windows 2008 CA (also a domain controller) x64 to Windows 2008 R2 SP1 CA/DC? (i.e. stick in the Windows 2008 R2 SP1 CD and upgrade it)

  24. HI everyone,

    Would you be able to help? I followed the instructions to migrate my Windows 2003 standalone CA server to a Windows 2008 Enterprise CA root server, and everything worked well. The only problem was that when I requested a certificate via the web from the advanced option, I didn’t see the option “Subordinate certificate authority”. I need this option because I am setting up my Websense appliance to run as a subordinate server; it needs a certificate to run and issue certificates to clients.

    Thank you and much appreciated if anyone came across the issue above and can advise resolution for it.

    Cheers

    Kevin

  25. EXCELLENT!!!
    Successfully went from a DC running Windows Server 2003 SP2 (x86) –> Non-DC running Windows Server 2008R2 Enterprise (x64)

    One thing I might add…
    In AD Sites & Services > AIA, after granting full control to the target CA, you can remove the source CA.

  26. Hi guys, I am in trouble here. I inherited a network and apparently the server being referenced as the CA is not there. I need to have a functional CA. I have tried loading the MMC snap-in but to no avail. Kindly assist, anyone.

  27. Krishna and everyone, thank you for this detailed resource. I am planning to migrate my (small, uncomplicated) Enterprise CA from a 2003 DC to a 2008 member server with a different name (this is all part of retiring that DC). Thanks to your work I feel confident that I will be successful in this task (including the CRL and AIA “clean up”).

    I have what feels like a “noob” question – our CA has issued various certs to our Exchange server, one of which is being used by the CAS. If I take the precaution of publishing a CRL revocation list that covers the time in question, will the Exchange cert continue to work during the migration? I am not too fussed if OWA clients from outside can’t get in while I’m doing the migration because they haven’t installed the cert on their machine (that’s what “outage notifications” are for), but having the CAS fail would be A Huge Problem, and if people won’t be able to get mail on their phones I want them to know in advance. If users have the mail server’s cert manually installed on their phone/remote PC, will they be able to sail on through the outage? Thanks!

  28. Hi,
    Thanks for this guide. I guess that this procedure can be applied for a migration from Windows 2003 CA to Windows 2012 CA?
    Regards

  29. Excellent blog. Just wondering whether we can use the same procedure to migrate from 2008 R2 to Windows 2012 R2?

  30. Mr Genius..!

    I have a migration coming up and was wondering if I could use this article to migrate the CA from a 2003 R2 Ent 32bit DC to a 2008 R2 Ent 64 bit DC.

    Please let me know.

    Thank you so much..

    MSS

  31. Pingback: Migrating Windows Certificate Authority Server from Windows 2003 Standard to windows 2008 Enterprise Server | Tanny Ahmad – I.T. Infrastructure
