Step by step Instructions for Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2 – Part 1

Below are the step by step comprehensive Instructions for subroutine CA migration from Windows Server 2003 to Windows Server 2008 R2.
This article is published in three parts and in this part we will discuss more in details on about preparing of source and destination server for the migration

1. Preparing Source Server

Map network share in source server to copy backup files

Perform/Verify System state backup of Source CA

a. Verify and backup CA Template set

Open Command prompt

Type certutil.exe – catemplates > catemplates.txt

Verify the contents of catemplates.txt with the templates displayed in Certificate Authority snap-in

b. Verify and backup CA’s CSP and signature algorithm

Open Command prompt

Type certutil.exe –getreg ca\csp\* > csp.txt

Verify that the csp.txt contains CSP detaill

c. Publish CRL with extended validity period

Open Certificate Authority snap in

In the console tree right click “Revoked Certificates” and click Properties

Record the current CRL Publishing Parameters

Set the CRL Delta publishing interval to 2 days

Click on “Revoked Certificates” -> all task -> publish -> Delta CRL only

d. Backup CA DB and Private Key

Map shared network drive to take the backup

on Certificate authority snap-in right click point to All task and backup CA

On the Welcome page of the CA Backup wizard, click Next.

On the Items to Back Up page, select the Private key and CA certificate and Certificate database and certificate database log check boxes, specify the backup location, and then click Next.

On the Select a Password page, type a password to protect the CA private key, and click Next.

On the Completing the Backup Wizard page, click Finish.

After the backup completes, verify the following files in the location you specified CAName.p12 containing the CA certificate and private key Database folder containing files certbkxp.dat, edb#####.log, and CAName.edb

Open command prompt and type Net stop Certsvc to stop Certificate Service

e. Backup CA Registry

Click Start, point to Run, and type regedit to open the Registry Editor.

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, right-click Configuration, and then click Export.

Specify a location and file name, and then click Save. This creates a registry file containing CA configuration data from the source CA.

f. Remove source server

Launch Add or remove program

Click Add/Remove windows components and uncheck Certificate Services

Click next and finish

Remove source server from domain

Delete AD computer object

Rename source server to some temp name

2. Preparing Destination Server

Change destination server name to the initial source server name

Add destination server to domain

Map network share used in taking the backup on source server

a. Import the CA certificate

Start the Certificates snap-in for the local computer account.

In the console tree, double-click Certificates (Local Computer), and click Personal.

On the Action menu, click All Tasks, and then click Import to open the Certificate Import Wizard. Click Next.

Locate the <CAName>.p12 file created by the CA certificate and private key backup on the source CA, and click Open.

Type the password, and click OK.

Click Place all certificates in the following store.

Verify Personal is displayed in Certificate store. If it is not, click Browse, click Personal, and click OK.

b. Add CA and IIS roles on destination server

Log on to the destination server, and start Server Manager.

In the console tree, click Roles.

On the Action menu, click Add Roles.

If the Before you Begin page appears, click Next.

On the Select Server Roles page, select the Active Directory Certificate Services and Web Server (IIS) check box, and click Next.

On the Introduction to AD CS page, click Next.

On the Role Services page, click the Certification Authority check box, and Certification Authority Web Enrollment and click Next.

On the Specify Setup Type page, specify either Enterprise and click Next.

On the Specify CA Type page, select Subordinate CA, and click Next.

On the Set Up Private Key page, select Use existing private key and Select a certificate and use its associated private key.

In the Certificates list, click the imported CA certificate, and then click Next.

On the Configure Certificate Database page, specify the locations for the CA database and log files.

On the Confirm Installation Selections page, review the messages, and then click Install.

Hope you liked this article, please continue with the next part where we will discuss in details of the below

Part 2 – Restoring the Source from backups and Verifying the migration
Part 3 – Back Out procedure

One thought on “Step by step Instructions for Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2 – Part 1

  1. Thanks for another great article. The place else may just anybody get that type of information in such a perfect manner of writing?

    I’ve a presentation subsequent week, and I’m on the look for such information.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s