Migrating a Windows Enterprise Certificate Authority from Windows 2003 to Windows 2008 R2


One challenge that administrators face is the periodic upgrade of the operating system. In most cases the upgrades are seamless; however, you might encounter scenarios where limitations prevent a direct upgrade path.

This post details the steps to migrate an Enterprise CA from Windows 2003 to Windows 2008 R2.

Existing server: Windows 2003 SP, running as a domain controller (multiple DCs available), DNS and Certificate Authority.

Target: CA on Windows 2008 R2.

One of the major reasons to do so was that Windows 7 and Windows 2008 R2 clients were unable to enroll for a certificate using the web enrollment feature.

The solution:

You will have read in multiple MS articles and posts that the name must be the same to migrate the CA. Please note that this is the CA name and not the host name of the server hosting the Certificate Authority. The details of all your CAs are stored in Active Directory (an Enterprise CA is not available in a workgroup; only stand-alone root or subordinate CAs are available in a workgroup).

1. Demote the domain controller. This would be the first step; however, you may retain the DC and want only to migrate the CA.

2. First migrate the CA to Windows 2003 SP1 (new server) and then do an in-place upgrade to Windows 2008 R2 (remember that in this case the existing CA should be x64); otherwise, if possible, do an in-place upgrade to Windows 2008 R2 and then migrate the CA role to another Windows 2008 R2 server.

Steps:

1. Back up the Enterprise CA. To do this, go to Administrative Tools, Certification Authority. Open the CA console, right-click the CA name, select All Tasks and click Back up CA. The backup wizard starts.

2. Follow the wizard and then select:

   a) Private key and CA certificate

   b) Certificate database and certificate database log

The backup contains the CA database and the root certificate (with its private key), stored as CAname.p12.

MS also recommends backing up the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration


Once the backup has been created, you will need to uninstall the Certificate Authority on the Windows 2003 server. Go to Control Panel, Add/Remove Programs, Add/Remove Windows Components and then uninstall the CA.


You might find posts that say to stop the CA service and then restore the backup on the new server. That never works; please ensure that the backup is taken and then uninstall the Certificate Authority.

On the new certificate server, install the CA from Control Panel, Add/Remove Windows Components.

On the Set Up Private Key page, click Use existing private key and point to the .p12 file from the backup you took.

In the Public and Private Key Pair dialog box, verify that Use existing keys is selected.

Point the wizard to the CA database and complete the setup.

Start the CA service in Windows.

Note that if you need web enrollment, make sure that you install the CA Web Enrollment feature.

The custom certificate templates that you might have created would need to be recreated; however, we have seen that this should not be a challenge.

Now do an in-place upgrade to Windows 2008 R2.
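The same backup and restore sequence can be scripted instead of clicked through. The script below is an added example, not part of the original post: it drives certutil.exe, reg.exe and net.exe from PowerShell, so it assumes PowerShell 2.0 is installed on the Windows 2003 source server. The backup folder C:\CABackup, the function names and the verification checks are assumptions. It reads the CA name from the Active value of the CertSvc Configuration key the post names, confirms that the key archive and database are actually present before the old CA is uninstalled, and on the new server restores the database with certutil -restore after the role has been installed with "Use existing private key" (an alternative to pointing the wizard at the database), then checks that the restored CA reports the expected name.

```powershell
# Added example (not from the original post): script the CA backup on the old server
# and the restore on the new one. Paths and function names are assumptions.
param(
    [ValidateSet('Backup', 'Restore')]
    [string]$Mode = 'Backup',
    [string]$BackupDir = 'C:\CABackup'     # assumed location of the backup set
)

$CfgKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CfgKeyReg = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CAName {
    # The "Active" value holds the CA name (the name that must survive the
    # migration; the host name of the server does not matter).
    (Get-ItemProperty -Path $CfgKey -Name Active).Active
}

function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try   { [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Test-CABackup([string]$Dir, [string]$CAName) {
    # Refuse to go on to the uninstall step unless both artefacts exist and are non-empty.
    $p12 = Join-Path $Dir "$CAName.p12"
    if (-not (Test-Path $p12) -or (Get-Item $p12).Length -eq 0) {
        throw "Key/certificate archive missing or empty: $p12"
    }
    $edb = Get-ChildItem (Join-Path $Dir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
    if (-not $edb) { throw "CA database (*.edb) missing under $Dir\DataBase" }
    Write-Host "Backup verified: $p12 and $($edb.Name)"
}

function Backup-EnterpriseCA([string]$Dir, [System.Security.SecureString]$Password) {
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $plain = ConvertTo-PlainText $Password

    # Private key + CA certificate (<CAName>.p12) and the database (DataBase\), like the wizard's two options.
    & certutil.exe -p $plain -backup $Dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

    # The registry key MS recommends backing up.
    & reg.exe export $CfgKeyReg (Join-Path $Dir 'CertSvc-Configuration.reg') /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # Record the published templates so custom ones can be recreated on the new CA.
    & certutil.exe -catemplates | Out-File (Join-Path $Dir 'templates.txt')

    Test-CABackup -Dir $Dir -CAName (Get-CAName)
}

function Restore-EnterpriseCA([string]$Dir, [System.Security.SecureString]$Password) {
    # Run on the new server after the CA role was installed with "Use existing private key"
    # pointing at <CAName>.p12 from this backup set.
    $expected = Get-CAName
    Test-CABackup -Dir $Dir -CAName $expected

    & net.exe stop certsvc | Out-Null
    $plain = ConvertTo-PlainText $Password
    & certutil.exe -f -p $plain -restore $Dir          # -f overwrites the empty database created at install
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with exit code $LASTEXITCODE" }

    & net.exe start certsvc
    if ($LASTEXITCODE -ne 0) { throw "certsvc failed to start after restore" }

    # Sanity check: the running CA must answer with the name carried over from the old server.
    $info = (& certutil.exe -cainfo name) -join "`n"
    if ($info -notmatch [regex]::Escape($expected)) { throw "Restored CA does not report name '$expected'" }
    Write-Host "CA '$expected' restored and running."
}

$pw = Read-Host -Prompt 'Password protecting the CA key archive' -AsSecureString
switch ($Mode) {
    'Backup'  { Backup-EnterpriseCA  -Dir $BackupDir -Password $pw }
    'Restore' { Restore-EnterpriseCA -Dir $BackupDir -Password $pw }
}
```

Run it as `.\Migrate-CA.ps1 -Mode Backup` on the old server before removing the CA role, copy the backup folder across, and run `.\Migrate-CA.ps1 -Mode Restore` on the new server once the role is installed. The exported .reg file is kept for reference rather than imported automatically, since it carries paths from the old server.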

If you need any assistance, contact support@securesine.com and we will extend a free CA migration service to small and medium businesses.

Regards,

The Wyseadmin