Move Root Certificate Authority from Windows Server 2003 to Windows Server 2008

Tuesday, March 2nd, 2010 by

Well, I’ve been trying to write this article for about a month now and finally had some time to sit down and type it out.  I was inspired by this article when I had a client request to move their Root Certificate Authority on a Windows 2003 Domain Controller to a new Windows 2008 Domain Controller.  To be honest, there really isn’t anything to it but the information I found out on the net wasn’t that great so I thought I would provide the world with some info on how to perform this process. 

The Client setup involved a Windows 2003 domain controller that was acting up.  On this DC was their Root Certificate Authority for their entire Active Directory environment.  The client is small and does not have any special requirements for an Enterprise CA and wanted to move their CA to Windows 2008 Active Directory Certificate Services. 

The key principles here are that we need to move the private key associated with the Root Certificate Authority and also the Certificate Authority Database.  When moving a certificate Authority we need to preserve the CA name in the environment, otherwise nothing will work!  The clients will not be able to locate the CA nor will the Root certificate match up with the certificates.  Things just won’t be trusted.

To get started I reviewed the Microsoft support article How to move a certification authority to another server and used it to back up the existing Windows 2003 Root CA.  I first used the Certification Authority snap-in to back up the CA database and private key.  To perform the backup, follow these steps:

  • In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.
  • Click Next, and then click Private key and CA certificate.
  • Click Certificate database and certificate database log.
  • Use an empty folder as the backup location. Make sure that the backup folder can be accessed by the new server.
  • Click Next. If the specified backup folder does not exist, the Certification Authority Backup Wizard creates it.
  • Type and then confirm a password for the CA private key backup file.
  • Click Next, and then verify the backup settings. The following settings should be displayed:
      • Private Key and CA Certificate
      • Issued Log and Pending Requests
  • Click Finish.

Next we have to save the registry settings.  To save the registry settings perform the following:

  • Click Start, and then Run.  In the Run field type regedit and click OK.
  • Locate and then right-click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration (while you are here, take a look at the settings and take a screen shot so you can confirm they match on the new server at the end).
  • Click Export.
  • Save the registry file in the CA backup folder that was defined above.
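The two wizards above can also be scripted with certutil and reg.exe, which is handy when the old DC is already misbehaving and you want a repeatable, logged backup. The following is an added example and not part of the original article: the folder C:\Temp\CABackup and the key password are assumed values, and the commands are plain certutil/reg calls, so they also work from cmd.exe on the 2003 server.

```powershell
# Added example, not part of the original article: command-line equivalent of the
# Back up CA wizard plus the regedit export. $BackupDir and $KeyPassword are assumptions.
$BackupDir   = 'C:\Temp\CABackup'               # must be a fresh, empty folder; it is restored from later
$KeyPassword = 'replace-with-a-long-passphrase' # protects the exported CA certificate + private key (.p12)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Back up the CA certificate with its private key and the certificate database + log.
#    certutil writes <CAName>.p12 into $BackupDir and the database into $BackupDir\DataBase,
#    which is why the restore later must point at $BackupDir itself, not at the subfolder.
certutil -p $KeyPassword -backup $BackupDir

# 2. Record the CA name before the move; it has to be identical on the new server or the
#    issued certificates and the CDP/AIA references in them will no longer match.
certutil -cainfo name | Out-File -FilePath "$BackupDir\ca-name-before.txt"

# 3. Export the CertSvc configuration (CDP/AIA URLs, validity periods, CSP and key settings).
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "$BackupDir\CertSvc-Configuration.reg"

# 4. Record a hash of every backup file so the copy on the new server can be checked
#    against the originals before anything is restored from it.
Get-ChildItem -Path $BackupDir -Recurse |
    Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'hashes.txt' } |
    ForEach-Object { certutil -hashfile $_.FullName } |
    Out-File -FilePath "$BackupDir\hashes.txt"
```

The .p12 file is the CA's private key; once the folder has been copied to the new server and the hashes compared, that file should not stay lying around on file shares.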

Now that we have the database, certificate and registry backed up, the next step is to remove Certificate Services from the old computer.  This process is pretty straightforward: go into Control Panel, Add/Remove Programs, Windows Components and clear the Certificate Services tick box.  Note: be sure to remove Certificate Services from the old computer prior to deploying Certificate Services on the new machine.  If you deploy AD CS first, the target CA will become unusable. 

Finally, rename the old server or permanently disconnect it from the network. 

In the step above I took the existing Domain Controller, removed the Certificate Services from it and then performed a DCPromo to remove Active Directory from the computer.  Once the computer was no longer a domain controller I renamed the old server.  I wanted to keep the server online for a fail back just in case, which wasn’t necessary since the move went over successfully!

Now, looking at where we stand, I had the CA certificate, the private key, the certificate authority database and the registry settings backed up.  The data backed up above should be copied to the new server that will be used for Active Directory Certificate Services; it will be imported below.  The next step is to deploy Active Directory Certificate Services on the Windows 2008 domain controller.  I should point out that when deploying Active Directory Certificate Services you should use Windows 2008 Enterprise edition.  W2K8 Enterprise gives you more Certificate Services functionality.  For a comparison of the features in Windows 2008 Standard vs Windows 2008 Enterprise take a look at this link: Active Directory Certificate Services Step-by-Step Guide.  If you scroll down a bit you will see a comparison chart noting which features are available with which edition of Windows. 

Now, let’s move on to the part where we deploy and restore the Certificate Services.  Log on with local or enterprise administrator permissions to the CA computer and perform the following:

  • Launch Server Manager on Windows 2008. 
  • In the console tree, click Roles.
  • On the Action menu, click Add Roles.
  • If the Before you Begin wizard appears, click Next.
  • In the list of available server roles, select the Active Directory Certificate Services check box, and click Next twice.
  • Make sure that Certification Authority is selected, and click Next.  (Note: if you are going to use Web Enrollment, check this box too.  You can always add it later, but why not add it now?  Any required role services will be installed as well, since checking the box prompts you with a list of role services to add.)
  • Select Enterprise and click Next.  (We are doing this because this is an Enterprise Root CA that will integrate with Active Directory.  Just like the one I decommissioned.  Best practice is to have a Standalone Root CA but given the size of this organization they are not too concerned with having a Standalone Root CA.)
  • Specify Root and click Next.  (If the CA you’re moving from was a Subordinate CA then you would tick the Subordinate CA option.  Since in my example this is a Root CA we are sticking with Root.  Keep in mind that this option must match the type of the CA you’re coming from, Root or Subordinate.)
  • At this stage, you have a choice between creating a new private key or using an existing private key.  For a migration, on the Set Up Private Key page, select Use existing private key and choose Select a certificate and use its associated private key.

You should have something that looks like this:

(Screenshot: ADCSPic, the Set Up Private Key page)

Click Next and continue the steps below:

  • If the CA certificate we backed up above has been installed on the computer, it will be listed in the Certificates box. Otherwise, click Import to import a certificate from the .pfx file created by exporting the CA certificate and private key from the source CA.
  • Click Browse, and locate and select the file containing the certificate and private key exported from the source CA.
  • Enter the password you selected when exporting the CA certificate and key from the source CA, and click OK.  Select the certificate that was just imported and click Next.
  • When choosing the database and log locations you can either use the defaults or browse to new ones.  Once done, click Next.
  • Complete the installation of AD CS.
  • Click Yes to accept the warning to overwrite AD DS. (This appears only if you are installing an enterprise CA.)

Congratulations, you’re almost there!  We have deployed Active Directory Certificate Services on Windows 2008.  There are still two more steps that must be completed.  This is the process of restoring the Certificate Authority Database that was backed up in the first section and restoring the registry component. 

To restore the registry, simply locate the registry export file that was saved above, right-click it and select Merge.  This imports the registry settings into the W2K8 server.  You can check that the settings were imported correctly by browsing to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration and verifying your settings are there (remember that screen shot?).  Next we have to restore the database.

To restore the database and log files perform the following:

  • Open Server Manager on the Windows 2008 Server.
  • Expand Roles and then Expand Active Directory Certificate Services.
  • Locate the name of the CA you just deployed.
  • Right Click the CA name and select Restore CA…
  • You will get a warning message that AD CS cannot be running while this action is performed.  Click OK to stop AD CS.
  • On the wizard’s welcome page, click Next.
  • On the Items to Restore screen check the box Certificate database and certificate database log only.  Click Browse to locate the database that was copied over above.  (Note: I need to point out here that you select the folder you backed up to.  i.e. if you backed up the database and logs to C:\Temp\CABackup then this will be the folder you will restore from.  The backup process will create a subdirectory that it will look for during Restore, if you go one folder too deep the restore will fail.)  Once you have located your backup click Next.
  • On the completion screen click Finish and the restore will begin. 
  • Once the restore is complete you will receive a dialog box asking whether you would like to restart AD CS.  Simply click Yes.  (We shouldn’t have any incremental backups since we are doing a migration.)
  • Once the AD CS service is restarted we are good to go!
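The registry merge, the database restore and a few sanity checks can also be run from an elevated PowerShell prompt on the 2008 server. This is an added example and not the article’s own procedure: it assumes the backup folder was copied to C:\Temp\CABackup and that the AD CS role has already been installed with the imported certificate and key as described above.

```powershell
# Added example, not part of the original article: command-line version of the registry merge
# and database restore, followed by checks a migration should pass. $BackupDir is an assumed path.
$BackupDir = 'C:\Temp\CABackup'   # folder copied from the old server (holds DataBase\ and the .reg export)

# 1. Merge the exported configuration (same as right-click > Merge in Explorer).
#    Caveat: the .reg carries the OLD server's DBDirectory, DBLogDirectory, DBSystemDirectory
#    and DBTempDirectory values. If you chose non-default paths during role installation,
#    edit those four values in the .reg file before importing it.
reg import "$BackupDir\CertSvc-Configuration.reg"

# 2. The database restore needs the service stopped; -f overwrites the empty database that the
#    role installation created. Point at the backup folder itself, not at its DataBase\ subfolder.
Stop-Service -Name CertSvc
certutil -f -restoredb $BackupDir
Start-Service -Name CertSvc

# 3. Checks that matter for a migration.
certutil -ping                             # the CA request interface answers
certutil -getreg CA\CRLPublicationURLs     # CDP locations survived the registry merge
certutil -getreg CA\CACertPublicationURLs  # AIA locations likewise
certutil -CRL                              # publish a fresh CRL; failures here point at CDP paths or ACLs

# The CA name must be the same as on the old server. If a record was kept before the move
# (here assumed as ca-name-before.txt in the backup folder), compare it automatically.
$Recorded = "$BackupDir\ca-name-before.txt"
if (Test-Path $Recorded) {
    $Before = (Get-Content $Recorded | Select-String '^CA name:').Line
    $After  = (certutil -cainfo name | Select-String '^CA name:').Line
    if ($Before -ne $After) { Write-Warning "CA name changed: '$Before' -> '$After'" }
    else { "CA name preserved: $After" }
} else {
    certutil -cainfo name
}

# The last lines of this output give the row count: the issued certificates came back with the database.
certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,NotAfter" | Select-Object -Last 3
```

If `certutil -CRL` fails right after the restore, check the CDP entries printed by `-getreg` first: a stale file path or a CDP container in AD that the new computer account cannot write to are the usual causes.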

Well, what do you guys think?  Worth the effort?  Migrating to W2K8 AD CS will help your CA remain alive much longer.  During this process I also had to renew the CA certificate, which was fairly easy. 

I hope this article will help someone out there. I know I was able to get through it, but I had to go to a couple of different sources to get the exact process down.

Enjoy!

129 Responses to “Move Root Certificate Authority from Windows Server 2003 to Windows Server 2008”

  1. Scott says:

    Ade,

    Yes, you can do the move from 2003 to 2008. I have done this myself without any issues. I would also suggest placing the CA on a non DC server. I have seen issues where the DC crashes and the CA goes down with the ship. Since you are moving the CA to a new server (with the same server name) the database will remain intact and the AIA, CRL, etc will remain the same since the server name is being preserved.

  2. Tero says:

    Thanks for great guide! I have successfully moved my root CA from old 2003 box to new virtual 2008.

  3. Scott says:

    Glad to help!

  4. Ade Morgan says:

    Sorry Scott for the delay in responding but have been putting this one off for a while but have no option now as the domain controller this CA is on is misbehaving.

    You suggested placing the CA on a non-DC server, so I can’t really preserve the name, so I wondered what else is required so that the certificates remain valid with a change of machine name … or is this not possible without breaking them??

  5. Scott says:

    Hi Ade,

    You can move the server to another server with a different name by performing a number of steps taken from this URL: http://smtpport25.wordpress.com/2010/01/16/migrating-windows-certificate-authority-server-from-windows-2003-standard-to-windows-2008-enterprise-server/

    To summarize the steps are:

    - Edit the registry
    - Edit the ACLs on AIA and CDP containers in AD
    - Add CRL point with the OLD server’s name in path (usually only LDAP and HTTP)
    - TEST PUBLISHING CRL and Delta CRLs is a MUST !!!

  6. Ade Morgan says:

    Scott

    Have migrated from W2003 Std to W2008 Enterprise R2 from the original DC to a standalone server, existing certificates seem to be fine and I have created a new user certificate and everything in the certificate looks to be OK.

    Have two questions:

    1) under AD services, Public Key Services and CDP I have both a new server and old server folder as containers for the CA(domain) cRLDistributionPoint. Is it safe to remove the old one?

    2) Domain and therefore CA was setup using default domain.local, certificates issued all seem to have .local where would you alter this to get .co.uk ??

    Thanks again and also in anticipation.

    Ade

  7. Scott says:

    Hi Ade,

    As long as you have the CRL distribution points updated you can delete the old CA since it is no longer online.

    The co.uk? The name is domain.local which is your Active Directory domain. Keep in mind that this is an internal PKI environment for your internal users/systems. Anything public would have to come from a 3rd party trusted CA i.e. VeriSign or GoDaddy etc.

  8. Armend A. says:

    What I’m struggling with is that I have to migrate the CA from a Windows 2008 R2 DC to another DC or member server but keep the settings the same.
    Can I keep the same CA name while different server name ?
    thanks

  9. Scott says:

    Armend,
    You can move the server to another server with a different name by performing a number of steps taken from this URL: http://smtpport25.wordpress.com/2010/01/16/migrating-windows-certificate-authority-server-from-windows-2003-standard-to-windows-2008-enterprise-server/

    To summarize the steps are:

    - Edit the registry
    - Edit the ACLs on AIA and CDP containers in AD
    - Add CRL point with the OLD server’s name in path (usually only LDAP and HTTP)
    - TEST PUBLISHING CRL and Delta CRLs is a MUST !!!

  10. Dorko says:

    Scott,

    I am planning on following these instructions very soon. If I retain the computer name and successfully restore the CA to my target machine, can I then rename the computer afterwards? Not a big deal, just want to get rid of the old name as well, it doesn’t conform to our naming conventions.

    Thanks!
    Dorko

  11. Scott says:

    Dorko,

    Typically you want to keep the computer name the same due to CRL and AIA lists will reference the computer name. If you change the name those access points for the server name will break.

    If you change the server name then you have to alter the distribution point names in AD and on the CA.

  12. JeffL says:

    Scott,

    We will be making this Windows upgrade next year. What if we want to increase the product key from 1024 to 2048 when we move from Windows 2003 to 2008? Our CA cert expires next June, so we will need to renew anyway, but we are hoping we can change the product key to 2048. Can this be done? If so, what is the most ideal time: on our 2003 server before the transfer, on 2008 during the transfer or on 2008 after the transfer?

    Thanks, JeffL

  13. Scott says:

    Hi JeffL,

    Going off memory here, but if I recall when you renew your CA certificate you can make it a 2048 since you are technically getting a new certificate generated. I believe during this process you will need to generate a new private key. I would make the move prior to your certificate expiring so you can renew it on the new 2008 server.

  14. Matt says:

    Thanks for a great writeup. This was much easier than expected!

  15. Chris says:

    You said: If you change the server name then you have to alter the distribution point names in AD and on the CA.

    Where do we make these changes?

  16. Scott says:

    You can change the distribution points by opening the Certificate Authority MMC on the server. Right click on the CA and click on Extensions and click on Add. Add the following ldap:///CN=,CN=Servername,CN=CDP,CN=Public Key Services,CN=Services,. Make sure you check the box that says publish CRLs to this location. Once done publish your CRLs.
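For the rename case Scott describes above, the extra CDP entry carrying the old server name can be added with certutil instead of through the Extensions tab, and the result tested straight away. This is an added example and not Scott’s own commands: OLDSERVER, NEWSERVER, CONTOSO and the configuration naming context are placeholders, and the ldap path uses certutil’s standard replacement tokens (%7 truncated CA name, %8 CRL name suffix, %6 configuration container, %10 CDP object class) where the comment above lost its variables.

```powershell
# Added example, not from the comment above: add a CRL distribution point under the OLD server's
# name so certificates issued before the rename still find a CRL, then test publication.
# OLDSERVER, NEWSERVER, CONTOSO and $ConfigNC are placeholders for your environment.
$OldServer = 'OLDSERVER'
$NewServer = 'NEWSERVER'
$Domain    = 'CONTOSO'
$ConfigNC  = 'CN=Configuration,DC=contoso,DC=local'   # forest configuration naming context

# Flag 65 = 1 (publish CRLs to this location) + 64 (publish delta CRLs to this location).
# Flag 2 (put the URL into the CDP extension of newly issued certificates) is deliberately
# left out: new certificates should point at the new server, only old ones need the old path.
$OldCdp = "65:ldap:///CN=%7%8,CN=$OldServer,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

# The leading '+' appends to the REG_MULTI_SZ instead of replacing the existing entries.
certutil -setreg CA\CRLPublicationURLs "+$OldCdp"

# The old-name CDP container in AD was writable only by the OLD computer account; grant the
# NEW computer account full control (GA) on it so publishing there can succeed.
$OldCdpDN = "CN=$OldServer,CN=CDP,CN=Public Key Services,CN=Services,$ConfigNC"
dsacls $OldCdpDN /G "$Domain\$NewServer`$:GA"

# Registry changes to CertSvc\Configuration take effect after a service restart.
Restart-Service -Name CertSvc
certutil -getreg CA\CRLPublicationURLs   # confirm both the new and the old-name entries are listed
certutil -CRL                            # publish base + delta CRLs; an error here means an ACL or path problem

# Verify that a certificate issued before the rename (placeholder path) still resolves its CDP.
certutil -verify -urlfetch 'C:\Temp\old-issued-cert.cer'
```

Run the `-verify -urlfetch` step against a certificate issued before the move and one issued after it: the old one exercises the old-name CDP, the new one the current entries, which covers Scott’s “test publishing CRL and delta CRLs” point for both populations.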

  17. Rich says:

    Is EventID 126 to be expected on an offline Root CA?

    Current information about advanced features supported by this Certification Authority is not available from the domain controller. Stop and restart Certificate Services in order to update this information. The specified domain either doesn’t exist or could not be contacted. 0x8007054b (WIN32:1355)

  18. Scott says:

    Can you give me some background on what you did? Did you follow the article or did you rename the CA? Is the CA deployed on a DC?

  19. Rich says:

    The offline root CA is just a member of a workgroup (it is on a VM with no NIC so completely isolated), we have a subordinate CA which is a DC for our domain which issues the certs (I plan to migrate this next). I followed the article as described. I used the same name throughout and will also do the same on the subordinate. I presumed the error would be expected due to the root CA being isolated but wanted to check before migrating the subordinate CA. One of my old colleagues set it up this way to ensure security of the root CA!

    Also, what would be the procedure for renewing the certs throughout? Would I just submit a new request from the subordinate CA & transfer the request to the root CA or would I need to renew the certificate on the root CA first?

  20. Scott says:

    Renew the Cert on the root CA if you need to. Typically a Root CA that is offline should be good for 20 years on average. You will want to use the same key to keep things simple. Keep in mind you will need the root Cert on the servers/workstations to be trusted. You can do this by doing a certutil -dspublish root.cer rootcaname.

    If the name is the same the CRL and AIA information will remain intact. :D

  21. Tim says:

    Thanks for the article. Are there issues performing this migration from a 32bit 2003 server to a 64bit 2008 server? I’ve read conflicting articles about migrations from 32bit to 64bit failing to restore the CA backup on the new 64bit OS.

    Thanks.

  22. Scott says:

    Hi Tim, I have not had issues migrating from 32 bit to 64bit using this process.

  23. Sam says:

    Hi Scott,

    Very nice article. I have a problem with my root CA on Windows Server 2008 R2 which does not want to start on a Hyper-V VM (blue screen fatal error). I don’t have a backup of the system state of the root CA but my issuing secondary CA is online. How can I rebuild the root CA?

    Thanks for helping.

  24. Scott says:

    Hi Sam, my first question is do you have a backup of the certificate, which should be in AD, but more importantly a copy of the Certificate Database? I’m willing to bet your Root CA is good for a while so there is no rush, but you will need to get access to the CA Database. Also, was the root CA domain joined or standalone?

  25. JeffL says:

    Hi Scott,

    I had posted a few months ago about upgrading our Key Size from 1024 to 2048. Thanks for your help on that. We have our 2008 R2 servers almost ready to go online (upgrading from 2005). One thing that we are now seeing as a problem is our client certificates. We have about 1500 client certificates issued. Our CA root expires in June, so our clients will as well. What is going to be the best plan to a) upgrade the key size b) renew our cert (either before or after migration) c) not have all of our clients certificate expire at the same time. Thanks for your time. Jeff

  26. William says:

    Hi Scott,

    Thanks for the informative article. Although I haven’t yet performed the move, I had a few questions.

    1. I am currently running a mixed environment of W2K3 and W2K8R2 with a DC on each; I will be transferring all FSMO roles soon to the new W2K8R2 svr and taking down the last W2K3 box. Can I still move or copy the certificate services from my W2K3 DC to the W2K8R2 box first? I’d like to have most everything in place first before I remove the last W2K3 DC. The 2 servers have different names, and will be using the URL you supplied.

    2. Can I still keep the old DC on-line until such time that I am ready to decommission it after I move the certificate services and Root Authority?

    3. Can I simply backup my current CA, stop all related CA services on the original DC, install AD Certificate Services on the W2K8R2 box and import the key?

  27. Scott says:

    Hi William,

    Let me answer your questions for you here:

    1. No, you need to keep the computer name the same in order to transfer it. If you are moving it to a new server name you will need to go through additional steps to change distribution points etc. This process is noted in the comments above if you’re looking at doing this.
    2. No, you will need to either change the server name or take it offline. This has to deal with distribution points for the CRL, AIA.
    3. Yes, as long as the old server is offline and the new server has the same name.

    Technically it is best practice to have AD CS installed on a member server that is not a domain controller. You may want to reconsider your CA architecture to fit in this best practice.

  28. Michael Sadfo says:

    Fantastic article and works perfectly

  29. shane ross says:

    thank you very much for such a clear set of instructions. seriously, it’s probably as important in that it outlines that it CAN be done as much as it explains HOW to do it. thank you for again bridging the gap.
