Upgrading Your PKI from Windows Server 2003 to Windows Server 2008 R2 Part IV: Migrating Enterprise CAs

In this post I will cover migrating Enterprise Certification Authorities to Windows Server 2008 R2.  These steps will work for Enterprise CAs regardless of whether they are a Root CA or a Subordinate CA.  The assumptions I make in this blog is that Key Archival and Role Separation is not enabled.  This posts also assumes that the machine you are migrating to will have the same hostname.  If you have a more complex scenario, such as one that includes Key Archival please see the Active Directory Certificate Services Upgrade and Migration Guidance.

The steps from Migrating the CA are the following:

1.Backup the CA Key and Database

2. Backup the CA Configuration

3. Backup CAPolicy.inf file

4. Note what certificate templates are available on the CA

5. Uninstall the CA Role from the existing CA

6. Remove the machine from the domain

7. Build a Windows Server 2008 R2 machine

8. Join the Machine with the same machine name as the machine that previously hosted the CA Role

8.  Install Certificate Services with the Key Pair from the CA Backup

10. Restore the CA database from the CA Backup

11. Restore the CA Configuration

12.  Verify that the correct certificate templates are configured on the CA

13. Verify AD permissions.

First perform the following steps:

1. Create a folder locally called CAMigrate

2. In the CAMigrate folder create a folder called CABackup and CAConfig

Backup the CA Key and Database

1. Use the following command to backup the CA Database, log files, and keys: certutil –backup <Path to CABackup folder>

2. You will be prompted to enter and confirm a password that is used to protect the private key of the CA in the resulting PFX file

Backup the CA Configuration

1. Open regedit

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>

3. Right click on <CA Name> and select export from the context menu

4. Name the file config.reg and save the file in the CAConfig folder you created earlier

5. Copy the CABackup folder to the Windows Server 2008 machine that you previously built. Be sure to be careful where you copy the backup to as the backup contains a PFX file that contains the private key of the CA.

Backup CAPolicy.inf file

If a CAPolicy.inf file exists copy it from C:\Windows\ to the CAConfig folder that you created

Note what certificate templates are available on the CA

1. Open a command prompt, and navigate the CAConfig directory

2. Run the following command “certutil –catemplateas > CATemplates.txt

Uninstall the CA Role from the existing CA

Click Start, then Control Panel, then Add or Remove Programs

clip_image002

Select Add/Remove Windows Components

clip_image003

Uncheck Certificate Services, click Next, and then Finish

clip_image004

Remove the machine from the domain

Unjoin the machine that previously held the CA Role from the domain

Build a Windows Server 2008 R2 machine

Install Windows Server 2008 R2 on the machine that will host the CA Role

Install any service packs or updates

Join the Machine with the same machine name as the machine that previously hosted the CA Role

Install Certificate Services with the Key Pair from the CA Backup

1. In server manager click on the Roles node, and then click on Add Roles

clip_image005

2. When the Add Roles Wizard opens, click Next

clip_image006

3. Select Active Directory Services and click Next

clip_image007

4. On the Introduction to Active Directory Certificate Services page of the wizard, click Next

clip_image008

5. This article assumes that Web Enrollment is installed on the CA.  Select Certification Authority and Certification Authority Web Enrollment.

clip_image009

6. You will then be prompted to install the IIS Components that are required for Web Enrollment.  Click Add Required Role Services.

clip_image010

7. On the Select Role Services page of the wizard, click Next.

clip_image011

8. On the Specify Setup type page, select Enterprise, and click Next.

clip_image012

9. On the Specify CA Type page of the wizard, select either Root CA or Subordinate CA, whichever is pertinent to your installation

clip_image013

10. On the Set Up Private Key page, select Use Existing Private Key, and Select a certificate and use its associated private key

clip_image014

11. On the Select Existing Certificates page, click the Import… button.

clip_image015

12. On the Open PFX file dialog box, click Browse…

clip_image016

13. Select the PFX file from the backup of the CA, and click Open.

clip_image017

14. Enter the password for the PFX file, and click OK

clip_image018

15. On the Select Existing Certificate page, select the certificate, and click Next.

clip_image019

16. On the Configure Certificate Database page, select the path where you want to store the database, and log file.  Click Next.

clip_image020

17. On the Web Server (IIS) page click Next.

clip_image021

18. On the Select Role Services page of the wizard, click Next.

clip_image022

19. On the Confirm Installation Selections page, click Install.

clip_image023

20. When the installation completes, click Close.

clip_image024

Restore the CA database from the CA Backup

1.  Open the Certification Authority MMC.

clip_image025

2.  You will be prompted to stop Certificate Services services, click Yes.

clip_image026

3. When the Certification Authority Restore Wizard opens, click Next.

clip_image027

4. Select Certificate database and certificate database log, browse to the CA Backup, and click Next.

clip_image028

5. On the final page of the wizard, click Finish.

clip_image029

6. You will then be prompted to start the Certificate Services service, click Yes.

clip_image030

Restore the CA Configuration

Locate the CA configuration you had previously backed up.  Click on the reg file and select Merge from the context menu.

clip_image031

Verify that the correct certificate templates are configured on the CA

Review the CATemplates.txt file you created earlier.  Ensure that those templates and just those templates are made available on the CA.

Verify AD permissions

Certificate Services is now installed on a machine with the same host name as the previous CA.  However, the SID of the machine is going to be different then the previous CA.  As such we need to make sure the CA has access to the PKI objects in Active Directory.

1. Open ADSIEDIT.MSC

2. Navigate to CN=Public Key Services, CN=Services, CN=Configuration, <Forest DN>

3. Locate the AIA container.

4. Within this container will be an object with CA services name.

5. Right click on the object, and select Properties from the context menu.

6. Select the Security tab on the resulting properties screen, and click the Advanced button.

clip_image032

7. Locate the computer name of the machine hosting the CA Role, and select it.  Then click the Edit button.

clip_image033

8. Click the Change button.

clip_image034

9. Click the Object Types… button

clip_image035

10. Select Computers and click OK.

clip_image036

11. Type the computer name of the machine hosting the CA Role and click OK.

clip_image037

12. Then click OK twice.

You will need to perform the same tasks for the CDP object, Enrollment Services object, and KRA Object.

The CDP object is under the CDP container, and within a container that has the same name as the CA’s machine name.

The Enrollment Services object is in the Enrollment Services container.

The KRA object is in the KRA container.

Conclusion

This blog entry completes the series on migrating a Windows 2003 Server based Certification Authority to Windows Server 2008 R2.

-Chris