Tuesday, February 8, 2011

Move Root Certificate Authority from Windows Server 2003 to Windows Server 2008

In this scenario, we have the following servers:

Server Name              IP Address   Operating System         Server Role
-                        -            Windows Server 2003 R2   Domain Controller, Global Catalog, DNS Server
CA01.contoso.com (Old)   -            Windows Server 2003 R2   Certification Authority
CA01.contoso.com (New)   -            Windows Server 2008 R2   Certification Authority

(The post does not list the domain controller's name or any IP addresses; those cells are left blank.)

Assume Certificate Services is already installed on CA01 (the old, Windows Server 2003 R2 server).

1. On CA01, log on as Domain Administrator.
2. Click Start > Administrative Tools > Certification Authority.
3. Right-click the domain name node, select All Tasks > Back up CA.
4. At the welcome screen, click Next.
5. Check "Private key and CA certificate" and "Certificate database and certificate database log".
6. Click Browse.
7. Select C:\CA Backup, click OK.

Remark: You need to create the C:\CA Backup folder beforehand.

8. Click Next.
9. Provide a password for the backup, click Next.
10. Click Finish.
11. Click Start > Run, enter regedit.
12. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.
13. Right-click Configuration, select Export.
14. Save the registry file in the C:\CA Backup folder.

Remark: Alternatively, enter the following command to export the registry key:
reg export HKLM\System\CurrentControlSet\Services\CertSvc\Configuration "C:\CA Backup\backup.reg"

15. Click Start > Run, enter appwiz.cpl.
16. Click Add/Remove Windows Components.
17. Uncheck Certificate Services, click Next.
18. Click Finish.
19. Click Start > Run, enter sysdm.cpl.
20. Select the Computer Name tab, click Change.
21. Under Computer name, type CA02.
22. Click OK.
23. Restart CA02.
24. On the Windows Server 2008 R2 server, log on as the local Administrator.
25. Click Start, enter sysdm.cpl.
26. Select the Computer Name tab, click Change.
27. Under Computer name, type CA01.
28. Next to Member of, select Domain.
29. Under Domain, type contoso.com.
30. Click OK.
31. After joining the domain, restart the computer.
32. When the restart is finished, log on as Domain Administrator.
33. Click Start, type \\CA02\C$.
34. Copy the CA Backup folder to C:\.
35. Click the Server Manager icon.
36. Right-click Roles, select Add Roles.
37. At the welcome screen, click Next.
38. Check Active Directory Certificate Services.
39. Click Next twice.
40. Check Certification Authority and Certification Authority Web Enrollment.
41. Click Add Required Role Services.
42. Click Next.
43. Keep Enterprise selected, click Next.
44. Select Root CA, click Next.
45. At the Set Up Private Key screen, select Use existing private key > Select a certificate and use its associated private key.
46. Click Next.
47. Click Import.
48. Click Browse.
49. Select C:\CA Backup\Contoso Root CA.p12.
50. Enter the password for the private key, click OK.
51. Select the certificate.
52. Click Next three times.
53. At the Select Role Services screen, check Basic Authentication.
54. Click Next.
55. Click Install.
56. Click Close.
57. Click Start, enter certsrv.msc.
58. Right-click the domain name node, select All Tasks > Stop Service.
59. Click Start, enter regedit.
60. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

Remark: If the paths shown in the registry export from the old CA differ from the paths on the new server, adjust the registry export accordingly before importing it.

61. Close Registry Editor.
62. Launch Windows Explorer, navigate to C:\CA Backup.
63. Double-click the registry file to import the settings.
64. Return to Certification Authority, right-click the domain name node, select All Tasks > Restore CA.
65. At the welcome screen, click Next.
66. Check "Private key and CA certificate" and "Certificate database and certificate database log".
67. Click Browse.
68. Select C:\CA Backup, click OK.
69. Click Next.
70. Enter the password you provided when creating the backup, click Next.
71. Click Finish.
72. Click Yes to start the AD CS service.
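The remark after step 60 asks you to compare the paths in the old CA's registry export with the new server before importing it in step 63; a wrong database path in the import leaves the restored CA pointing at a directory that does not exist. The following PowerShell script is an added example and not code from the original post. It assumes the export is at C:\CA Backup\backup.reg (the path used in the post's reg export command) and that the directory-valued entries under the Configuration key are DBDirectory, DBLogDirectory, DBSystemDirectory and DBTempDirectory; it reports every such entry whose directory is missing on this server, and any key header outside the expected Configuration key, so they can be edited before the double-click import.

```powershell
# Added example (not from the original post): validate the CertSvc registry
# export taken from the old CA before importing it on the new CA01.
# Assumptions: the export lives at C:\CA Backup\backup.reg (as in the post's
# reg export command); the directory-valued entries under the Configuration key
# are DBDirectory, DBLogDirectory, DBSystemDirectory and DBTempDirectory.
function Test-CaRegistryExport {
    param(
        [string]$RegFile = 'C:\CA Backup\backup.reg'
    )
    $expectedKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $pathValues  = @('DBDirectory', 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory')
    $findings    = @()

    # reg.exe writes the file as UTF-16 with a BOM, which Get-Content handles.
    foreach ($line in Get-Content -Path $RegFile) {
        # Key header, e.g. [HKEY_LOCAL_MACHINE\SYSTEM\...\CertSvc\Configuration\CAName]
        if ($line.StartsWith('[')) {
            $key = $line.Trim('[', ']')
            if (-not $key.StartsWith($expectedKey, [StringComparison]::OrdinalIgnoreCase)) {
                $findings += New-Object PSObject -Property @{ Kind = 'UnexpectedKey'; Name = $key; Path = '' }
            }
            continue
        }
        # REG_SZ entries look like  "DBDirectory"="C:\\Windows\\system32\\CertLog"
        if ($line -match '^"(?<name>[^"]+)"="(?<value>.*)"$' -and $pathValues -contains $Matches['name']) {
            $dir = $Matches['value'] -replace '\\\\', '\'   # undo the .reg backslash escaping
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
                $findings += New-Object PSObject -Property @{ Kind = 'MissingDirectory'; Name = $Matches['name']; Path = $dir }
            }
        }
    }
    return $findings
}

$result = @(Test-CaRegistryExport)
if ($result.Count -eq 0) {
    Write-Host 'Registry export matches this server; it can be imported as-is.'
} else {
    $result | Format-Table Kind, Name, Path -AutoSize
    Write-Warning 'Edit the listed entries in the .reg file before importing it (see the remark after step 60).'
}
```

Run it on the new CA01 after copying the CA Backup folder in step 34 and before step 63; it only reads the file and never writes to the registry.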

This posting is provided “AS IS” with no warranties, and confers no rights!
