How to: Move Certificate Server to another server.
I was doing this today, let's say a couple of hours ago. It was not easy trying to troubleshoot a broken server. Hence, I decided to migrate the certificate authority to another server, which had already been planned for a while. Since that server was already ready and good to go, I decided to give it a shot.
This is my configuration of the servers.
DC01 and DC02 servers: DC01 is a Windows Server 2003 Standard Edition server and DC02 is a Windows 2000 Standard Server. Just yesterday, HQDC01 broke, failing from corrupted data on the hard disk. Previously, both servers were Windows 2000 servers. In order to move the certificate server to a Windows Server 2003 environment, an in-place upgrade is required. Perform the Windows Server 2003 in-place upgrade as usual. This is just the start of the whole exercise. Now here is the creamy part.
To perform the migration, the following tasks are required.
Prerequisite of the process:
The server you migrate to must have the same server name as the old server, or else the certificates will not work properly.
1. Open the Certification Authority snap-in in Administrative Tools and back up the CA database and private key. To do this, follow these steps:
a. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.
b. Click Next, and then click Private key and CA certificate.
c. Click Certificate database and certificate database log.
d. Use an empty folder as the backup location. Make sure that the backup folder can be accessed by the new server.
e. Click Next. If the specified backup folder does not exist, the Certification Authority Backup Wizard creates it.
f. Type and then confirm a password for the CA private key backup file.
g. Click Next, and then verify the backup settings.
The following settings should be displayed:
• Private Key and CA Certificate
• Issued Log and Pending Requests
h. Click Finish.
2. Save the registry settings for this CA. To do this, follow these steps:
a. Click Start, click Run, type regedit in the Open box, and then click OK.
b. Locate and then right-click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
c. Click Export.
d. Save the registry file in the CA backup folder that you defined in step 1d.
3. Remove Certificate Services from the old server.
4. Rename the old server, or permanently disconnect it from the network.
5. Install Certificate Services on the new server. To do this, follow these steps.
Note: The new server must have the same computer name as the old server.
a. In Control Panel, double-click Add or Remove Programs.
b. Click Add/Remove Windows Components, click Certificate Services in the Windows Components Wizard, and then click Next.
c. In the CA Type dialog box, click the appropriate CA type.
d. Click Use custom settings to generate the key pair and CA certificate, and then click Next.
e. Click Import, type the path of the .P12 file in the backup folder, type the password that you chose in step 1f, and then click OK.
f. In the Public and Private Key Pair dialog box, verify that Use existing keys is checked.
g. Click Next two times.
h. Accept the Certificate Database Settings default settings, click Next, and then click Finish to complete the Certificate Services installation.
6. Stop the Certificate Services service.
7. Locate the registry file that you saved in step 2, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly. By default, the new path is C:\Windows in Windows Server 2003.
8. Use the Certification Authority snap-in to restore the CA database. To do this, follow these steps:
a. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA.
The Certification Authority Restore Wizard starts.
b. Click Next, and then click Private key and CA certificate.
c. Click Certificate database and certificate database log.
d. Type the backup folder location, and then click Next.
e. Verify the backup settings. The Issued Log and Pending Requests settings should be displayed.
f. Click Finish, and then click Yes to restart Certificate Services when the CA database is restored.
9. In the Certification Authority snap-in, manually add or remove certificate templates to duplicate the Certificate Templates settings that were configured on the old CA.
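The same backup and restore steps as a script, added here as an example and not part of the original post: it drives certutil.exe and reg.exe instead of the wizards, checks the same-name prerequisite before restoring, and flags database paths that do not exist on the new server (the step 7 adjustment). It assumes an elevated PowerShell session on the CA itself; the folder layout, file names and function names are my own choices.

```powershell
# Added example, not the post's own steps: backup (steps 1-2) and restore (steps 6-8) of a CA
# with certutil.exe and reg.exe. Assumes an elevated PowerShell session on the CA itself.
$RegPath = 'SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Backup-CaForMigration {
    param([string]$BackupDir, [string]$KeyPassword)
    # The Backup wizard needs an empty folder; enforce the same here.
    if (Test-Path $BackupDir) {
        if (@(Get-ChildItem $BackupDir).Count -gt 0) { throw "Backup folder is not empty: $BackupDir" }
    } else { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

    # Step 1: private key + CA certificate (.p12) and the database with its log. The .p12 holds
    # the CA signing key, so the folder and the password deserve the same protection as the CA.
    & certutil.exe -p $KeyPassword -backup $BackupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with code $LASTEXITCODE" }

    # Step 2: the CA's registry settings, saved into the same backup folder.
    & reg.exe export "HKLM\$RegPath" (Join-Path $BackupDir 'CertSvc-Configuration.reg')
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with code $LASTEXITCODE" }

    # Record the source name so the restore can enforce the same-name prerequisite.
    $env:COMPUTERNAME | Set-Content (Join-Path $BackupDir 'source-hostname.txt')
}

function Restore-CaFromMigration {
    param([string]$BackupDir, [string]$KeyPassword)
    $expected = (Get-Content (Join-Path $BackupDir 'source-hostname.txt')).Trim()
    if ($env:COMPUTERNAME -ne $expected) {
        throw "This server is '$env:COMPUTERNAME' but the CA was backed up on '$expected'"
    }

    # Step 6: Certificate Services must be stopped before the registry import and the restore.
    Stop-Service -Name CertSvc -ErrorAction Stop

    # Step 7: import the saved settings, then check the database paths: an export taken on the
    # old server may point at a system folder that does not exist here (C:\Windows on 2003).
    & reg.exe import (Join-Path $BackupDir 'CertSvc-Configuration.reg')
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with code $LASTEXITCODE" }
    $cfg = Get-ItemProperty -Path "HKLM:\$RegPath"
    foreach ($name in 'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory') {
        if (-not ($cfg.$name -and (Test-Path $cfg.$name))) {
            Write-Warning "$name is '$($cfg.$name)', which does not exist here; fix it before restoring"
        }
    }

    # Step 8: restore the database and private key from the backup, then start the service.
    & certutil.exe -p $KeyPassword -restore $BackupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with code $LASTEXITCODE" }
    Start-Service -Name CertSvc
}
```

Run Backup-CaForMigration on the old server before step 3 and Restore-CaFromMigration on the new server after step 5; fix any path the warning reports in the .reg file (or the registry) before running the restore again.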