Step by step Instructions for Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2 – Part 3

This is the final part of the step-by-step instructions for subordinate CA migration from Windows Server 2003 to Windows Server 2008 R2. It covers the back-out procedure.

1. Back-Out Procedure

If the migration fails, that is, if the Certificate Authority service fails to stop, auto-enrollment fails, or any of the migration verification steps produces an error, the back-out procedure must be executed to restore the CA service on the source server.

a. Removing CA Role from Destination server

Log on to the destination server, and start Server Manager.

In the console tree, click Roles.

In the Roles pane, click Remove Roles.

If the Before You Begin page appears, click Next.

On the Remove Server Roles page, clear the Active Directory Certificate Services check box and click Next.

On the Confirm Removal Selections page, click Remove, and restart the server once the removal completes.

Remove the destination server from the domain.

Rename the destination server.

b. Adding CA Role on Source Server

Rename the source server back to its original name.

Add the source server to the domain.

Launch Add or Remove Programs, select Add/Remove Windows Components, select Certificate Services, and click Next.

Select Enterprise Subordinate CA as the CA type and select “Use custom settings to generate the key pair and CA certificate”.

On the Public and Private Key Pair page, click Import, select the backed-up .p12 file, enter its password, and click Next.

Click Next to proceed with the CA configuration, and then close the wizard when it completes.

c. Restoring CA DB on source server

Launch the Certification Authority snap-in.

Select the CA node, then click Action, All Tasks, Restore CA.

On the Items to Restore page, select Private key and CA certificate, and Certificate database and certificate database log.

Browse to the CA database backup location and click Next.

Enter the password that was set when the CA was backed up.

d. Restore Certificate template list

Open a command prompt window.

Type certutil -setcatemplates +<templatelist1>,<templatelist2>.. and press ENTER.


I hope this article was informative and helpful to you. It is based on a test of a real-world scenario.

Below are the links to the other parts of the article:

Part 1 – Preparing Source CA and Target server
Part 2 – Restoring the Source from backups and Verifying the migration

Please comment if you like this article 🙂

Step by step Instructions for Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2 – Part 2

Here is the next part of the article with the step-by-step instructions for subordinate CA migration from Windows Server 2003 to Windows Server 2008 R2. In this second part we cover restoring the source CA from backup on the new Windows Server 2008 R2 server and verifying the migration.

1. Restore Source CA Server from backup

a. Restore CA DB

Log on to the destination server by using an account that is a CA administrator.

Start the Certification Authority snap-in.

Right-click the node with the CA name, point to All Tasks, and then click Restore CA.

On the Welcome page, click Next.

On the Items to Restore page, select Certificate database and certificate database log.

Click Browse. Navigate to the parent folder that holds the Database folder (the folder that contains the CA database files created during the CA database backup).

Click Next and then click Finish.

b. Restore CA Registry

Create a backup of the current registry settings.

Open the registry file exported from the source server in Notepad and verify the registry values.

Open a Command Prompt window.

Type reg import <Registry Settings Backup.reg> and press ENTER.

Type net start certsvc and press ENTER.

c. Restore Certificate template list

Open a command prompt window.

Type certutil -setcatemplates +<templatelist1>,<templatelist2>.. and press ENTER.
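The following PowerShell script, added here and not part of the original article, is a scripted form of steps b and c above (and of the matching template-restore step in the Part 3 back-out procedure), run on the destination CA. The file paths and the template list are assumptions to replace with your own values.

```powershell
# Added example (not from the original article): a scripted form of the
# registry restore and template restore steps. Everything marked "assumed"
# is a placeholder to replace with your own values.
$RegBackup  = 'C:\CAMigration\Registry Settings Backup.reg'   # assumed: .reg exported from the source CA
$SafetyCopy = "C:\CAMigration\CertSvc-before-import-$(Get-Date -Format yyyyMMddHHmm).reg"
$Templates  = 'User,Machine,WebServer'                         # assumed template list
$CertSvcKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Step b: keep a copy of the current settings so the import can be undone.
reg export $CertSvcKey $SafetyCopy /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Show the CAServerName line of the exported file before importing it; it must
# already name the new host. (The URL values are REG_MULTI_SZ and appear as
# hex(7) data in a .reg file, so they are easier to check after the import.)
Select-String -Path $RegBackup -Pattern '^"CAServerName"=' | ForEach-Object { $_.Line }

# Import with the service stopped, then start it and confirm it is running.
Stop-Service certsvc -ErrorAction SilentlyContinue
reg import $RegBackup
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
Start-Service certsvc
"certsvc is $((Get-Service certsvc).Status)"

# Step c: restore the template list (+ adds to the list) and show the result.
certutil -setcatemplates "+$Templates"
if ($LASTEXITCODE -ne 0) { throw "certutil -setcatemplates failed with exit code $LASTEXITCODE" }
certutil -catemplates
```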

2. Verifying migration

a. Verify ACLs on the AIA and CDP containers

Log on to a domain controller and open Active Directory Sites and Services.

In the console, click the top node.

Click View, then Show Services Node. The Services folder appears in the left pane; expand it to reach Public Key Services.

Expand Public Key Services.

Click the AIA folder, and in the details pane select the name of the source CA.

On the Action menu, click Properties.

Click the Security tab, and then click Add.

Click Object Types, click Computers, and then click OK.

Type the host name of the target CA, and click OK.

In the Allow column, select Full Control, and click OK.

If an Account Unknown entry with a security identifier exists, select it and remove it.

In the left pane, expand CDP and select the host name of the source CA.

In the details pane, select the first CRL object.

On the Action menu, click Properties, and then click the Security tab.

In the list of permitted group or user names, select the name of the source CA, click Remove, and then click Add.

Click Object Types, select Computers, and then click OK.

Type the host name of the target CA, and click OK.

In the Allow column, select Full Control, and then click OK.

If an Account Unknown entry with a security identifier exists, select it and remove it.
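The following PowerShell script, added here and not part of the original article, checks the same AIA and CDP objects that the GUI steps above edit: it reports any object where the target CA's computer account lacks Full Control or where an orphaned Account Unknown SID remains. The two host names are assumptions; run it on a domain member with read access to the Configuration partition.

```powershell
# Added example (not part of the original article): scripted check of the AIA
# and CDP ACLs. The two host names are assumptions; replace them.
Add-Type -AssemblyName System.DirectoryServices
$TargetCA = 'NEWCA01'   # assumed host name of the Windows Server 2008 R2 CA
$SourceCA = 'OLDCA01'   # assumed host name of the Windows Server 2003 CA

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"
$fullCtrl = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$problems = 0

# AIA holds one object per CA; CDP\<source host> holds that CA's CRL objects.
foreach ($path in "LDAP://CN=AIA,$pks", "LDAP://CN=$SourceCA,CN=CDP,$pks") {
    foreach ($obj in ([ADSI]$path).psbase.Children) {
        $name  = $obj.psbase.Name
        $rules = $obj.psbase.ObjectSecurity.GetAccessRules($true, $true,
                     [System.Security.Principal.NTAccount])

        # A SID that no longer resolves is returned as a SecurityIdentifier
        # instead of an NTAccount; that is the "Account Unknown" entry.
        foreach ($r in $rules) {
            if ($r.IdentityReference -is [System.Security.Principal.SecurityIdentifier]) {
                "$name : orphaned SID $($r.IdentityReference) should be removed"
                $problems++
            }
        }

        # The target CA's computer account (DOMAIN\HOST$) needs Allow: Full Control.
        $hasFull = $rules | Where-Object {
            $_.IdentityReference.Value -like "*\$TargetCA`$" -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $fullCtrl) -eq $fullCtrl) }
        if (-not $hasFull) { "$name : $TargetCA`$ does not have Full Control"; $problems++ }
    }
}
if ($problems -eq 0) { "AIA and CDP ACLs are correct for $TargetCA" } else { "$problems problem(s) found" }
```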

b. Verify Registry

Verify that CAServerName is a registry string value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\ key (where CAName is the name of your CA). It should have been updated to the DNS name or host name of the new CA host.

Verify that CACertPublicationURLs and CRLPublicationURLs are both registry multi-string values located under the same key as CAServerName.
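The following PowerShell script, added here and not part of the original article, performs the checks described in section b on the destination CA. It reads the active CA name from the registry; the source host name is an assumption, used to catch publication URLs that still point at the old server.

```powershell
# Added example (not part of the original article): checks CAServerName and the
# two publication URL values. $SourceCA is an assumption.
$SourceCA = 'OLDCA01'   # assumed host name of the decommissioned 2003 CA

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base).Active          # name of the active CA
$key    = Get-Item -Path (Join-Path $base $caName)
$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$errors = @()

# Returns the value kind (String, MultiString, ...) or $null if the value is missing.
function Get-Kind($regKey, $valueName) {
    if ($regKey.GetValueNames() -contains $valueName) { $regKey.GetValueKind($valueName) }
}

# CAServerName must be REG_SZ and must name this host (short or DNS name).
$kind = Get-Kind $key 'CAServerName'
if ($kind -ne 'String') {
    $errors += "CAServerName is '$kind', expected String"
} elseif (@($env:COMPUTERNAME, $fqdn) -notcontains $key.GetValue('CAServerName')) {
    $errors += "CAServerName is '$($key.GetValue('CAServerName'))', expected $fqdn"
}

# Both publication URL lists must be REG_MULTI_SZ and must not reference the old host.
foreach ($name in 'CACertPublicationURLs', 'CRLPublicationURLs') {
    $kind = Get-Kind $key $name
    if ($kind -ne 'MultiString') { $errors += "$name is '$kind', expected MultiString"; continue }
    foreach ($url in $key.GetValue($name)) {
        if ($url -match [regex]::Escape($SourceCA)) { $errors += "$name still references ${SourceCA}: $url" }
    }
}
if ($errors.Count -eq 0) { "Registry values for '$caName' are correct" } else { $errors }
```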

c. Verify Auto Enrollment

Log on to a domain member computer by using an account that has Autoenroll, Enroll, and Read permissions for the certificate templates that are assigned to the destination CA.

Click Start, and then click Run.

Type certmgr.msc, and then click OK to open the Certificates snap-in.

In the console tree, right-click Certificates – Current User, click All Tasks, and then click Automatically Enroll and Retrieve Certificates to start the Certificate Enrollment wizard.

On the Before You Begin page, click Next.

On the Request Certificates page, a list of one or more certificate templates should be displayed. Select the check box next to each certificate template that you want to request, and then click Enroll.

Click Finish to complete the enrollment process.

In the console tree, double-click Personal, and then click Certificates to display a list of installed user certificates and to verify that the certificate that you requested is displayed.
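The following PowerShell script, added here and not part of the original article, is a scripted counterpart of section c: it triggers user autoenrollment with certutil -pulse and then lists the certificates in the Personal store issued by the destination CA, together with the template each came from. The CA common name is an assumption.

```powershell
# Added example (not part of the original article): trigger autoenrollment and
# check the result in the current user's Personal store. $CAName is assumed.
$CAName = 'Contoso Issuing CA'   # assumed common name of the migrated CA

certutil -pulse | Out-Null       # starts the autoenrollment task for this user
Start-Sleep -Seconds 30          # give enrollment time to finish

# Extensions that carry the template: v1 template name and v2+ template information.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
$issued = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.Issuer -match "CN=$([regex]::Escape($CAName))" -and $_.NotAfter -gt (Get-Date) }

if (-not $issued) { throw "No valid certificate issued by '$CAName' found in the Personal store" }
foreach ($cert in $issued) {
    $template = ($cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
                 ForEach-Object { $_.Format($false) }) -join '; '
    '{0}  {1}  expires {2:d}  {3}' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $template
}
```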

I hope you liked this article and gained a good understanding of the process of migrating a CA server from Windows Server 2003 to Windows Server 2008. Please continue with the last part, which covers the back-out procedure; you should know it in case you need to revert.

Below are the links for the other parts

Part 1 – Preparing the source and target CA servers for migration.

Part 3 – Back-out procedure.