CA Upgrade and Renaming

    Question

  • Hello Everyone,

    Some time back I upgraded my AD server (which is also my CA) from 2003 R2 to 2008 R2. Everything has been working fine. With your support and advice I would like to achieve two things with my setup:

    1. Rename the CA from "Active Sync for Nokia" to another friendly name.
    2. Upgrade the CA to the 2008 R2 version, i.e. utilize features like Online Responder etc.

    I used the steps below to migrate the CA from 2003 R2 to 2008 R2:

    certutil -catemplates >\\server\CABackup\Templates.txt

    certutil -getreg ca\csp\* >\\server\CABackup\SCPSettings.txt

    Back up the CA

    net stop certsvc

    Back up the registry key HKLM\System\CurrentControlSet\Services\CertSvc

    Remove the CA while the machine is still joined to the domain

    Copy the backed-up content to the new Server 2008 machine and go to that directory

    certutil -importpfx "ExportedPrivateKey.p12"

    certutil -store my | find "Key Container"

    Copy the first key container name

    notepad setupca.vbs

    cscript setupca.vbs /IE /RC /SN "<the copied key container name>"

    net stop certsvc

    certutil -f -restoredb "<backed-up CA directory>"

    Import the registry data: double-click it or run

    reg import CAConfiguration.reg

    Convert the exported templates .txt file to CSV by adding commas

    notepad templates.txt

    notepad templates.csv

    certutil -setcatemplates +<paste the CSV list>

    net start certsvc


    Meshack


    Wednesday, November 13, 2013 5:47 AM
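The migration procedure in the question, written out as a single PowerShell script (this is an added example, not code from the original post or from Microsoft). The backup location, PFX password and CA name are assumed values; the parsing of `certutil -catemplates` output assumes each template is printed as `<Name>: <Display Name> -- ...`; installing the CA role on the new server with the imported key is done outside the script (Add Roles wizard with "Use existing private key" on 2008 R2, or `Install-AdcsCertificationAuthority -KeyContainerName` on 2012 and later).

```powershell
# Added example: CA migration helper mirroring the steps in the post.
# Assumptions (not from the original post): the paths, password and CA name below.
param(
    [ValidateSet('Export', 'Import')] [string]$Phase = 'Export',
    [string]$BackupDir = '\\server\CABackup',          # assumed share
    [string]$Password  = 'ChangeMe!',                  # protects the exported CA private key (PFX)
    [string]$CaName    = 'Active Sync for Nokia'       # CA common name from the post
)
$ErrorActionPreference = 'Stop'

function Invoke-Certutil {
    # Run certutil.exe and fail loudly: it returns a non-zero exit code on any error.
    param([string[]]$CertutilArgs)
    $out = & certutil.exe @CertutilArgs
    if ($LASTEXITCODE -ne 0) { throw "certutil $($CertutilArgs -join ' ') failed:`n$($out -join "`n")" }
    return $out
}

if ($Phase -eq 'Export') {
    # --- run on the old (2003 R2) CA ---
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # 1. Template list and CSP settings; both are needed to rebuild the CA identically.
    Invoke-Certutil @('-catemplates')        | Set-Content "$BackupDir\Templates.txt"
    Invoke-Certutil @('-getreg', 'ca\csp\*') | Set-Content "$BackupDir\CSPSettings.txt"

    # 2. Database + private key. certutil -backup needs the service running and an
    #    empty target directory; it writes "<CaName>.p12" (password protected) and DataBase\.
    Invoke-Certutil @('-p', $Password, '-backup', "$BackupDir\CA")

    # 3. CertSvc registry hive: CDP/AIA URLs, validity periods, CA policy settings.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc' "$BackupDir\CAConfiguration.reg" /y

    Write-Host "Backup complete. Remove the CA role while the server is still domain-joined."
}
else {
    # --- run on the new (2008 R2) server, before and after the role install ---
    # 1. Import the CA key pair into the machine MY store and find its key container name;
    #    the role wizard needs that name to reuse the key instead of generating a new one.
    Invoke-Certutil @('-p', $Password, '-importpfx', "$BackupDir\CA\$CaName.p12")
    $container = $null
    foreach ($line in (Invoke-Certutil @('-store', 'my', $CaName))) {
        if ($line -match 'Key Container\s*=\s*(.+)$') { $container = $Matches[1].Trim(); break }
    }
    if (-not $container) { throw "No key container found for '$CaName' in the machine MY store" }
    Write-Host "Key container: $container"
    Write-Host "Install the CA role now with this existing key (Add Roles wizard on 2008 R2;"
    Write-Host "on 2012+: Install-AdcsCertificationAuthority -KeyContainerName '$container')."
    Read-Host "Press Enter once the role is installed"

    # 2. Put the old database and registry configuration in place (service must be stopped).
    #    Review CAConfiguration.reg first: entries that embed the old host name
    #    (CAServerName, CRL/AIA paths not using %1) must be edited before import.
    & net.exe stop certsvc
    Invoke-Certutil @('-f', '-restoredb', "$BackupDir\CA")
    & reg.exe import "$BackupDir\CAConfiguration.reg"
    & net.exe start certsvc

    # 3. Re-publish the same templates. Assumed output format of certutil -catemplates:
    #    "<Name>: <Display Name> -- Auto-Enroll: ..." per line; the short name before the colon
    #    is what -setcatemplates expects, as a comma-separated list prefixed with "+".
    $templates = Get-Content "$BackupDir\Templates.txt" |
        ForEach-Object { if ($_ -match '^(\S+):\s') { $Matches[1] } }
    if ($templates) { Invoke-Certutil @('-setcatemplates', ('+' + ($templates -join ','))) }
    Write-Host "Restore complete; verify with: certutil -cainfo ; certutil -getreg ca\csp\*"
}
```

Run `-Phase Export` on the old CA, remove the role, then `-Phase Import` on the new server. Note that this reproduces the existing CA, name and key included; it is the "upgrade" half of the question only. A renamed CA cannot be built this way, because the restored database and key belong to the old subject name, which is the point the answers below make.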

Answers

  • On Wed, 13 Nov 2013 05:47:01 +0000, Meshack KE wrote:
     
    >    Rename the CA from Active Sync for Nokia to another friendly name.
     
    You can't do this without reinstalling the CA and generating a new CSR with
    the new common name that you want to use. The CN of the CA is also the
    Subject name of the certificate issued to the CA and cannot be changed as
    doing so would invalidate the certificate.
     
    • Marked as answer by Meshack KE Thursday, November 14, 2013 2:11 PM
    Wednesday, November 13, 2013 11:18 AM

All replies

  • Thanks Paul for the reply. So does this mean the only option I have is to uninstall the current CA, then reinstall afresh and issue my certs afresh? What will happen to services currently using certificates issued earlier?

    Meshack

    Wednesday, November 13, 2013 12:56 PM
  • On Wed, 13 Nov 2013 12:56:40 +0000, Meshack KE wrote:
     
    > Thanks Paul for the reply, so will this mean the only option i have is to uninstall the current CA then reinstall afresh and issue my certs afresh? what will happen to services currently using certificates issued earlier
     
    Correct. You either need to reissue all of the current certificates, or
    keep the old CA up and running (so that it can issue certificate revocation
    lists) until all of the existing certificates have expired and new ones
    have been obtained from the new CA.
     
    Wednesday, November 13, 2013 1:03 PM
  • Agree with Paul. Also, I'm not sure if you can restore an existing database on a different CA (though I haven't tested it). So it would be better to install a new CA with the correct name, point clients to the new CA (by disabling all templates on the existing CA) and keep the old CA to publish CRLs.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Wednesday, November 13, 2013 9:40 PM
  • Thanks all, the last one before I mark this as resolved: if I uninstall the current CA, will the issued certs remain working until they expire?

    Meshack

    Thursday, November 14, 2013 8:17 AM
  • They may be trusted, but not usable, because there will be no valid CRL against which to check revocation status.


    Thursday, November 14, 2013 11:22 AM
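The retirement plan Paul and Vadims describe (stop the old CA issuing, keep a valid CRL available until the last old certificate expires) and the "trusted but not usable" failure above, as an added PowerShell example that is not part of the thread. It is meant to run on the old CA itself; the CRL lifetime and the path of a certificate to test are assumed values, and the `certutil -catemplates` line format is assumed to be `<Name>: <Display Name> -- ...`.

```powershell
# Added example: retire the old CA in a controlled way and show why a missing CRL
# breaks certificates that are otherwise still trusted. Run on the old CA. Assumed values below.
param(
    [string]$TestCert      = 'C:\temp\issued-by-old-ca.cer',  # any certificate the old CA issued (assumed path)
    [int]   $FinalCrlYears = 2                                # must outlast the longest remaining issued cert
)
$ErrorActionPreference = 'Stop'

# 1. Stop new issuance: unpublish every template on this CA ("-" prefix removes from the list).
#    Assumed output format: "<Name>: <Display Name> -- Auto-Enroll: ..." per template.
$published = & certutil.exe -catemplates | ForEach-Object { if ($_ -match '^(\S+):\s') { $Matches[1] } }
if ($published) { & certutil.exe -setcatemplates ('-' + ($published -join ',')) }

# 2. Publish one final, long-lived base CRL so revocation checking keeps working after the
#    CA is shut down. Delta CRLs are switched off first, otherwise clients will also look for
#    a delta that will never be refreshed. -setreg changes need a service restart, and the
#    CRL's validity is capped by the CA certificate's own expiry.
& certutil.exe -setreg CA\CRLDeltaPeriodUnits 0
& certutil.exe -setreg CA\CRLPeriodUnits $FinalCrlYears
& certutil.exe -setreg CA\CRLPeriod 'Years'
& net.exe stop certsvc
& net.exe start certsvc
& certutil.exe -crl          # writes the CRL to every CDP location this CA publishes to
# The CDP URLs (HTTP/LDAP) in the issued certificates must stay reachable after the server
# is gone, so copy the resulting .crl there before decommissioning.

# 3. Show "trusted but not usable": the same chain passes with revocation checking off and
#    fails once the CRL is no longer reachable or has expired (RevocationStatusUnknown /
#    OfflineRevocation in ChainStatus). certutil -verify -urlfetch <cert> shows the same thing.
function Test-Chain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode      # NoCheck, Online or Offline (cached CRLs only)
    $valid  = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    return New-Object PSObject -Property @{ Mode = $Mode; Valid = $valid; Status = $status }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $TestCert
Test-Chain $cert 'NoCheck'   # Valid = True while the chain and dates are fine: "trusted"
Test-Chain $cert 'Online'    # Valid = False without a fetchable, unexpired CRL: "not usable"
```

Re-run step 3 from a client after the old CA is offline; as long as the final CRL is still served from the CDP locations and has not expired, the `Online` check keeps passing, which is exactly the window in which the remaining certificates can be replaced from the new CA.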