Migrating a Certification Authority to a new server with a jailbroken Certificate and Private Key

  • Question

    I need to upgrade our domain controllers to Windows 2012 R2 and move the root CA. The Certification Authority is running on a Windows 2008 R2 Domain Controller. The Root CA is not exportable, so running a backup on the Certification Authority is not possible. I read that a jailbreak will allow me to export the CA with the private key. The 2008 R2 DC/CA is a physical machine, which I’ve made into a virtual machine. This VM I’ve kept offline. I was able to use the jailbreak on the CA and exported the Cert/Private Key. I then deleted the Cert and imported it back with the jailbroken cert and key. This then allowed me to successfully run a backup on the CA. I then made a backup of the registry keys. On another test machine I was able to successfully restore the CA. So it seems to have worked.

    My question is: can I trust my backup and restore?

    I’m hoping that from here I will remove the CA role and demote the domain controller. I will then bring up a new 2012 R2 domain controller using the same name. After installing the Certification Authority role, I will run the restore. Does anyone see a problem with this? In the future I want to move to a standalone / subordinate. However, we have lots of Remote Direct Access clients that use the existing certificate. They will need to be updated. I do not want to break anything before the holidays. My immediate need is to get rid of the 2008 R2 DC. This might cause me extra work in the future, but that’s OK. Any suggestions?

    Wednesday, November 20, 2019 5:09 PM
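
The backup, restore and verification steps the post describes, written out as an added PowerShell example. This is not code from the original post; it follows the standard certutil-based CA migration (back up key, database and the CertSvc registry configuration, reinstall the role on a same-named host from the existing cert/key, restore the database, re-import the registry). The CA config string CA01\CONTOSO-CA, the backup folder C:\CABackup, the CA type EnterpriseRootCA and the file names are assumptions; the registry path and the certutil verbs are the real ones.

```powershell
# Added example (not from the original post): CA backup, restore and post-restore checks.
# Assumptions: CA host/name CA01\CONTOSO-CA, backup folder C:\CABackup, Enterprise root CA.
# Run in an elevated PowerShell on the CA host in question.

$BackupDir = 'C:\CABackup'                                                  # assumption
$CAConfig  = 'CA01\CONTOSO-CA'                                              # assumption: <host>\<CA common name>
$RegKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' # real CA config key

# --- 1. On the OLD CA: cert + private key, database and registry configuration ---
function Backup-CA {
    param([string]$Dir, [string]$Config)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    # certutil -p wants the PFX password in clear text; read it once and do not log it.
    $pw = Read-Host 'PFX password for the backup'
    # -backup writes <CAName>.p12 (cert + key) plus a DataBase\ folder. It is exactly this
    # step that fails while the CA key is still marked non-exportable.
    certutil -config $Config -p $pw -backup $Dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit $LASTEXITCODE)" }
    reg export $RegKey (Join-Path $Dir 'CertSvc-Configuration.reg') /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit $LASTEXITCODE)" }
    # Keep the bare CA certificate too, for the thumbprint comparison after the restore.
    certutil -config $Config -ca.cert (Join-Path $Dir 'ca.cer') | Out-Null
}

# --- 2. On the NEW 2012 R2 server, joined with the SAME hostname as the old CA ---
function Restore-CA {
    param([string]$Dir)
    $pfx = Get-ChildItem -Path $Dir -Filter '*.p12' | Select-Object -First 1
    if (-not $pfx) { throw "no .p12 found in $Dir" }
    $pw  = Read-Host 'PFX password' -AsSecureString
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
    # Installing from the existing cert/key preserves the CA identity. -CAType must match
    # the old CA (EnterpriseRootCA is an assumption here).
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
        -CertFile $pfx.FullName -CertFilePassword $pw -Force
    Stop-Service certsvc
    # Issued-certificate database first, then the configuration (CDP/AIA URLs, templates,
    # CAServerName). Re-importing the registry is only safe because the hostname is unchanged;
    # with a new name those values would keep pointing at the old machine.
    certutil -f -restoredb $Dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -restoredb failed (exit $LASTEXITCODE)" }
    reg import (Join-Path $Dir 'CertSvc-Configuration.reg')
    if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit $LASTEXITCODE)" }
    Start-Service certsvc
}

# --- 3. What to check before trusting the restore (run on the new CA) ---
function Test-CARestore {
    param([string]$Dir, [string]$Config)
    # a) the CA's private key really matches its certificate
    certutil -config $Config -verifykeys | Out-Null
    $keysOk = ($LASTEXITCODE -eq 0)
    # b) the live CA cert has the same thumbprint as the one captured before migration,
    #    and the machine store holds a private key for it
    $cerPath = Join-Path $Dir 'ca.cer'
    $orig = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
    $live = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $orig.Thumbprint -and $_.HasPrivateKey }
    # c) the service answers requests
    certutil -config $Config -ping | Out-Null
    $pingOk = ($LASTEXITCODE -eq 0)
    [pscustomobject]@{ KeysMatch = $keysOk; SameCertWithKey = [bool]$live; ServiceUp = $pingOk }
}

# Usage: Backup-CA $BackupDir $CAConfig on the old CA; copy C:\CABackup to the new server;
# Restore-CA $BackupDir; then Test-CARestore $BackupDir $CAConfig should report all True.
```

All three checks should come back True before the old CA is decommissioned. If the thumbprint check passes, the CA certificate itself is unchanged, so anything that trusts that certificate (as opposed to a specific issuing server) keeps working. The .p12 in the backup folder now holds a root key that was never meant to leave the machine: copy it only to the new CA, and wipe it from the offline VM and every intermediate location once the restore is verified.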

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    According to your description, if the private key of the root CA is not exportable, we cannot migrate the CA from the old server to a new server, because we cannot back up the CA successfully and cannot restore the CA from the backup to the new server.

    I am sorry, we do not know much about the jailbreak. I suggest setting up a similar environment (the private key of the root CA is not exportable) in a lab. Then use the jailbreak you mentioned to back up the CA on the old server and restore it on the new server, and finally check whether the CA can be migrated from the old server to the new server successfully.

    If it does not work, I think we need to rebuild the CA server on Server 2012 R2 or 2016.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 21, 2019 3:50 AM
    Moderator
  • Hi,
    Does this question have any update, or is the issue solved? Also, is there any other assistance we could provide?


    Best Regards,
    Daisy Zhou


    Monday, November 25, 2019 7:08 AM
    Moderator
  •
    I am not aware of a jailbreak that will allow you to do that.

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    Monday, November 25, 2019 11:04 AM

  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou


    Wednesday, November 27, 2019 7:16 AM
    Moderator
  • Hi,
    Would you please tell me how things are going on your side? If you have any questions or concerns, please don't hesitate to let us know.
    Again thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou


    Monday, December 2, 2019 1:34 AM
    Moderator