Understanding PKI infrastructure and how it works - migration

  • Question

  • Hi, 

    We have the following:

    Offline Root CA - 2008r2 SHA1

    Online Issuing CA - 2008r2 SHA1

    Plan:

    We are planning on migrating from Server 2008 R2 to 2019. I am following the Microsoft migration document. Once this is done, a week or so later we plan to change from SHA1 to SHA2. We will be migrating from 2008 R2 to 2019 and not changing the server name.

    Questions.

    1) I want to understand how certificates auto-renew themselves. I cannot find any GPO, so I am not sure exactly how this works. Does the CA control this, AD, or the actual cert?

    2) From the above migration plan, if I am to remove the SubCA from the domain and change the computer name so that I can add this to the new 2019 server: in the case of a migration failure, what is the best way to roll back?

    Thanks

    Tuesday, October 22, 2019 10:18 AM

Answers

  • Hi,

    >>If I create another Computer Certificate and give it the correct rights, why is it not listed as an option here in addition to computer, domain controller, enrolment agent and ipsec?

    From the article Automatic Certificate Request Settings, we can see:

    ACRS is an automated enrollment process that is available in Windows 2000 Certificate Services and remains available in Windows Server 2003 Certificate Services. ACRS provides a method to automatically distribute certificates, but the supported scenarios are limited:
    ■ Certificates can be distributed to Windows 2000, Windows XP, and Windows Server 2003 computers that are domain members.
    ■ Only version 1 certificate templates can be distributed.
    ■ Certificates cannot be distributed to user accounts.

    So if we duplicate a certificate, we need to change the version to 1 in ADSI.



    Then issue the certificate and we will see it in GPO.



    >>how do we know it is pointing to the new server as it doesn't specify the server or CA name.


    We can define the different certificate template name on different CA server.



    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.




    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 25, 2019 9:04 AM
    Moderator

All replies

  • Hello,

    Thank you for posting in our TechNet forum.

    Here are the answers for our questions:


    Q1:
    I want to understand how certificates auto-renew themselves. I cannot find any GPO, so I am not sure exactly how this works. Does the CA control this, AD, or the actual cert?

    A1: From the article How Certificates Work, we can see:

    Renewal period. The time before the validity period expires when the certificate will be renewed, if reenrollment is supported for the certificate template. By default, the minimum renewal period is 80 percent of the certificate lifetime or 6 weeks, whichever is greater.


    And from the third-party article Tips for Certificate Auto-Enrollment Issuance, we can see:

    Renewal. This is the most misunderstood part of the auto-enroll process. Every certificate issued has a renewal period as part of the template. This does not necessarily mean that the certificate will renew at the exact beginning of that period. For renewal of auto-enrolled certificates, two time frames exist before the action is taken.

    First the certificate has to have completed 80% of its validity period and be within the renewal period. So as an example, a certificate that is valid for 1 year reaches the 80% mark at around 41.5 weeks and if the cert has a 6 week renewal period, then the renewal would happen at the 46 week period. So this would happen during the renewal period.



    For certificates auto renewal, we need to configure two settings:

    1. We need to set up the GPO:

    Computer Certificates Auto-Enrollment (if it is machine certificate)

    Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies >Certificates Services Client – Auto-Enrollment

    And

    Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings > New > Automatic Certificate Request.

    User certificates Auto-Enrollment (if it is user certificate)

    User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies >Certificates Services Client – Auto-Enrollment

      
    For details we can refer to the article Set Up Automatic Certificate Enrollment (Autoenroll).

    2. We need to check the Read, Enroll and Autoenroll permissions for specific group or user on the certificate template.



    Here is a similar case Renewal of Auto-enrolled certificates made through web enrollment.



    Q2: From the above migration plan, if I am to remove the SubCA from the domain and change the computer name so that I can add this to the new 2019 server: in the case of a migration failure, what is the best way to roll back?

    A2: We recommend not removing the SubCA from the domain, but rather adding a new 2019 server to the domain and migrating the CA from 2008 R2 to 2019 if the CA environment is running normally, and then waiting until the last certificate issued by the old 2008 R2 CA has expired, or until the last valid certificate has been reissued by the new CA server, before finally retiring the old 2008 R2 CA server.


    From the article Performing the Upgrade or Migration, we can see:

    When migrating a CA, the computer name of the target computer can differ from the computer name of the source computer, but the CA name must stay the same. 


    And from the article Migrating AD Certificate Services from Windows Server 2008 to Windows Server 2016, we can see:

    Unfortunately we cannot migrate the CA database directly from Server 2008 to Server 2016, because the JET database engine changed so much between the two versions that if we restore the backup we get a JET version error at startup and the CA won't start.

    But if we add one more step we can successfully fulfill the above tasks.

    This additional step is to first restore the DB backup to a Server 2012 R2 CA and then back up the DB again from there. This new backup can now be restored to the Server 2016 CA or the Server 2019 CA.



    Reference:
    Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2

    https://blogs.technet.microsoft.com/canitpro/2014/11/11/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2/

    Tip 1: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience. 

    Tip 2: Each of the CA migration steps contains a lot of operations, so please test it in the test environment first, to avoid problems in the production environment, or so that they can be better solved. If there are no problems in the test environment, we can operate in the production environment.




    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact 

    Wednesday, October 23, 2019 7:14 AM
    Moderator
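    The renewal timing quoted above (the certificate must have completed 80% of its validity period and also be inside the template's renewal period, so a one-year certificate with a six-week renewal period renews at about the 46-week mark) is easy to get wrong when planning a migration cut-over. The following Python is an added worked example, not code from this thread or from Microsoft; it models the rule as the later of the two instants and lets you check on which date a given certificate would become due. Certificate dates and the renewal period are constructed sample values, and the function names are this example's own.

```python
from datetime import datetime, timedelta

# Added worked example (not from the original thread): when does Windows
# autoenrollment consider a certificate due for renewal?
# Rule quoted in the thread: the certificate must have completed 80% of its
# validity period AND be inside the template's renewal period (the window
# just before expiry). Both must hold, so the trigger is the later of the two.

WEEK = timedelta(weeks=1)


def renewal_trigger(not_before: datetime, not_after: datetime,
                    renewal_period: timedelta) -> datetime:
    """Earliest instant at which both renewal conditions are satisfied."""
    validity = not_after - not_before
    if validity <= timedelta(0):
        raise ValueError("not_after must be later than not_before")
    if renewal_period < timedelta(0) or renewal_period > validity:
        raise ValueError("renewal period must lie within the validity period")
    eighty_percent_mark = not_before + validity * 0.8      # condition 1
    renewal_window_start = not_after - renewal_period      # condition 2
    return max(eighty_percent_mark, renewal_window_start)


def weeks_into_lifetime(not_before: datetime, instant: datetime) -> float:
    """How many weeks after issuance a given instant falls (for reporting)."""
    return (instant - not_before) / WEEK


def is_due_for_renewal(not_before: datetime, not_after: datetime,
                       renewal_period: timedelta, now: datetime) -> bool:
    """True when autoenrollment would attempt renewal at `now`.

    After not_after the certificate is expired, not renewable, so that is
    excluded here (expired certificates are re-enrolled, not renewed).
    """
    return renewal_trigger(not_before, not_after, renewal_period) <= now < not_after


if __name__ == "__main__":
    # Constructed sample: a one-year machine certificate with the six-week
    # renewal period used in the thread's example (hypothetical dates).
    nb = datetime(2019, 1, 1)
    na = datetime(2020, 1, 1)
    mark80 = nb + (na - nb) * 0.8
    trigger = renewal_trigger(nb, na, 6 * WEEK)
    print(f"80% mark at {weeks_into_lifetime(nb, mark80):.1f} weeks, "
          f"renewal triggers at {weeks_into_lifetime(nb, trigger):.1f} weeks "
          f"({trigger:%Y-%m-%d})")
    # A longer renewal period moves the window start before the 80% mark,
    # so the 80% condition becomes the binding one.
    trigger_long = renewal_trigger(nb, na, 20 * WEEK)
    print(f"with a 20-week renewal period: {trigger_long:%Y-%m-%d}")
```

    For a migration, run this over the NotBefore/NotAfter dates of certificates issued by the old CA: nothing will renew against the new CA before its trigger date, which is why the reply recommends keeping the old CA around until its last issued certificate has either expired or been reissued.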
  • Hi

    With regards to A1:

    I have checked and managed to find a GPO which is adding the certificate from the CA. My question is, when I right-click and go through the Automatic Certificate Request Setup, how does it find the list specified?

    located: GPO\Computer Configuration\Policies\windows settings\security settings\Public Key Policies\Automatic Certificate Request Settings:

    It currently says Computer, Domain Controller, Enrollment Agent (Computer), IPSec. (Sorry, I cannot post an image as it says my account is not verified.)

    The reason I ask is that when I have migrated to a new CA server, how does this list get updated, and how do we know it is pointing to the new server, as it doesn't specify the server or CA name?

    Thanks

    I will come back to A2 later once I understand the above.

    Thursday, October 24, 2019 9:22 AM
    Also, if I create another Computer Certificate and give it the correct rights, why is it not listed as an option here in addition to Computer, Domain Controller, Enrolment Agent and IPSec?

    located: GPO\Computer Configuration\Policies\windows settings\security settings\Public Key Policies\Automatic Certificate Request Settings

    Thursday, October 24, 2019 1:42 PM
  • Hi,
    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 28, 2019 8:50 AM
    Moderator
  • Hi, 

    So far excellent, I have managed to create a certificate and change its version to 1 and that works correctly. 

    I read that you can auto-enrol certificates in this manner: https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

    When I tried to follow this guide, my computer would not auto-enrol. Any ideas? Do you have a step-by-step guide for doing this for Server 2008 R2 (will Server 2019 be different)?

    Thanks

    Monday, October 28, 2019 2:30 PM
  • Ok, update to this. 

    I have managed to get a certificate to auto-enrol :-) 

    What I noticed, though, is that in the Certificate Authority MMC, under Issued Certificates, it will display the issued certificate, but whereas other machines would show "Computer" as the certificate template, this shows a series of numbers (1.3.6.1.....etc.) as the certificate template, even though the certificate template name is "Computer Autoenroll". When I created this, I right-clicked on the Computer template, selected Duplicate Template, selected "Windows Server 2008 Enterprise" and then created the template. 

    Any idea? It's just that it makes it easier to identify which template is handing out the certificates.

    Monday, October 28, 2019 3:24 PM
  • Hi,
    I have seen this situation before in my test environment.

    According to my knowledge and experience, maybe it is a network delay. We can wait for a while, then check if it displays the certificate templates correctly instead of numbers.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 29, 2019 9:36 AM
    Moderator
  • Hi Daisy, 

    Ok. So onto the 2nd part. 

    Microsoft suggests migrating from 2008 R2 to 2012 and keeping the server name the same. Do you have a guide on changing the server name and the additional steps required? 

    Thanks

    Tuesday, October 29, 2019 3:12 PM
  • Hi,
    Thank you for your update and for marking my reply as the answer.

    Do we mean we keep the server name the same or the CA name the same?


    Best Regards,
    Daisy Zhou



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 30, 2019 1:03 AM
    Moderator
    Keep the CA name the same but the server name different; that way the 2008 R2 server can be powered on in a migration failure scenario.

    To be honest, I have gone through lots of articles and the majority point to keeping the hostname and CA name the same during the migration, but my concern was mainly around a failure and how to revert back to pre-migration. If I take this step, do you have a guide on how to revert back in this scenario?

    Thanks

    Wednesday, October 30, 2019 8:40 AM
  • If you follow this guide: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140%28v%3dws.10%29#backing-up-capolicyinf

    What you notice is a section called "removing the source server from the domain". It is here where it gets confusing: if you go by this documentation, then you are removing it from the domain because you intend to use the same computer name for the destination server. 

    Let me know what you think

    Thursday, October 31, 2019 12:28 PM
    Hi Daisy, any advice?
    Monday, November 4, 2019 3:49 PM
  • Hi,
    We can keep the same CA name and a different machine name. During our CA migration, we can keep the CA in our domain.

    Tip: Because every CA migration step contains a lot of operations, I suggest we had better test the CA migration in our lab before we migrate the CA in our production environment. If everything is OK in our lab, we can perform the operations in our production environment.


    Hope everything will be OK.




    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, November 19, 2019 4:32 AM
    Moderator