Migration of Intermediate CA role from existing Win 2008 R2 to Win 2012 R2 STD

  • Question

  • Hello Windows Server experts, 

    I need some help in migrating my Intermediate CA role, with all the issued certificates intact, from an existing Win 2008 R2 server to Win 2012 R2. Below are the steps I tried, but I am getting stuck and cannot progress further to complete the task. 

    Objective: Build a new VM with Win 2012 R2 - migrate the CA role to the new server with all issued certs - at cutover, shut down the source server and rename the target server to use the existing server name - activate the new server as the new Intermediate CA server and after 2-3 weeks decommission the old server. 

    Steps taken: 

    1. Took a clone of the source VM, changed the SSID and hostname, and performed an in-place OS upgrade to Win 2012 R2 STD. But after the OS upgrade the 'Certificate Authority' role was no longer showing as installed on it. So I couldn't proceed, and I can't take the risk of performing an in-place OS upgrade on the source server, as multiple systems and applications are using certs issued by this server and any issue with an in-place upgrade on the actual server may result in invalidation of the certs. 

    2. Built a parallel VM with a vanilla Win 2012 R2 OS and applied the latest security patches on it. Took a 'Backup of CA' from the source and 'Restored CA' at the new server. Here I have 2 challenges: 

    a. For integrating the intermediate CA with the Enterprise Root CA, I need to create a certificate request file (.req) from the new Intermediate CA, and only then can I issue a cert against it from the Enterprise Root CA and get it installed on the new Intermediate CA. How can I create this, as at the new Intermediate CA I do not get a drop-down menu to choose 'Subordinate CA' when trying to access http:\\<ServerIPAddress>\CertSrv - getting an error that HTTPS has to be enabled (for this I believe a cert has to be chosen in IIS to have port 443 enabled). 

    b. Do I have to manually migrate all the personal certs from the existing Intermediate CA on Win 2008 to the new server running Win 2012 R2? 

    Please advise how to achieve this migration without breaking the integrity of the licenses issued or going to be issued.


    Thursday, 12 September 2019 20:27

All Replies

  • The CA security experts hang out over here in the dedicated forum.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity




    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, 12 September 2019 20:46
  • Hello,
    Thank you for posting in our TechNet forum.

    According to your description, for CA migration we can refer to the blog 
    Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2.


    Considerations for migrating a CA to a new machine:

    1. Before CA migration, we need to check the CA function is OK (check through pkiview.msc).

    2. When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must remain unchanged.

    3. By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.

    4. During the installation process, we must choose to use the CA's existing certificate and private key instead of creating a new CA certificate and key.


    For Qa: According to the above blog, on the new intermediate CA we do not need to request a certificate from the Enterprise Root CA.

    For Qb: If we need all the personal certs on Win 2008, we can request the certificates again on 2012 R2 or re-issue these certificates to 2012 R2.


    For more information, we can refer to the two articles.

    Performing the Upgrade or Migration

    AD CS Migration: Migrating the Certification Authority



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, 13 September 2019 10:00
    Moderator
  • Hi,
    Does this question have any update, or is the issue solved? Also, for the question, is there any other assistance we could provide?



    Best Regards,
    Daisy Zhou

    Monday, 16 September 2019 01:16
    Moderator
  • Hi,
    Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know. 
     
    Again thanks for your time and have a nice day!



    Best Regards,
    Daisy Zhou

    Wednesday, 18 September 2019 02:02
    Moderator
  • Hi Daisy,

    Appreciate your response, the solution suggested and the follow-up. We are planning the implementation for the coming weekend. 

    I do need advice on the below to ensure a smooth migration and no impact on existing issued certs (being used by multiple desktops, mobile devices and apps). 

    Approach planned:

    1. Build a vanilla server with Win 2012 R2 OS. 

    2. Take a backup of certs from the source server as referred to in the link (Step-by-Step AD CS migration from 2003 to 2012 R2).

    3. Shut down the source server (just in case any issue is encountered, the change rollback would be to power on the source server as it was).

    We do not intend to uninstall AD CS on the source just yet. Once the source is powered down, we will have the target server (Win 2012 R2) brought into the network with the same hostname and IP address to avoid any conflict with CRLs, as advised above. 

    4. Install AD CS on the target server using Enterprise Admin and then restore the certs along with the private keys used to take the backup at the source (as mentioned in #2).

    5. Either get personal certs re-issued or export and import them from the source to the target server. 

    Queries

    i) How can I ensure the integration of the Enterprise Root CA server with my new Intermediate CA server?

    ii) Can I have 2 Intermediate CA servers in a domain serving the same purpose at a given time with different host names but the same CA issuer?

    Let me know your input if you have done a similar activity. I do not want to risk getting the existing valid certs nullified. 

    Sunday, 22 September 2019 21:42
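The backup/restore sequence planned in the post above, together with the migration considerations listed earlier in the thread (CA name unchanged, reuse of the existing CA certificate and key, CRL paths that embed the old host name), written out as one scripted run. This is an added example, not code from any participant in the thread; the host name and backup path are placeholders, certutil is used on the 2008 R2 source, and the ADCSAdministration cmdlets run on the 2012 R2 target.

```powershell
# Added example (not from the thread). Placeholders: C:\CABackup, OLDCA01.corp.example

# ---- On the SOURCE CA (Windows Server 2008 R2) ----
# Confirm the CA is healthy before backing it up (the scripted counterpart of the pkiview.msc check)
certutil -ping
certutil -getreg CA\CRLPublicationURLs      # note every path that embeds the old host name

# Back up database, log files and the CA certificate + private key (certutil prompts for a password)
$backup = 'C:\CABackup'
New-Item -ItemType Directory -Path $backup -Force | Out-Null
certutil -backup $backup
# Capture the CA configuration (CDP/AIA URLs, validity periods, policy settings)
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$backup\CAConfig.reg" /y
# Record the published templates so the same set can be re-assigned on the target
certutil -catemplates > "$backup\CATemplates.txt"

# ---- On the TARGET CA (Windows Server 2012 R2) ----
# Prerequisite: the AD CS role was installed choosing "use existing certificate and private key"
# with the .p12 from the backup, so the CA name and key are unchanged and no new
# subordinate CA request to the root CA is needed.
Import-Module ADCSAdministration
Stop-Service certsvc
# Restore the database that was backed up on the source
Restore-CARoleService -Path $backup -Password (Read-Host -AsSecureString 'CA backup password') -Force
# Bring the source configuration back; review the .reg first if the host name differs from the source
reg import "$backup\CAConfig.reg"
Start-Service certsvc

# Only needed when the target host name differs: keep publishing the CRL and CA cert at the
# old (pre-migration) path so certificates issued before the move still pass revocation checks
$oldHost = 'OLDCA01.corp.example'   # placeholder for the pre-migration host name
Add-CACrlDistributionPoint -Uri "http://$oldHost/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri "http://$oldHost/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force
Restart-Service certsvc
certutil -crl                       # publish a fresh CRL to all configured locations
```

Keep the source server powered off but intact until the new CA has issued and revoked successfully, which matches the rollback plan in the post above.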
  • Hi,

    A1: I am sorry, I have not done such a test or activity. Remember, we had better test it in a test environment before we perform related operations in our production environment.

    A2: Yes, we can have more than one issuing CA server in one domain.


    Reference:
    Step by step Instructions for Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2 – Part 1 and Part 2 and Part 3



    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.


    Best Regards,
    Daisy Zhou

    Tuesday, 24 September 2019 09:58
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.




    Best Regards,
    Daisy Zhou

    Friday, 27 September 2019 09:29
    Moderator