import an entire PKI in Windows Server 2008

    Question

  • Hi,

    I would like to import an old PKI I have on a netasq in windows server.

    So I would need to import rootCA, every subCA and every end users.

    Is that possible with Windows Server PKI Enterprise?

    Best Regards

    Tuesday, June 24, 2014 2:27 PM

Answers

  • There is no default import option for data from other PKI platforms as there are many details not exactly covered by standards (such as renewal of a CA...) but I would test the following:

    Pre-requisites:

    • Keys and certificates of the CAs available as PKCS#12 files
    • All certificates of end-entities available as BASE64 or DER encoded files.
    • Know the CDP and AIA URLs; make sure that a Windows user or the CA machine will be able to publish CRL / CRT files there.

    Main steps:

    • Import keys
    • Set up new Windows CAs with the option to use existing keys and certificates.
    • Configure the Windows PKI with CDP and AIA URLs as before / setup OCSP if required / configure CRL validity times...
    • Import all certificate files to the Windows CA databases.
    • Publish new CRLs
    • Issue new certificates
    • Check if certificates issued before and after this migration can be validated.

    If the other PKI supports e.g. renewal or archival of user keys, additional configuration would be required. There is also some chance that the other PKI used specific attributes in CA certificates that the Windows PKI might not like - so test it carefully.

    Elke

    Tuesday, June 24, 2014 3:36 PM
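The following script is an added example (not part of the original thread and not Elke's code) that turns the main steps above into certutil commands on the new Windows CA. Hostnames, file names, the CA name and the folder of exported certificates are placeholders to be adapted; it assumes the old CA key and certificate were exported as a PKCS#12 file and the previously issued certificates as DER or Base64 files.

```powershell
# Added example, not from the original thread: scripting the migration steps with certutil.
# Run in an elevated PowerShell prompt on the new CA machine. All names below are placeholders.
$ErrorActionPreference = 'Stop'
$pkiHost  = 'pki.example.local'            # placeholder: web server that will host CRL / CRT files (same URLs as before)
$pfxFile  = '.\subca-from-old-pki.pfx'     # placeholder: PKCS#12 export of the old CA key + certificate
$oldCerts = '.\old-issued-certs'           # placeholder: folder with all previously issued end-entity / subCA certs
$pfxPwd   = Read-Host -AsSecureString 'PFX password'
$pfxPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPwd))

# Step 0: review the old CA certificate before importing it. Unusual extensions or
# attributes show up here, which is where the "Windows PKI might not like it" risk lives.
certutil -dump $pfxFile

# Step 1: import the CA key and certificate into the local machine store.
# certutil -importPFX exists on Server 2008; Import-PfxCertificate would need 2012+.
certutil -f -p $pfxPlain -importPFX My $pfxFile

# Step 2: install the CA role reusing that key and certificate.
# On Server 2012+ the ADCSDeployment cmdlet does it; on Server 2008 the same choice is made in the
# Add Roles wizard ("Use existing private key" -> "Use certificate and associated private key").
if (Get-Command Install-AdcsCertificationAuthority -ErrorAction SilentlyContinue) {
    Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
        -CertFile $pfxFile -CertFilePassword $pfxPwd -Force
}

# Step 3: CDP / AIA URLs as before, plus CRL validity. certutil separates multiple URLs with a literal "\n".
# Leading flag: 1 = publish to this location, 2 = include in the CDP / AIA extension of issued certificates.
# %WINDIR%, %3 (CA name), %8/%9 (CRL / delta suffix), %1 (server), %4 (cert index) are expanded by the CA.
$cdp = '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n' + "2:http://$pkiHost/CertEnroll/%3%8%9.crl"
$aia = '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n' + "2:http://$pkiHost/CertEnroll/%1_%3%4.crt"
certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
Restart-Service certsvc

# Step 4: import every previously issued certificate into the CA database so the new CA
# can revoke them. They were signed by the same key, so the issuer check passes; if the CA
# still reports a certificate as foreign, the KRAF_ENABLEFOREIGN flag on CA\KRAFlags allows it.
Get-ChildItem $oldCerts -Include *.cer,*.crt,*.der -Recurse | ForEach-Object {
    certutil -f -importcert $_.FullName
}

# Step 5: publish a fresh CRL to the configured locations.
certutil -crl

# Step 6: validate one pre-migration and one newly issued certificate through the
# published CDP / AIA, which is the check that tells you the migration actually worked.
function Test-ChainOnline {
    param([string]$CertFile)
    # -urlfetch follows the CDP and AIA URLs in the chain instead of relying on local caches
    certutil -verify -urlfetch $CertFile | Select-String 'Verified|Revocation|ERROR|failed'
}
Test-ChainOnline (Get-ChildItem $oldCerts -Filter *.cer | Select-Object -First 1).FullName
Test-ChainOnline '.\newly-issued-test.cer'    # placeholder: a certificate issued by the migrated CA
```

Step 6 is worth running from a client that has no cached CRLs, since a chain that validates only because of the CA machine's own cache is the usual way a wrong CDP URL goes unnoticed until the first CRL expires.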