In this series we will go through the main steps to migrate our Enterprise Subordinate Certification Authority from a Windows Server 2008 R2 server to a Windows Server 2012 R2 server (side-by-side move). In Part 1 of this series I discuss the main requirements and the preparation done on the source server (the CA on 2008 R2).
Key things to note:
- If you would like the new CA server to have the same computer name as the old one, you will need to decommission the old server and remove it from the domain before building the new server. In our case I will keep the old server (just disable the Certificate Services Windows service) and give the new server a new name, in case you need to revert at any time.
- During the migration and setup of the CA on the new server, no certificates or CRLs will be issued, so it is preferable to run this after hours. Plan to publish a CRL that will cover the downtime period.
- The user running the migration should be a member of the Enterprise Admins or Domain Admins group.
- Publish a new CRL to ensure that your migration period is covered: open the Certification Authority console, right-click Revoked Certificates – All Tasks – Publish.
- Take a backup from the current source CA (2008 R2 server): right-click the Certification Authority – All Tasks – Back Up CA.
Make sure to tick both check boxes as shown above (Private Key, CA Cert and DB). Store them in a dedicated empty folder (it will be copied later to the destination server).
- After picking a password and finishing the wizard, check the backup folder (in our case C:\CA_Backup). We should have a CAname.P12 file and a Database folder.
- The next step is to take a backup of the CA configuration in the registry as another checkpoint/line of defense (hopefully it won't be needed). Navigate to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, right-click Configuration, choose Export and save the output REG file in the same backup location.
- If a custom CAPolicy is used, copy the CAPolicy.inf file from C:\Windows (the default location) to the backup folder created earlier.
- The final step on the source CA server is to stop the Certification Authority service and change its startup type to Disabled, in case anyone tries to start it by mistake (remember we will be keeping the source server for some time until everything is up on the new server).
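The source-server preparation above (publish a CRL, back up the key and database, export the registry configuration, copy CAPolicy.inf, stop and disable the service) can be scripted so it is repeatable and its results are checked. The following PowerShell is an added example, not code from the original post; it assumes the backup folder C:\CA_Backup used in the post, the default C:\Windows\CAPolicy.inf location, and an elevated session on the 2008 R2 CA run as an Enterprise Admin or Domain Admin. It uses certutil and reg.exe rather than the ADCSAdministration cmdlets, which are not available on 2008 R2.

```powershell
# Added example (not from the original post): scripted version of the source-CA
# preparation steps. Assumptions: C:\CA_Backup is the dedicated empty backup folder,
# CAPolicy.inf lives in the default %windir% location, and the session is elevated.

$BackupDir = 'C:\CA_Backup'                                            # post's example path
$RegKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CAPolicy  = Join-Path $env:windir 'CAPolicy.inf'                      # default location

# 1. Publish a fresh CRL so the downtime window is covered.
certutil -CRL
if ($LASTEXITCODE -ne 0) { throw "CRL publication failed (exit code $LASTEXITCODE)" }

# 2. Back up the private key, CA certificate and database. This is the command-line
#    equivalent of the Back Up CA wizard with both boxes ticked; certutil requires an
#    empty destination folder, so refuse to reuse an existing one.
if (Test-Path $BackupDir) { throw "$BackupDir already exists; use a dedicated empty folder" }
New-Item -ItemType Directory -Path $BackupDir | Out-Null

$secure = Read-Host -AsSecureString 'Password to protect the CA private key backup'
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
# Note: the password is passed on certutil's command line and is briefly visible in
# the process list on this host; run this only from an interactive admin session.
certutil -p $plain -backup $BackupDir
$plain = $null
if ($LASTEXITCODE -ne 0) { throw "CA backup failed (exit code $LASTEXITCODE)" }

# 3. Export the CA configuration registry key as an extra checkpoint.
reg export $RegKey (Join-Path $BackupDir 'CertSvc_Configuration.reg') /y
if ($LASTEXITCODE -ne 0) { throw "Registry export failed (exit code $LASTEXITCODE)" }

# 4. Copy a custom CAPolicy.inf if one exists.
if (Test-Path $CAPolicy) { Copy-Item $CAPolicy $BackupDir }

# 5. Verify the folder holds what the post says it should: a <CAname>.p12 and a Database folder.
if (-not (Get-ChildItem $BackupDir -Filter '*.p12'))       { throw 'No .p12 file found in the backup folder' }
if (-not (Test-Path (Join-Path $BackupDir 'DataBase')))   { throw 'No Database folder found in the backup folder' }

# 6. The folder now contains the CA private key: restrict it to Administrators and
#    SYSTEM before it is copied anywhere.
icacls $BackupDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# 7. Stop the Certification Authority service and disable it so nobody starts it by mistake.
#    (To revert: Set-Service CertSvc -StartupType Automatic; Start-Service CertSvc)
Stop-Service CertSvc
Set-Service CertSvc -StartupType Disabled
$svc = Get-WmiObject Win32_Service -Filter "Name='CertSvc'"
if ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled') { throw 'CertSvc is not stopped and disabled' }
Write-Host "Source CA prepared; backup is in $BackupDir"
```

Each step throws on failure so a half-finished preparation is obvious rather than silently carried over to the destination server; the verification in step 5 is the same check the post asks you to do by eye after the wizard completes.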