

Issuing CA migration steps

CA Migration Steps

Required Components

  • Copy of the source CA’s Policy CAPolicy.inf file.

  • List of the source CA’s Certificate Templates

  • Copies of source CA’s certification chain (includes root CA, policy CA and all source issuing CA certificates)

  • Copy of the backup of the original Issuing CA’s Database

  • Backup of the CA’s original registry configuration:

HKLM\SYSTEM\CurrentControlSet\Services\CertSvc

  • Method to transfer this data from the Source CA to both members of the Destination CA cluster

    • Network (SMB) transfer would be easiest

    • Recommend also copying files to a USB stick so that a second copy of these resources exists

Permissions required to complete the migration

To install an enterprise CA or a standalone CA on a domain member computer, you must be a member of the Enterprise Admins group or Domain Admins group in the domain. To install a standalone CA on a server that is not a domain member, you must be a member of the local Administrators group. Removal of the CA role service from the source server has the same group membership requirements as installation.

High-level migration steps

Migrate from a 2003 CA to a 2008 CA (Note: I have tested these steps for migration to 2012 CA as well)

  • Check that CRLs have a validity period that extends past expected migration duration

  • Backup source CA Database

  • Record settings on CA Property tabs

    • Security

    • Audit

  • Stop and Disable Certificate Services on Source CA

  • Shutdown Source CA

    • Note: If the migration is successful, do not start certificate services on the Source CA at a later date.  Also, do not remove the certificate services role from the server.  Either action will update Active Directory with stale or intentionally abandoned information, impacting the current CA service availability.
  • Restore destination CA(s) - on both Node members:

    • Copy CAPolicy.inf from source CA to destination CA(s).

    • Import entire CA cert chain, including issuing CA certificate(s)

      • Note: If the CA certificate has ever been renewed, there will be multiple
    • Add the ADCS role, indicating that it should use the most recent existing private key and certificate


Tasks on Source CA

Note that all files should be copied to a USB stick or a network share accessible by both the source and destination CA servers.

Item

Description

1.              

Check that CRLs have a validity period that extends past expected migration duration

 

If not, publish CRLs - ensure that published CRLs have a duration that is reasonably longer than the estimated duration of the migration.

2.              

Backup existing CA templates list

 

From a cmd.exe window, run:

 

certutil -catemplates > catemplates.txt

 

Or

 

Open “Certification Authority” and expand the tree to display “Certificate Templates”.  Screenshot or manually record listed templates.

3.              

Backup CA database (Requires Domain Administrator)

 

Open a cmd.exe window and run:

 

certutil.exe -backupdb <BackupDirectory>

 

Or

 

In the “Certification Authority” window, right-click the CA Name, navigate to “All Tasks” > “Back up…” and backup just the CA database and log.

 

Do not perform an incremental backup.  Do not export the private key and certificate.  We have already backed up the certificate and we will back up the private key using an HSM-specific process in the next step.

4.              

Backup CA Certificate and certificate chain

 

Open cmd.exe window and run the following:

 

certutil -ca.cert cacert.cert <Index#>

 

And repeat for each certificate index.  There will be multiple certificates if this particular CA has ever been renewed.

 

certutil -ca.chain cachain.p7b <Index#>

 

Or

 

Right-click on the CA name, select “Properties” and copy the CA’s certificate to a file as a p7b file, including the full certification chain.

 

There may be multiple CA Certificates listed - repeat, creating a new p7b for each.

5.              

Record CA Security Settings

 

Right click on the CA name, select Properties and view the Security Tab.

 

Record these settings for destination CAs.

6.              

Record CA Audit Settings

 

Right click on the CA name, select Properties and view the audit tab.

 

Record these settings so they can be applied to the destination CAs.

7.              

Backup the CA Registry

 

Open a cmd.exe window and run:

 

reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration <output file.reg>

 

OR

 

Using Regedit, navigate to “HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration” - right-click this key and export it to a file.

8.              

Backup CAPolicy.inf

 

Copy the file from %SYSTEMROOT%, which is usually “C:\Windows” to the USB stick storage location.

9.              

Optional: Remove the CA Role from the source computer (Requires Domain Administrator)

 

Please see this note from Microsoft:

 

"Although it is not recommended, some administrators may choose to leave the CA role service installed on the source server to enable the source CA to be brought online quickly in the case of migration failure. If you choose not to remove the CA role service from the source server before installing the CA role service on the destination server, it is important that you disable the Active Directory Certificate Services service (Certsvc) and shut down the source server before installing the CA role service on the destination server. Do not remove the CA role service from the source server after completing the migration to the destination server. Removing the CA role service from the source server after migrating to the destination server interferes with the operation of the destination CA." [MS TechNet]

 

If you do not wish to remove the ADCS role from the source server, perform the following actions:

 

1.     Stop and disable certsvc.

2.     Power off server.

10.           

Optional:

 

Remove the source server from the domain.

 

Please note that if the source and destination server have different hostnames, this step is not necessary.  It is only required if the destination hostname is the same as the source hostname.

Target Issuing CA

Item

Description

1.              

Install root, policy, and issuing certificate into appropriate certificate stores, if necessary.

 

Open all the .p7b files containing the CA’s certification chain(s).

 

Open an “mmc.exe” instance and add the Certificates snap-in to display Local Computer Certificates.

 

Compare the certificate contents listed in each file to certificates listed in “Trusted Root Certification Authorities” and “Intermediate Certification Authorities” certificate folders.

 

 

2.              

From each p7b file, extract the Issuing CA certificate to a file as “Base-64 encoded X.509 (.CER)” and save it to “E:\CA Certificates\<CA Name> Cert <#>.cer”.

 

If you have 2 certificates, you should then end up with the following files:

·         “E:\CA Certificates\Issuing CA Cert 0.cer”

·         “E:\CA Certificates\Issuing CA Cert 1.cer”

3.              

Add the Issuing certificate from the “E:\CA Certificates” to the user’s local Certificate Store.

 

In the second command window, run the following command:

 

certutil -addstore My "E:\CA Certificates\<CA Name> Cert <#>.cer"

 

Note that the filename (and path) may change based on the CA name selected.

 

Make sure that this is repeated for each certificate.

4.              

List the serial number of the certificate.

 

In the second command window, run the following command:

 

certutil -store -v My "<CA Name>" | findstr Serial

5.              

Note the Serial Number(s) of the certificate(s) output by the previous command.

6.              

Copy the Source CA’s “CAPolicy.inf” to %SYSTEMROOT% (which should be “C:\Windows”) of the destination CA

 

Note: Administrator rights are required.

7.              

Add Active Directory Certificate Services role

 

Note - Requires Enterprise Administrator

 

From the “Start” button, choose “Run” then enter “servermanager.msc” and click OK.

8.              

On the “Add Roles Wizard”, click “Next”

9.              

On the “Add Roles Wizard”, check “Active Directory Certificate Services” and click “Next”

10.           

On the “Introduction to Active Directory Services” window, click “Next”

11.           

On the “Select Role Services” window, click “Next”.

12.           

On the “Specify Setup Type” window, select “Enterprise” and click “Next”.

13.           

On the “Specify CA Type” window, select “Subordinate CA” and click “Next”.

14.           

On the “Set Up Private Key” window, select “Use existing private key”, then “Select a certificate and use its associated private key.” then click “Next”.

15.           

On the “Select Existing Certificate” window select the most recent “<CA NAME>” certificate and click “Next”

16.           

On the “Select Existing Certificate” window, check the box next to “Allow Administrator interaction each time the key is loaded…”

17.           

On the “Configure Certificate Database” window, click “Browse” next to “Certificate database location:” and change the setting to point at the database location, for example “V:\PKI\Certdb”.

18.           

On the “Configure Certificate Database” window, click “Browse” next to “Certificate database log location:”, change the setting to point at the log location, for example “V:\PKI\Certlog”, and click “Next”.

19.           

On the “Confirm Installation Selections” window, click “Install”.

20.           

You should receive a “Successful Installation” message - click “Close”.

21.           

On the “certsrv - [Certification Authority (Local)]” window, in the left pane, right click on “<CA NAME>” and select “All Tasks” -> “Start Service”.

22.           

On the “certsrv - [Certification Authority (Local)]” window, in the left pane, right click on “<CA NAME>” and select “Properties”.

23.           

On the “<CA NAME> Properties” window, click the “General” tab and then click on “View Certificate”

24.           

On the “Certificate” window, click on the “Details” tab, then click on “Serial number”.  This should match the original CA certificate.

25.           

On the “Certificate” window, click “OK”

26.           

On the “<CA NAME> Properties” window, click “OK”.

27.           

Stop Certificate Services for now.

28.           

Done with the first CA of the cluster.


Restore CA database and configuration on destination server

Perform these steps on the active node - whichever is currently accessing the shared storage.

Item

Description

1.              

Restore the source CA Database to the destination CA

 

Open a cmd.exe window and run:

 

certutil.exe -f -restoredb <CA Database Backup Directory>

 

Or

 

In the “Certification Authority” window, right-click the CA name then navigate to “All tasks” > “Restore CA”, check the box to “Only restore Certificate Database and Log” then specify the location of the CA Database Backup Directory.  This will be the directory above the “Database” directory.

2.              

On the resulting “Certification Authority Restore Wizard” window, click “Yes”.  This is a full database backup, so there are no additional incremental backups to restore.

3.              

Stop Certificate Services.

4.              

Backup the current registry on the destination CA

 

Open a cmd.exe window and run:

 

reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration <output file.reg>

 

Or

 

Using Regedit, navigate to: “HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration” - right-click this key and export it.

5.              

Restore the source CA registry to the destination CA

 

Microsoft procedures are very specific about this process.  Please use the following instructions:

 

"Some registry parameters should be migrated without changes from the source CA computer, and some should not be migrated. If they are migrated, they should be updated in the target system after migration because some values are associated with the CA itself, whereas others are associated with the domain environment, the physical host, the Windows version, or other factors that may be different in the target system.

 
A suggested way of performing the registry configuration import is first to open the registry file you exported from the source CA in a text editor and analyze it for settings that may need to be changed or removed. The following table shows the configuration parameters that should be transferred from the source CA to the target CA."
[MS TechNet]

 

Open a new text file and build a new file by copying and pasting the relevant items from the Source CA .reg file to the new text file.  Save this text file as Migration<CA NAME>.reg.

 

Each registry location is listed below, followed by the configuration parameters to copy from it.

Registry location: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\certsvc\Configuration\

Copy the following entries, but do not keep the original values; update them to the correct values for this installation:

  • DBDirectory
  • DBLogDirectory
  • DBSystemDirectory
  • DBTempDirectory

Registry location: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\certsvc\Configuration

  • LDAPFlags

Registry location: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\certsvc\Configuration\CAname

  • AuditFilter
  • DSConfigDN
  • ForceTeletex
  • CRLEditFlags
  • CRLFlags
  • InterfaceFlags (required only if it has been changed manually)
  • EnforceX500NameLengths
  • SubjectTemplate
  • ValidityPeriod
  • ValidityPeriodUnits
  • KRACertHash
  • KRACertCount
  • KRAFlags
  • CRLPublicationURLs
  • CRLPeriod
  • CRLPeriodUnits
  • CRLOverlapPeriod
  • CRLOverlapUnits
  • CRLDeltaPeriod
  • CRLDeltaPeriodUnits
  • CRLDeltaOverlapPeriod
  • CRLDeltaOverlapUnits
  • CACertPublicationURLs (check for custom entries with hard-coded host names or other data specific to the source CA)
  • CACertHash

Registry location: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\certsvc\Configuration\CAname\ExitModules\CertificateAuthority_MicrosoftDefault.Exit

  • PublishCertFlags

Registry location: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\certsvc\Configuration\CAname\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy

  • EnableRequestExtensionList
  • EnableEnrolleeRequestExtensionList
  • DisableExtensionList
  • SubjectAltName
  • SubjectAltName2
  • RequestDisposition
  • EditFlags

 

Analyze the newly-created registry file (from [MS TechNet])

1.   Right-click the newly-created Migration<CA NAME>.reg file.

2.   Click Edit to open the file in a text editor.

3.   Check any registry values that indicate local file paths, such as the following, to ensure drive letter names and paths are correct for the target CA. If there is a mismatch between the source and the target CA, either update the values in the file or remove them from the file so that the default settings are preserved on the target CA.

These storage location settings are selected during CA setup. They exist under the Configuration registry key:

·        DBDirectory

·        DBLogDirectory

·        DBSystemDirectory

·        DBTempDirectory

The following settings under the Configuration\{CA Name} registry key contain, in their default values, a local path. (Alternatively, you can update these values after importing them by using the Certification Authority snap-in. The values are located on the CA properties Extensions tab.)

·        CACertPublicationURLs

·        CRLPublicationURLs
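The copy-and-paste step can be scripted. The following is an added example, not part of the original post or of Microsoft's procedure: a Python script that builds the contents of Migration<CA NAME>.reg from the source export by keeping only the parameters listed above, and reports the path- and URL-bearing values that need the manual check just described. The sample export, the host name and the CA name "Example Issuing CA" are constructed for illustration.

```python
import re

ROOT = r"hkey_local_machine\system\currentcontrolset\services\certsvc\configuration"
# Allow-list from the table above; "" = Configuration key, "*" = <CA name> subkey.
KEEP = {
    "": "DBDirectory DBLogDirectory DBSystemDirectory DBTempDirectory LDAPFlags",
    "*": "AuditFilter DSConfigDN ForceTeletex CRLEditFlags CRLFlags InterfaceFlags "
         "EnforceX500NameLengths SubjectTemplate ValidityPeriod ValidityPeriodUnits "
         "KRACertHash KRACertCount KRAFlags CRLPublicationURLs CRLPeriod CRLPeriodUnits "
         "CRLOverlapPeriod CRLOverlapUnits CRLDeltaPeriod CRLDeltaPeriodUnits "
         "CRLDeltaOverlapPeriod CRLDeltaOverlapUnits CACertPublicationURLs CACertHash",
    "*\\exitmodules\\certificateauthority_microsoftdefault.exit": "PublishCertFlags",
    "*\\policymodules\\certificateauthority_microsoftdefault.policy":
        "EnableRequestExtensionList EnableEnrolleeRequestExtensionList "
        "DisableExtensionList SubjectAltName SubjectAltName2 RequestDisposition EditFlags",
}
KEEP = {scope: set(names.lower().split()) for scope, names in KEEP.items()}
# Values the page says hold local paths or host names: check them before importing.
REVIEW = {"dbdirectory", "dblogdirectory", "dbsystemdirectory", "dbtempdirectory",
          "cacertpublicationurls", "crlpublicationurls"}

def scope_of(key):
    """Map a full registry key path to its allow-list scope, or None."""
    k = key.lower()
    if k != ROOT and not k.startswith(ROOT + "\\"):
        return None
    _, _, sub = k[len(ROOT) + 1:].partition("\\")  # drop the CA name component
    scope = "" if k == ROOT else ("*\\" + sub if sub else "*")
    return scope if scope in KEEP else None

def filter_reg(text):
    """Return (filtered .reg text, value names that need manual review)."""
    out, review = ["Windows Registry Editor Version 5.00"], []
    key, scope, header_written, keeping = None, None, False, False
    for line in text.splitlines():
        m = re.match(r'"([^"]+)"=', line)
        if line.startswith("["):
            key, header_written, keeping = line.strip()[1:-1], False, False
            scope = scope_of(key)
        elif m:
            keeping = scope is not None and m.group(1).lower() in KEEP[scope]
            if keeping:
                if not header_written:  # emit a key header only if it has kept values
                    out += ["", "[%s]" % key]
                    header_written = True
                out.append(line)
                if m.group(1).lower() in REVIEW:
                    review.append(m.group(1))
        elif keeping and line.startswith(" "):
            out.append(line)  # continuation of a multi-line hex value
        else:
            keeping = False
    return "\n".join(out) + "\n", review

# Constructed sample export, not from a real CA; all names are placeholders.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]
"DBDirectory"="C:\\WINDOWS\\system32\\CertLog"
"DBSessionCount"=dword:00000014

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Example Issuing CA]
"CAServerName"="srcca.example.test"
"CRLPublicationURLs"=hex(7):36,00,35,00,3a,00,43,00,\
  3a,00,5c,00,00,00,00,00
"CRLPeriodUnits"=dword:00000001
"""
if __name__ == "__main__":
    print("{}Review before import: {}".format(*filter_reg(SAMPLE)))
```

reg export writes UTF-16 text, so read the source file with encoding="utf-16" before passing its contents to filter_reg. Values that are not in the list, such as CAServerName and DBSessionCount in the sample, are dropped and are set by hand on the destination in the later steps.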

 

Once the text file is analyzed, it can be imported into the target CA. By importing the source server registry settings backup into the destination server, the source CA configuration is migrated to the destination server.

To import the source CA registry backup on the destination CA (from [MS TechNet])

1.   Log on to the destination server as a member of the local Administrators group.

2.   Open a Command Prompt window.

3.   Type “net stop certsvc” and press ENTER.

4.   Type “reg import  Migration<CA NAME>.reg” and press ENTER.

Edit the CA registry settings to verify the import (from [MS TechNet])

1.   Click Start, type regedit.exe in the Search programs and files box, and press ENTER to open the Registry Editor.

2.   In the console tree, locate the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration, and click Configuration.

3.   In the details pane, double-click DBSessionCount.

4.   Click Hexadecimal. In Value data, type 64, and then click OK.

5.   Verify the locations specified in the following settings are correct for your destination server, and change them as needed to indicate the location of the CA database and log files.

·        DBDirectory

·        DBLogDirectory

·        DBSystemDirectory

·        DBTempDirectory

Important (from [MS TechNet])

Complete steps 6 through 8 only if the name of your destination server is different from the name of your source server.

6.   In the console tree of the registry editor, expand Configuration, and click your CA name.

7.   Modify the values of the following registry settings by replacing the source server name with the destination server name.

Note (from [MS TechNet])

In the following list, CACertFileName and ConfigurationDirectory values are created only when certain CA installation options are specified. If these two settings are not displayed, you can proceed to the next step.

·        CAServerName

·        CACertFileName

·        ConfigurationDirectory – This value should appear in Windows Registry under the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration.

 

 

6.              

Verify certificate extensions on the destination CA following Microsoft’s instructions [MS TechNet]:

 

The steps described for importing the source CA registry settings and editing the registry in case of a server name change are intended to retain the network locations that were used by the source CA to publish CRLs and CA certificates. If the source CA was published to default Active Directory locations, after completing the previous procedure, there should be an extension with publishing options enabled and an LDAP URL that references the source server's NetBIOS name; for example,  ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>.

Because many administrators configure extensions that are customized for their network environment, it is not possible to provide exact instructions for configuring CRL distribution point and authority information access extensions.

Carefully review the configured locations and publishing options, and ensure that the extensions are correct according to your organization's requirements.

To verify extensions by using the Certification Authority snap-in

1.   Review and modify the CRL distribution point and authority information access extensions and publishing options by following example procedures described in Specify CRL Distribution Points (http://go.microsoft.com/fwlink/?LinkID=145848).

2.   If the destination server name is different from the source server name, add an LDAP URL specifying a location that references the destination server's NetBIOS name with the substitution variable <ServerShortName>; for example ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>.

 

7.              

Update the CRLPublicationURLs entries to account for a change in the HTTP CDP

 

Open Regedit and navigate to: HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>

 

Double-click the “CRLPublicationURLs” value and change the http:// entry:

“ap-pkipuneet-p01” to “is-pkipuneet-p01”.

8.              

Restore the certificate template list, if necessary.

 

Because the Enterprise CAs obtain their Certificate Template List from Active Directory, the list should be correct.

 

Open the “catemplates.txt” file generated when backing up the source CA.

 

Verify that the contents of the file match the displayed Certificate Templates.

 

If they do not, open a cmd.exe window and run the following:

 

certutil -setcatemplates +<templatelist>

 

Replace “<templatelist>” with a comma-separated list of the template names that are listed in the catemplates.txt file.  For example:

 

certutil -setcatemplates +Administrator,User,DomainController

 

Review the list of templates created during task “Backing up a CA templates list.”

9.              

Turn on Auditing for this CA

 

Right-click the CA Name and select Properties.  Next, select the “Auditing” tab and check all boxes.  Acknowledge the warning box that pops up when checking the bottom box, then click “OK” to close the Properties window.

10.           

Grant permissions on CDP and AIA containers

 

Because the host names of the destination CA cluster member are different from the source CA host name, these servers must be granted permissions on the source server's CDP and AIA containers in AD DS to publish CRLs and CA certificates. Complete the following procedure in the case of a server name change.

To grant permissions on the AIA and CDP containers

1.   Log on as a member of the Enterprise Admins group to a computer on which the Active Directory Sites and Services snap-in is installed.

2.   Click Start, point to Run, type dssite.msc, and then click OK.

3.   In the console tree, click the top node.

4.   On the View menu, click Show services node.

5.   In the console tree, expand Services, expand Public Key Services, and then click AIA.

6.   In the details pane, right-click the name of the source CA, and then click Properties.

7.   Click the Security tab, and then click Add.

8.   Click Object Types, click Computers, and then click OK.

9.   Type the name of the destination server, and click OK.

Note: Repeat for each node of the cluster

10.  In the Allow column, click Full Control, and click Apply.

11.  If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

12.  In the console tree, expand CDP, and then click the name of the source server.

13.  In the details pane, right-click the cRLDistributionPoint item at the top of the list, and then click Properties.

14.  Click the Security tab, and then click Add.

15.  Click Object Types, click Computers, and then click OK.

16.  Type the name of the destination server, and click OK.

Note: Repeat for each node of the cluster

17.  In the Allow column, click Full Control, and click Apply.

18.  If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

19.  Repeat steps 13 through 18 for each cRLDistributionPoint item.


Verify the Migration

Item

Description

1.              

Verify Certificate Enrollment

 

Start autoenrollment for user certificates by completing the following procedure or by running the following command:

 

certutil.exe -pulse

 

OR

 

Manually create a certificate signing request and issue a certificate against that request.

2.              

Verify CRL publishing

 

If you published a certificate revocation list (CRL) with an extended validity period before beginning migration, you should change the CRL publishing period back to its pre-migration value.

 

To publish a CRL, open a cmd.exe window and run:

 

certutil -crl