Move a CA to a Different Computer

Applies To: Windows Server 2008

Important

This topic is superseded by AD CS Migration: Migrating the Certification Authority (https://go.microsoft.com/fwlink/?LinkID=195052). Please use the instructions in that article instead.

This topic remains in place to help people discover the updated article, ensure bookmarks are not broken, and for historical purposes.

Certification authorities (CAs) are configured to exist for many years or decades, during which time you may want to upgrade the hardware and operating system that supports the CA.

Moving a CA from one computer to a second computer involves the following procedures:

  • Backing up the CA on the first computer

  • Restoring the CA on the second computer

To move a CA from a server that is running Windows Server 2003 to a server that is running Windows Server® 2008, you can either complete the Windows upgrade first and then move the CA or move the CA first and then upgrade Windows.

  • To upgrade Windows first: Upgrade the first server from Windows Server 2003 to Windows Server 2008, back up the CA on this server, and then restore the CA on a second server running Windows Server 2008.

  • To move the CA first: Back up the CA on a computer running Windows Server 2003, restore the CA on a second computer running Windows Server 2003, and then upgrade the second server to Windows Server 2008.

You must be a CA administrator to complete this procedure. For more information, see Implement Role-Based Administration.

To back up a CA

  1. Open the Certification Authority snap-in.

  2. If you are backing up an enterprise CA, click Certificate Templates for the CA, and record the names of the certificate templates that are listed.

Note

Certificate template settings are stored in Active Directory Domain Services (AD DS) and are not automatically backed up. You will need to manually add the certificate templates that you need to the new CA.

  3. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.

  4. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes.

  5. Specify an empty folder or storage media as the backup location, and then click Next.

  6. Type a password for the CA private key backup file, and type it a second time to confirm the password.

  7. Click Next, verify that the Private Key and CA Certificate and Issued Log and Pending Requests backup settings are displayed, and then click Finish.

  8. Click Start, click Run, type regedit, and then click OK.

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

  9. Locate and right-click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

  10. Click Export.

  11. Save the registry file in the CA backup folder that you used for the Certification Authority Backup Wizard.

  12. Uninstall the CA from the old server, and then rename the old server or permanently disconnect it from the network.
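The backup procedure above, as a scripted equivalent added here (not part of the original article), run from an elevated PowerShell prompt on the old CA. It uses the built-in certutil and reg.exe commands; the backup path D:\CABackup and the file names templates.txt, CertSvc-Configuration.reg and dbpaths.txt are assumptions.

```powershell
$ErrorActionPreference = 'Stop'
$BackupDir = 'D:\CABackup'   # assumed path; certutil -backup, like the wizard, needs an empty folder
$RegKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
elseif (Get-ChildItem $BackupDir) { throw "$BackupDir must be empty" }

# Back up the private key and CA certificate (written as <CA name>.p12, protected by
# the password) together with the certificate database and its logs (BackupDir\DataBase).
# Native commands do not throw, so check $LASTEXITCODE after each one.
$pw = Read-Host 'Password to protect the CA private key backup'
certutil -p $pw -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed ($LASTEXITCODE)" }
Remove-Variable pw   # the password was passed on the command line; do not keep it around

# Enterprise CA only: record which templates this CA issues. Template definitions
# live in AD DS and are not part of the backup, so this list is what gets re-added
# on the new CA. CAType 0 and 1 are the enterprise root/subordinate CA types.
$caName = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration").Active
$caType = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName").CAType
if ($caType -le 1) {
    certutil -catemplates | Out-File (Join-Path $BackupDir 'templates.txt')
}

# Export the CertSvc configuration subkey into the same folder as the backup.
reg export $RegKey (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed ($LASTEXITCODE)" }

# Record the database paths the restore has to reproduce on the target server.
'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory' |
    ForEach-Object { certutil -getreg "CA\$_" } |
    Out-File (Join-Path $BackupDir 'dbpaths.txt')

Get-ChildItem $BackupDir -Recurse | Select-Object FullName, Length
```

Copy the whole folder to the new server before uninstalling the CA role here; the .p12 inside it is only as safe as the password you chose.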

Before you begin the restore procedure, confirm that the %Systemroot% folder of the target server running Windows Server 2008 matches the %Systemroot% folder of the server from which the backup is taken.

In addition, the location of the CA restore must match the location of the CA backup. For example, if you back up the CA from the D:\Winnt\System32\Certlog folder, you must restore the backup to the D:\Winnt\System32\Certlog folder. After you restore the backup, you can move the CA database files to a different location.

Membership in local Administrators, or equivalent, is the minimum required to complete this procedure. If this is an enterprise CA, membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To restore a CA on a new server from a backup copy

  1. Open Server Manager, and click Active Directory Certificate Services. Click Next two times.

  2. On the Select Role Services page, select the Certification Authority check box, and then click Next.

  3. On the Specify Setup Type page, click either Standalone or Enterprise, and then click Next.

    For more information, see Types of Certification Authorities.

Note

You must have a network connection to a domain controller in order to install an enterprise CA.

  4. On the Specify CA Type page, click the appropriate CA type, and then click Next.

  5. On the Set Up Private Key page, click Use existing private key, click Select a certificate and use its associated private key, and then click Next.

  6. On the Select Existing Certificate page, click Import, type the path of the .P12 file in the backup folder, type the password that you chose in the previous procedure to protect the backup file, and then click OK.

  7. In the Public and Private Key Pair dialog box, verify that Use existing keys is selected.

  8. Click Next two times.

  9. On the Configure Certificate Database page, specify the same location for the certificate database and certificate database log as on the previous CA computer. Click Next.

    For more information, see Certificates Database.

  10. On the Confirm Installation Options page, review all of the configuration settings that you have selected. If you want to accept all of these options, click Install and wait until the setup process has finished.

  11. Open the Services snap-in to stop the Active Directory Certificate Services (AD CS) service.

  12. Locate the registry file that you saved in the backup procedure, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly.

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

  13. Open the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA to open the Certification Authority Restore Wizard.

  14. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes.

  15. Type the backup folder location, and then click Next.

  16. Verify the backup settings. The Issued Log and Pending Requests settings should be displayed.

  17. Click Finish, and then click Yes to restart AD CS when the CA database is restored.

  18. If this is an enterprise CA, restore the certificate templates from AD DS that you recorded in the previous procedure. For more information, see Add a Certificate Template to a Certification Authority.
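The registry import, restore and template steps above, as a scripted equivalent added here (not part of the original article), run from an elevated PowerShell prompt on the new server after the CA role has been installed with the existing .P12 key. It checks the path-match requirement before importing anything; the backup folder D:\CABackup and the file names CertSvc-Configuration.reg and templates.txt are assumptions carried over from the backup script, and the certutil -catemplates output format is assumed from its typical "Name: DisplayName -- ..." lines.

```powershell
$ErrorActionPreference = 'Stop'
$BackupDir = 'D:\CABackup'   # assumed: the backup folder copied from the old server
$RegFile   = Join-Path $BackupDir 'CertSvc-Configuration.reg'
$cfg       = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The restore location must match the backup location. Compare the database paths in
# the exported .reg file with those the new CA was installed with, and stop before
# touching anything if they differ (reg.exe exports as UTF-16, with doubled backslashes).
$regText  = Get-Content -Encoding Unicode $RegFile | Out-String
$caName   = (Get-ItemProperty $cfg).Active          # CA installed by Server Manager
$current  = Get-ItemProperty (Join-Path $cfg $caName)
$mismatch = $false
foreach ($name in 'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory') {
    if ($regText -match ('"' + $name + '"="([^"]+)"')) {
        $old = $Matches[1] -replace '\\\\', '\'
        if ($old -ne $current.$name) {
            Write-Warning "$name differs: backup used '$old', new CA uses '$($current.$name)'"
            $mismatch = $true
        }
    }
}
if ($mismatch) { throw 'Adjust the .reg export to the new paths before importing it' }

$pw = Read-Host 'Password chosen when the CA key was backed up'
net stop certsvc
reg import $RegFile
if ($LASTEXITCODE -ne 0) { throw "reg import failed ($LASTEXITCODE)" }
# Restore the private key, CA certificate and database; -f overwrites the empty
# database that role installation created.
certutil -f -p $pw -restore $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed ($LASTEXITCODE)" }
Remove-Variable pw
net start certsvc

# Enterprise CA only: re-add the templates recorded on the old server. The closing
# "CertUtil: ... completed successfully." line is skipped by the lookahead.
$tplFile = Join-Path $BackupDir 'templates.txt'
if (Test-Path $tplFile) {
    Get-Content $tplFile | ForEach-Object {
        if ($_ -match '^(?!CertUtil)(\S+):') { certutil -setcatemplates "+$($Matches[1])" }
    }
}
```

Run certutil -catemplates afterwards and compare it with templates.txt to confirm every recorded template is issued by the new CA.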

Additional references