ADCS Migration Windows Certification Authority

12 April 2020, by Rached Chader

Migrating a Windows certification authority to a server with another name

On the ‘Source’ server, open the certificate services management console.

Right-click the CA name => All Tasks => Back up CA.

The backup wizard opens. Check both options.

Select a backup location => Next.

Set a password => Next => Finish.

We now need to back up the registry key that contains the configuration of this CA server. Run ‘regedit’.

Export a copy of this registry key, which is found at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{Name of your CA}

We must now uninstall the CA service from this server.

Go to Server Manager => Manage => Remove Roles and Features => Next.

Remove all CA role services first!

Run the wizard again and select “Active Directory Certificate Services” => In the pop-up window, select “Remove Features” => Next.

Install the certificate service on the new server

On the new server, go to Server Manager => Add Roles and Features => Next.

Select “Active Directory Certificate Services” => Add Features => Next.

Next => Close.

 

Configure the certificate service on the new server

Next => Enterprise Certification Authority => Root Certification Authority => Next.

Select ‘Use existing private key’ => Select ‘Select a certificate and use its associated private key’ => Next

Import => Browse => In your backup folder locate the certificate => Enter the password => OK => Select the certificate => Next.

Leave everything else at its default.

Once the installation is finished, stop the certificate services.

From a command prompt in administrator mode, type: net stop certsvc

If your new server has a different host name / FQDN, open the registry file you exported above with Notepad, locate the CAServerName entry and replace its value with the name of the NEW server.

Right-click the registry backup => Merge => Yes => OK.

Launch the certificate services management console => Right-click the name of the certification authority => All Tasks => Restore CA.

The restore wizard starts => Next => Navigate to the folder with your backup => Next => Enter the password you used => Next => Finish.

Once complete, you will be prompted to start the Certificate Services service => Yes.

Your CA has been migrated. Request a certificate to check that everything works.
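
The CAServerName edit described above (done in Notepad before the Merge step) can also be scripted. The PowerShell below is an added example, not part of the original article: the function name Update-CAServerName, its parameters, the host names and the sample .reg content are assumptions made for illustration. Besides rewriting CAServerName, it lists any other values in the export that still mention the old host name so they can be reviewed by hand.

```powershell
# Added example, not the article's code. Parameter names and sample data are assumptions.
function Update-CAServerName {
    param(
        [Parameter(Mandatory)] [string] $RegFile,   # exported CA configuration key
        [Parameter(Mandatory)] [string] $NewFqdn    # FQDN of the new CA server
    )
    # regedit writes "Version 5.00" exports as UTF-16 LE; read and write in that encoding.
    $lines = Get-Content -LiteralPath $RegFile -Encoding Unicode
    $old = $null
    $updated = foreach ($line in $lines) {
        if ($line -match '^"CAServerName"="(?<old>[^"]+)"\s*$') {
            $old = $Matches['old']
            '"CAServerName"="{0}"' -f $NewFqdn
        } else {
            $line
        }
    }
    if ($null -eq $old) { throw "CAServerName not found in $RegFile" }

    # Keep the untouched export beside the edited copy.
    Copy-Item -LiteralPath $RegFile -Destination "$RegFile.orig" -Force
    Set-Content -LiteralPath $RegFile -Value $updated -Encoding Unicode

    # List other values that still mention the old host name for manual review.
    $oldHost = ($old -split '\.')[0]
    $leftovers = @($updated | Where-Object {
        $_ -notmatch '^"CAServerName"=' -and
        $_.IndexOf($oldHost, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })
    [pscustomobject]@{ OldName = $old; NewName = $NewFqdn; StillReferencesOld = $leftovers }
}

# Constructed sample export (not a real CA) so the function can be tried offline.
$sample = Join-Path $env:TEMP 'ca-config-sample.reg'
@'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Example-CA]
"CAServerName"="oldca.example.test"
"ExampleUrlValue"="http://oldca.example.test/CertEnroll/Example-CA.crl"
'@ | Set-Content -LiteralPath $sample -Encoding Unicode

Update-CAServerName -RegFile $sample -NewFqdn 'newca.example.test' | Format-List
```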
