Root CA: Migrate From 2008 R2 to 2012 R2
The Root CA is a key component of any organization, so it is critical to keep it up and running all the time. When it comes to migrating a Root CA there is no straightforward step or tool to do it.
The Root CA server is one of the most critical business servers, so we always recommend doing this activity during a full change window with a declared outage of the Root CA. This means no Root CA validations can be done during this time, and no certificate can be issued, renewed or revoked.
The migration is divided into the four steps below:
- Backup Root CA
- Uninstall Root CA and Domain controller
- Install New Root CA server
- Restore the Root CA backup
Do all the activity with a login ID that is a member of the Domain Admins, Enterprise Admins and local Administrators groups.
Backup Root CA
We need to back up the following:
- System State: this backs up your AD and can be done through normal Windows Backup. This is to be on the safe side.
- Certification Authority (CA) database, log, and private key backup:
  Open the Certification Authority MMC.
  In the CA console, right-click your CA in the left pane, select All Tasks from the menu and then select Backup CA.
  In the Certification Authority Backup Wizard, click Next on the welcome screen.
  On the Items to Back Up screen, check Private key and CA certificate and Certificate database and certificate database log.
  Click Browse next to Back up to this location, select an empty folder to store the backup files, and click Next to continue.
  On the Select a Password screen, enter and confirm a password to protect the private key and CA certificate. Click Next to continue.
  Click Finish on the completion screen.
  Now right-click the PowerShell icon on the desktop taskbar and select Run as Administrator from the context menu.
  Type net stop certsvc and press Enter to make sure the CA cannot issue certificates.
- Registry key: export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration to a .reg file.
- Certificate templates: open PowerShell with Run as Administrator and run the command below.
  certutil.exe -catemplates > "c:\Temp\CAbackup\templates.txt"
- CA policy file: if you have a customized CAPolicy.inf, copy it from the %systemroot% directory. The file does not exist if you have never customized it.
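The five backup items above can be collected in one elevated PowerShell run on the 2008 R2 server. The script below is an added example and is not code from the original post; it assumes PowerShell 2.0 or later, that certutil.exe -hashfile accepts SHA256 on this host, and that $BackupRoot (defaulting to the post's C:\Temp\CAbackup) is an empty folder. The certutil -backup call exports the same database, log and private key as the wizard, and it must run while the CA service is still up, which is why the service is stopped only afterwards. The manifest at the end lets you verify the copy on the new server before you restore it.

```powershell
# Added example (not part of the original post): scripted version of the backup
# steps, run elevated on the 2008 R2 Root CA. Assumptions: PowerShell 2.0 or
# later, certutil.exe -hashfile supports SHA256 on this host, and $BackupRoot
# is a folder you have chosen (the post uses C:\Temp\CAbackup).
param(
    [string]$BackupRoot = 'C:\Temp\CAbackup'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path $BackupRoot)) { New-Item -ItemType Directory -Path $BackupRoot | Out-Null }
if (@(Get-ChildItem $BackupRoot -Force).Count -gt 0) {
    throw "Backup folder '$BackupRoot' must be empty so the backup is not mixed with old files."
}

# certutil -backup needs the password in clear text on its command line, so
# prompt for it, convert it once, and throw the plain copy away afterwards.
$secure = Read-Host 'Password to protect the exported CA private key' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

function Invoke-Checked {
    # Run a native command and fail the script on a non-zero exit code.
    param([string]$Description, [scriptblock]$Command)
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Description failed (exit code $LASTEXITCODE)" }
}

# 1. Database, log and private key: the same items the CA backup wizard exports.
#    The CA service must be running for this call, so it runs before the stop below.
Invoke-Checked 'certutil -backup' { & certutil.exe -backup -p $plain "$BackupRoot\CA" }
Remove-Variable plain

# 2. Templates the CA currently publishes (re-added later with certutil -setcatemplates).
Invoke-Checked 'certutil -catemplates' {
    & certutil.exe -catemplates | Out-File "$BackupRoot\templates.txt" -Encoding ascii
}

# 3. CA registry configuration, exported as a .reg file for import on the new server.
Invoke-Checked 'reg export' {
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        "$BackupRoot\CertSvc-Configuration.reg" /y
}

# 4. CAPolicy.inf only exists when it was customized.
$policy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $policy) { Copy-Item $policy $BackupRoot }

# 5. Stop the CA so nothing can be issued between this backup and the uninstall.
Stop-Service certsvc

# 6. Integrity manifest: verify the copy on the new server before restoring it.
$manifest = Join-Path $BackupRoot 'manifest.sha256'
Get-ChildItem $BackupRoot -Recurse |
    Where-Object { -not $_.PSIsContainer -and $_.FullName -ne $manifest } |
    ForEach-Object {
        # certutil prints the hash on its second output line, with spaces between bytes.
        $hash = (& certutil.exe -hashfile $_.FullName SHA256)[1] -replace ' ', ''
        '{0}  {1}' -f $hash, $_.FullName
    } | Out-File $manifest -Encoding ascii

Write-Host "Backup written to $BackupRoot; copy the whole folder, including manifest.sha256, to the new server."
```

The .p12 file that certutil writes under the CA subfolder is the one you later pass to Install-AdcsCertificationAuthority, so keep the password you entered here; the folder should be moved over an authenticated channel and the manifest re-checked on arrival, since that file is the Root CA's private key.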
Uninstall Root CA and Domain controller
- Run the command below in PowerShell, or remove the role from the Server Manager GUI:
  Remove-WindowsFeature Adcs-Cert-Authority
- If it is a domain controller, then uninstall AD and DNS from this server.
- Perform the AD and DNS cleanup for this domain controller.
- Rename the server, change the IP and disjoin the server from the domain.
- Replicate the changes to all the domain controllers in the forest.
The next step should only be followed after replication has succeeded.
Install New Root CA server
- Install Windows 2012 R2.
- Give it the same name as the old Root CA.
- Join the domain.
- Replicate AD. Make sure the computer object is visible in all AD sites, otherwise you may face the issue mentioned here.
- Open PowerShell with Run as Administrator and run the command below.
  Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
- Install the AD DS module from Server Manager.
- Run the following commands in PowerShell:
  Import-Module ActiveDirectory
  Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile "C:\temp\filename.p12" -CertFilePassword (Read-Host "Set user password" -AsSecureString)
  Type the password for the file when prompted, then confirm it.
Make sure you see no error, as mentioned here.
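Two of the steps above are gated on replication: the old server's removal must have replicated before the new server is built, and the new computer object must be visible everywhere before Install-AdcsCertificationAuthority is run. The script below is an added example, not code from the original post, that turns the second check into something you can run on the new 2012 R2 server. It assumes the ActiveDirectory RSAT module is installed (the previous step does that) and that repadmin.exe is present, which it is once the AD DS tools are installed. It queries every domain controller in the CA's domain directly rather than trusting a single DC's view.

```powershell
# Added example (not part of the original post): pre-flight check before
# Install-AdcsCertificationAuthority. Confirms that the new server's computer
# object has replicated to every domain controller in the CA's domain and prints
# the forest replication summary. Assumes the ActiveDirectory RSAT module and
# repadmin.exe (AD DS tools) are installed, and that the new server reuses the
# old Root CA's host name, as the post requires.
Import-Module ActiveDirectory

$caHost = $env:COMPUTERNAME

function Test-ComputerObjectReplicated {
    # Ask each DC individually whether it already holds the computer object.
    param([string]$Name)
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $found = $false
        $dn    = ''
        try {
            $obj   = Get-ADComputer -Identity $Name -Server $dc.HostName -ErrorAction Stop
            $found = $true
            $dn    = $obj.DistinguishedName
        } catch {
            # Not found on this DC yet: replication has not reached it.
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            Found            = $found
            ObjectDn         = $dn
        }
    }
}

$report = @(Test-ComputerObjectReplicated -Name $caHost)
$report | Format-Table -AutoSize

# Replication health for the whole forest; failures here explain any "False" rows above.
& repadmin.exe /replsummary

$missing = @($report | Where-Object { -not $_.Found })
if ($missing.Count -gt 0) {
    $list = ($missing | ForEach-Object { $_.DomainController }) -join ', '
    throw "Computer object '$caHost' is not yet visible on: $list. Wait for replication (or trigger it with repadmin /syncall) before installing the CA."
}
Write-Host "Computer object '$caHost' is visible on all $($report.Count) domain controllers; safe to continue."
```

Run it as the same Domain Admins / Enterprise Admins account used for the rest of the procedure; a DC that is unreachable will show as not found, which is the right outcome, since you cannot know what that DC holds until it answers.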
Restore the Root CA backup
Copy all the backup files to this server.
- Restore database:
  Open Certification Authority.
  In the CA console, right-click your new CA in the left pane, select All Tasks from the menu and then Restore CA.
  If you are prompted to stop the Active Directory Certificate Services service, click OK to continue.
  In the Certification Authority Restore Wizard, click Next on the welcome screen.
  On the Items to Restore screen, check Private key and CA certificate and Certificate database and certificate database log.
  Click Browse and select the location you copied the backup to: choose the folder one level above the one containing the backup files, click OK in the Browse for Folder window and then Next to continue in the wizard.
  On the Provide a Password screen, enter the password given when taking the backup to protect the private key and CA certificate. Click Next to continue.
  Click Finish on the completion screen.
  You should now be prompted to restart the AD CS service. Click Yes to confirm the operation.
- Registry restore:
  Stop the AD CS service either from services.msc or by running the command
  net stop certsvc
  Back up the current registry configuration at
  HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
  Double-click the copied registry file. When prompted, click Yes to update the registry.
- Restore templates:
  In PowerShell, run the command below. It adds the DirectoryEmailReplication template from AD to the list of CA templates if it is not already there. You can get the list of templates by opening the templates text file saved as part of the backup procedure.
  certutil -setcatemplates +DirectoryEmailReplication
- Restore policy INF:
  If you had a customized CAPolicy.inf, copy it to the %systemroot% directory.
- Restore permissions:
  Open Active Directory Sites and Services.
  On the View menu, click Show Services Node.
  In the console tree, expand Services, expand Public Key Services, and then click AIA.
  In the details pane, right-click the name of the CA, and then click Properties.
  Click the Security tab, and then click Add.
  Click Object Types, click Computers, and then click OK.
  Type the name of the CA, and click OK.
  In the Allow column, click Full Control, and click Apply.
  The previous CA computer object is displayed (as Account Unknown with a security identifier following it) in Group or user names. You can remove that account. To do so, select it and then click Remove. Click OK.
  In the console tree, expand CDP, and then click the folder with the same name as the CA.
  In the details pane, right-click the cRLDistributionPoint item at the top of the list, and then click Properties.
  Click the Security tab, and then click Add.
  Click Object Types, click Computers, and then click OK.
  Type the name of the destination server, and click OK.
  In the Allow column, click Full Control, and click Apply.
  The previous CA computer object is displayed (as Account Unknown with a security identifier following it) in Group or user names. You can remove that account. To do so, select it and then click Remove. Click OK.
  Start the AD CS service from services.msc or by running the following command in PowerShell:
  net start certsvc
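Once the service is back, it is worth confirming that the restored CA really is the old one and that the permission clean-up above took effect, rather than trusting that the wizards ran cleanly. The script below is an added example and is not code from the original post. It assumes the copied backup folder is C:\Temp\CAbackup (the post's path) and contains the .p12 written by the backup wizard and the templates.txt file from the backup step, that the ActiveDirectory RSAT module is installed, and that the host name and CA name are those of the old server. It compares the backed-up key pair's thumbprint with the hash the restored CA is configured to use, checks that certsvc answers, verifies the new computer account holds Full Control on the AIA and CDP objects with no orphaned SID (the "Account Unknown" entries) left behind, and checks that every template from the backup is published again.

```powershell
# Added example (not part of the original post): post-restore verification on the
# new 2012 R2 Root CA. Assumptions: the backup folder copied from the old server
# is C:\Temp\CAbackup (path assumed) and holds the wizard's .p12 plus the
# templates.txt from the backup step; the ActiveDirectory RSAT module is
# installed; the shell is elevated; host name and CA name match the old server.
Import-Module ActiveDirectory

$BackupRoot = 'C:\Temp\CAbackup'
$regBase    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName     = (Get-ItemProperty $regBase).Active                      # CA common name
$hostName   = $env:COMPUTERNAME
$configNC   = (Get-ADRootDSE).configurationNamingContext
$caAccount  = '{0}\{1}$' -f (Get-ADDomain).NetBIOSName, $hostName     # DOMAIN\HOST$
$results    = @()

# 1. The key pair in the backup must be the one the restored CA is configured to use.
$p12 = Get-ChildItem $BackupRoot -Recurse -Filter '*.p12' | Select-Object -First 1
$backupCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$backupCert.Import($p12.FullName, (Read-Host 'Backup file password' -AsSecureString), 'DefaultKeySet')
# CACertHash is a multi-string of "xx xx xx ..." values (one per CA certificate).
$configuredHashes = @((Get-ItemProperty "$regBase\$caName").CACertHash) | ForEach-Object { $_ -replace ' ', '' }
$stored = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $backupCert.Thumbprint })
$results += [pscustomobject]@{
    Check = 'CA configured with the backed-up certificate and its private key'
    Pass  = ($configuredHashes -contains $backupCert.Thumbprint) -and ($stored.Count -gt 0) -and $stored[0].HasPrivateKey
}

# 2. The service must be running and answering RPC requests.
& certutil.exe -ping | Out-Null
$results += [pscustomobject]@{
    Check = 'certsvc running and answering certutil -ping'
    Pass  = ((Get-Service certsvc).Status -eq 'Running') -and ($LASTEXITCODE -eq 0)
}

# 3. AIA and CDP objects: new computer account has Full Control, no orphaned SIDs remain.
function Test-PkiObjectAcl {
    param([string]$Dn, [string]$Principal)
    $acl  = Get-Acl -Path "AD:\$Dn"
    $full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $hasFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $full) -eq $full)
    }
    # An ACE whose trustee cannot be resolved keeps its raw SID: that is "Account Unknown".
    $orphans = $acl.Access | Where-Object { $_.IdentityReference.Value -match '^S-1-5-' }
    [pscustomobject]@{
        Object         = $Dn
        HasFullControl = [bool]$hasFull
        OrphanedSids   = @($orphans | ForEach-Object { $_.IdentityReference.Value })
    }
}
$pkiObjects = @(
    "CN=$caName,CN=AIA,CN=Public Key Services,CN=Services,$configNC",
    "CN=$caName,CN=$hostName,CN=CDP,CN=Public Key Services,CN=Services,$configNC"
)
foreach ($dn in $pkiObjects) {
    $r = Test-PkiObjectAcl -Dn $dn -Principal $caAccount
    $results += [pscustomobject]@{ Check = "Full Control for $caAccount on $dn"; Pass = $r.HasFullControl }
    $results += [pscustomobject]@{ Check = "No orphaned SIDs on $dn"; Pass = ($r.OrphanedSids.Count -eq 0) }
}

# 4. Every template listed in the backup must be published by the restored CA.
$tplRegex = '^([^:\s]+):'
function Get-TemplateNames([string[]]$Lines) {
    # certutil -catemplates prints "Name: Display Name -- ..." per template plus a trailer line.
    $Lines | ForEach-Object { if ($_ -match $tplRegex -and $matches[1] -ne 'CertUtil') { $matches[1] } }
}
$wanted  = @(Get-TemplateNames (Get-Content "$BackupRoot\templates.txt"))
$have    = @(Get-TemplateNames (& certutil.exe -catemplates))
$missing = @($wanted | Where-Object { $have -notcontains $_ })
$results += [pscustomobject]@{ Check = 'All templates from the backup are published'; Pass = ($missing.Count -eq 0) }

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'At least one check failed; do not declare the Root CA outage over until it passes.'
}
```

A thumbprint mismatch in check 1 means the restore wizard or Install-AdcsCertificationAuthority was pointed at the wrong .p12, and certificates chained to the old root will not validate against this CA; a leftover orphaned SID in check 3 is harmless in itself but is exactly the stale entry the post tells you to remove, and the check makes sure it was.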
Reference: https://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx#BKMK_GrantPermsAIA
Microsoft MVP | Exchange Server
Team@MSExchangeGuru
Finish the restore process by making sure that you restart the AD CS service, by typing net start certsvc and pressing Enter at an elevated command prompt.
January 25th, 2016 at 1:08 am
So You kept the same CA name, but different servername? Did You use any other adcs services (web enrollment,non domain join certs etc)?
January 28th, 2016 at 2:07 am
No, I kept both the same.
September 13th, 2016 at 12:23 pm
You said you kept the name of the servers the same. Is this a requirement for the existing certificates to work?
September 16th, 2016 at 2:36 am
Yes.
March 30th, 2017 at 10:29 am
Hi Prabhat and thanks for the guide.
Did you mean the name of the CA, or do you mean the same computer name?
Best Regards, Sebastian
April 21st, 2017 at 5:39 pm
Both the names are the same, isn't it?