Migrate ADCS

As a best practice, a PKI should have an offline root certification authority and a subordinate certification authority that issues the certificates. This post shows how to migrate these two servers from Windows Server 2012 R2 to Windows Server 2019.

Migrate Root CA

The root certificate authority is an important server in a public key infrastructure. It is used to sign the certificate of the Subordinate Certification Authority so that the Subordinate CA can in turn issue certificates to servers or workstations. Note that the Root CA is a member of a workgroup and not an AD domain.

Backup Certification Authority

From the root server, open the Server Manager console and click on Tools, then on Certification Authority to open the ADCS console.

Migrate ADCS - Open ADCS Console

Right click on the root CA, then in the context menu select All Tasks, then Back up CA.

A wizard appears; click on Next.

Migrate ADCS - Backup Ca

Select the Private key and CA certificate and the Certificate database and certificate database log options, then specify the destination folder.

Migrate ADCS - Backup log and database

Enter the desired password and click on Next.

Migrate ADCS -  Enter password

Click on Finish to begin the backup.

Backup is now ok

Backup Registry Key

The registry key must be backed up in order to migrate the server. On the root certification authority, open the Registry Editor and navigate to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc.

Migrate ADCS - Backup Registry

Right click on CertSvc then click on Export.

Export registry key

Save the file in the desired folder.

Registry key is exported

Since the source server is not a member of the AD domain, there is no need to remove the ADCS role. Nevertheless, the VM must be switched off; after the migration it will be permanently deleted. Copy the previously created files to the new root CA server and switch off the VM.

Copy file on new Root CA

Configure a new root server

From the Server Manager console, rename the server so that it has the name of the old root certification authority.

Change name and ip address

Click on Add Roles and Features to install the role.

Add ADCS Roles

Check Active Directory Certificate Services and click on Next.

Check Active Directory Certificates Services

Check Certification Authority and Certification Authority Web Enrollment.

Select ADCS Role Services

There is no need to modify the IIS role services. Click Install to proceed with the role installation.

Install ADCS

A new notification appears in the Server Manager console; click on Configure Active Directory Certificate Services.

Configure ADCS

A new wizard appears; click on Next.

A new wizard appear

Check the two options previously installed then click on Next.

Check previously installed options

Check Standalone CA and click on Next.

Select Standalone CA Choice

Select Root CA and click on Next.

Select Root CA

It is very important to select the private key of the former root certification authority. Do not create a new private key. Check Use existing private key, then Select a certificate and use its associated private key.

Select private key

Click on Import to select the certificate.

Import certificate

Click on Browse and select the certificate. The certificate is in the folder that contains the backup; as a reminder, this folder was previously copied to the new root server.

Select Root certificate

Enter the password configured at the time of backup and click on OK.

Enter password of the certificate

The certificate now appears in the list. Select it and click on Next.

The certificate has been selected

Click on Configure to proceed to configuration.

Configure Root Certification authority

Click on Close. The root certification authority has now been configured.

Restore Root Certification Authority

From the Certification Authority console, right click on the Root Certification Authority then click on Restore CA.

Restore CA

A new message appears; click on OK.

Start the service ADCS

A wizard appears; click on Next.

A new Wizard Appear click on Next

Check the Private key and CA certificate and Certificate database and certificate database log options. Using the Browse button, select the folder previously copied to the server.

Check options and select folder

Enter the password configured during the backup of the old root certification authority.

Enter password configured during the backup

Click on Finish. Click on Yes to start Active Directory Certificate Services.

Start the service

The restore completed successfully. You can see the certificates issued before the migration.

Restoration was well done

Right click on the previously exported .reg file and click on Merge.

Merge Registry key

A warning message appears, click on Yes.

Merge Registry key

Click on OK. The registry has been merged.

Migrate Subordinate CA

Before proceeding with the migration of the subordinate certification authority, list the certificate templates it currently issues. After the migration, these templates will have to be added again.

List of available templates in the PKI

Backup Certification Authority

From the Certification Authority console, right click on your subordinate certification authority and click on Back up CA.

Backup Intermediate Certification Authority

A new wizard appears; click on Next.

Wizard appear

Check the Private key and CA certificate option and the Certificate database and certificate database log option. Using the Browse button, select the backup location.

Configure Backup option of the CA

Enter the desired password and click on Next.

Configure password

Click on Finish. The backup is complete.

Backup was done

Backup Registry Key

The registry key must be exported. Open the Registry Editor and navigate to the CertSvc key at HKLM\SYSTEM\CurrentControlSet\Services\CertSvc.

Export Registry key

Right click on CertSvc and click on Export.

Export Registry key

Select the destination folder and enter the name of the Reg File.
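The same backup procedure applies to the root CA (Backup Certification Authority and Backup Registry Key above) and to the subordinate CA just described. The following script is an added example and not part of the original post: it performs both steps with the ADCSAdministration cmdlets and checks that the files the restore wizard will need are present before the old server is switched off. The destination folder C:\CABackup is an assumption.

```powershell
# Added example (not from the original post): back up a CA and its CertSvc registry
# key from the command line, equivalent to the console wizard and regedit steps above.
# Run in an elevated PowerShell session on the CA being migrated.
Import-Module ADCSAdministration

$BackupRoot = 'C:\CABackup'   # assumed destination folder, copied to the new server later
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Password protecting the exported private key; the restore asks for the same one.
$pw = Read-Host -Prompt 'Backup password' -AsSecureString

# Private key + CA certificate + database; -KeepLog keeps the database log files
# instead of truncating them (the "certificate database log" option of the wizard).
Backup-CARoleService -Path $BackupRoot -Password $pw -KeepLog

# Export the CA configuration, the same key the post exports through regedit.
$regFile = Join-Path $BackupRoot 'CertSvc.reg'
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc' $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry export failed (exit code $LASTEXITCODE)" }

# Sanity check before switching the old server off: the restore needs all of these.
# Backup-CARoleService writes <CAName>.p12 (key + certificate) and a DataBase folder.
$p12 = Get-ChildItem -Path $BackupRoot -Filter '*.p12' -ErrorAction SilentlyContinue
if (-not $p12) { throw 'No .p12 file found: private key and CA certificate not exported' }
foreach ($item in @((Join-Path $BackupRoot 'DataBase'), $regFile)) {
    if (-not (Test-Path $item)) { throw "Missing backup item: $item" }
}
Write-Host "Backup complete in $BackupRoot"
Get-ChildItem -Path $BackupRoot -Recurse | Select-Object FullName, Length
```

Keep the backup folder and the password off the old VM before it is deleted; without the password the .p12 file, and therefore the CA private key, cannot be restored.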

Remove ADCS Roles

Before the new server can be configured, the role must first be removed from the old server. From the Server Manager console, click on Manage, then on Remove Roles and Features.

Remove Roles

Expand Active Directory Certificate Services then uncheck Certification Authority Web Enrollment.

Remove Certification Authority Web Enrollment

Click twice on Next and then proceed to remove the role. Click on Close, then repeat the same operations for the Active Directory Certificate Services role.

Uncheck Active Directory Certificate Services

When the roles have been removed, copy the previously generated folder and file to the new server. The old server can be switched off.

Configure Intermediate PKI

Configure a new Subordinate server

The new subordinate server can now be installed. From the Server Manager console, rename the new server so that it has the name of the old server.

Rename the server

From the Server Manager console, click on Add roles and features.

Add roles and features

Check Active Directory Certificate Services then click on Next.

Check Active Directory Certificate Services

In the Role Services window, check Certification Authority Web Enrollment, then click on Next.

Select Certification authority web enrollment

Leave the IIS role services at their defaults and proceed with the installation. A notification appears in the Server Manager console; click on Configure Active Directory Certificate Services.

Configure ADCS Role

Check the Certification Authority and Certification Authority Web Enrollment role services, then click on Next.

Add two roles services

Select Enterprise CA in the Setup Type window.

Select Enterprise CA

Select Subordinate CA then click on Next.

Select Subordinate CA

Under no circumstances should a new private key be created; otherwise all the certificates already issued will be invalid. Select Use existing private key and Select a certificate and use its associated private key. Click on Next.

Configure option to use existing private key

Click on Import to select the certificate previously backed up.

Import the certificate

Click on Browse and select the certificate. Enter the password configured during the backup.

enter password and select certificate

Select the certificate and click on Next.

Select certificate previously generated

Leave the default paths in Certificate Database and proceed with the role configuration.

Configure ADCS role

Restore Subordinate Certification Authority

From the Certification Authority console, right click on the subordinate certification authority and click on All Tasks / Restore CA.

Restore CA

Check Private key and CA certificate, then Certificate database and certificate database log. Using the Browse button, select the folder previously generated during the backup.

Restore Backup

Enter the backup password and click on Next.

Enter password for restore

Click on Finish. The backup has been restored. A window appears; click on Yes to start the service.

Restart service

If you get this error message, you must copy the root CA's certificate and certificate revocation list (the .crt and .crl files) into the CertEnroll folder of the subordinate CA.

Error message

On the root server, rename the .crl and .crt files and copy them into the CertEnroll folder on the subordinate server.

The name of the CRL File

On root CA

On Subordinate CA

You can now start the service.

Service has been started

Right click on the .reg file and click on Merge.

Merge the reg file

Click on Yes, then on OK. Right click on Certificate Templates, then click on New / Certificate Template to Issue.

Add template on console
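The restore, registry merge and service start are the same for the root CA (Restore Root Certification Authority above) and for the subordinate CA just described, the only difference being the root CA files the subordinate needs in CertEnroll. The following script is an added example and not part of the original post: it runs those steps on the new server after the role has been configured with the existing private key, and copies the root CA's .crt and .crl into CertEnroll when a staging folder for them is present. The paths C:\CABackup and C:\CABackup\RootCA are assumptions.

```powershell
# Added example (not from the original post): restore the CA on the new server, merge
# the exported registry key, start the service and check the result.
# Run in an elevated PowerShell session on the new CA.
Import-Module ADCSAdministration

$BackupRoot = 'C:\CABackup'          # assumed: folder copied from the old CA
$RootFiles  = 'C:\CABackup\RootCA'   # assumed: subordinate CA only, renamed root .crt/.crl
$CertEnroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"
$pw = Read-Host -Prompt 'Backup password' -AsSecureString

# Private key + CA certificate + database + log; -Force overwrites the empty database
# created when the role was configured. The service must be stopped during the restore.
Stop-Service certsvc -ErrorAction SilentlyContinue
Restore-CARoleService -Path $BackupRoot -Password $pw -Force

# CA configuration (CRL/AIA URLs, validity periods, ...) from the old server.
reg.exe import (Join-Path $BackupRoot 'CertSvc.reg') | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry import failed (exit code $LASTEXITCODE)" }

# Subordinate CA only: as the post describes, the root CA's certificate and CRL must be
# present in CertEnroll (already renamed on the root server) before the service starts.
if (Test-Path $RootFiles) {
    Get-ChildItem -Path $RootFiles -Include '*.crt', '*.crl' -Recurse |
        Copy-Item -Destination $CertEnroll -Force
}

Start-Service certsvc
if ((Get-Service certsvc).Status -ne 'Running') {
    throw 'certsvc did not start; check the Application event log on this server'
}

# Post-restore checks: the CA answers, and the certificates issued before the
# migration (disposition 20 = issued) are back in the database.
certutil.exe -ping
certutil.exe -view -restrict 'Disposition=20' -out 'RequestID,CommonName,NotAfter' csv |
    Select-Object -First 5
```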

Select the desired template then click on OK.

The server has now been migrated.
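The template inventory taken before the migration (List of available templates above) and the re-publishing step just described can be scripted so that nothing is forgotten. The following is an added example and not part of the original post; the inventory file path C:\CABackup\templates.txt is an assumption, chosen so that it travels with the backup folder.

```powershell
# Added example (not from the original post): record the certificate templates published
# on the subordinate CA before the migration, then re-publish any that are missing.
Import-Module ADCSAdministration

$Inventory = 'C:\CABackup\templates.txt'   # assumed location, kept with the backup folder

function Export-PublishedTemplates {
    # Step 1, on the old subordinate CA: one template name per line.
    Get-CATemplate | Select-Object -ExpandProperty Name | Sort-Object |
        Set-Content -Path $Inventory
    Write-Host "Saved $((Get-Content -Path $Inventory).Count) template names to $Inventory"
}

function Restore-PublishedTemplates {
    # Step 2, on the new subordinate CA after the registry merge: publish what is not yet there.
    $wanted  = Get-Content -Path $Inventory | Where-Object { $_.Trim() }
    $present = Get-CATemplate | Select-Object -ExpandProperty Name
    $missing = $wanted | Where-Object { $present -notcontains $_ }
    if (-not $missing) { Write-Host 'All templates are already published'; return }
    foreach ($name in $missing) {
        try {
            Add-CATemplate -Name $name -Force
            Write-Host "Published template: $name"
        } catch {
            # Typical causes: the template no longer exists in the forest, or the CA
            # computer account lacks Enroll permission on it.
            Write-Warning "Could not publish '$name': $($_.Exception.Message)"
        }
    }
    # Final comparison: anything still missing needs a manual look in the console.
    $still = Get-CATemplate | Select-Object -ExpandProperty Name
    $wanted | Where-Object { $still -notcontains $_ } |
        ForEach-Object { Write-Warning "Still not published: $_" }
}

# Usage: Export-PublishedTemplates on the old server before the migration,
# Restore-PublishedTemplates on the new server after the registry merge.
```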
