http://support.microsoft.com/kb/298138
This article describes how to move a certification authority (CA) to a different server.
Certification authorities (CAs) are the central component of the public key infrastructure (PKI) of an
organization. The CAs are configured to exist for many years or decades, during which time the hardware
Notes
• To move a CA from a server that is running Windows 2000 Server to a server that is
running Windows Server 2003, you must first upgrade the CA server that is running Windows
2000 Server to Windows Server 2003. Then you can follow the steps that are outlined in this
article.
• Make sure that the %Systemroot% of the target server matches the %Systemroot% of the
You must change the path of the CA files when you install the CA server components so that
they match the location of the backup. For example, if you back up from the
C:\Winnt\System32\Certlog folder. After you restore the backup, you can move the CA database
If you try to restore the backup, and the %Systemroot% of the backup and the target server do
Restore of an incremental image cannot be performed before you perform restore from a full
Important This section, method, or task contains steps that tell you how to modify the registry.
However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you
follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can
restore the registry if a problem occurs. For more information about how to back up and restore the
registry, click the following article number to view the article in the Microsoft Knowledge Base:
1. Note the certificate templates that are configured in the Certificate Templates folder in the
Certification Authority snap-in. The Certificate Templates settings are stored in Active Directory.
They are not automatically backed up. You must manually configure the Certificate Templates
Note The Certificate Templates folder exists only on an enterprise CA. Stand-alone CAs do not
use certificate templates. Therefore, this step does not apply to a stand-alone CA.
2. Use the Certification Authority snap-in to back up the CA database and private key. To do
a. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then
d. Use an empty folder as the backup location. Make sure that the backup folder can be
e. Click Next. If the specified backup folder does not exist, the Certification Authority
f. Type and then confirm a password for the CA private key backup file.
g. Click Next, and then verify the backup settings. The following settings should be
displayed:
h. Click Finish.
3. Save the registry settings for this CA. To do this, follow these steps:
a. Click Start, click Run, type regedit in the Open box, and then click OK.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
c. Click Export.
d. Save the registry file in the CA backup folder that you defined in step 2d.
2. Remove Certificate Services from the old server.
4. Install Certificate Services on the new server. To do this, follow these steps.
Note The new server must have the same computer name as the old server.
d. Click Use custom settings to generate the key pair and CA certificate, and then
click Next.
e. Click Import, type the path of the .P12 file in the backup folder, type the password that
f. In the Public and Private Key Pair dialog box, verify that Use existing keys is
checked.
h. Accept the Certificate Database Settings default settings, click Next, and then click
3. Locate the registry file that you saved in step 3, and then double-click it to import the
registry settings. If the path that is shown in the registry export from the old CA differs from the
new path, you must adjust your registry export accordingly. By default, the new path is
4. Use the Certification Authority snap-in to restore the CA database. To do this, follow these
steps:
a. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then
e. Verify the backup settings. The Issued Log and Pending Requests settings should be
displayed.
f. Click Finish, and then click Yes to restart Certificate Services when the CA database is
restored.
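An added example, not part of the Microsoft article: a Python check to run on the saved registry file before importing it, listing the CA database path values that differ from the folder chosen on the new server. The sample export, the CA name and the folder passed in by the caller are constructed for illustration; the four `DB*Directory` value names are the ones Certificate Services keeps under the Configuration key.

```python
import re

# Constructed sample of a CertSvc\Configuration export taken on an old CA whose
# %Systemroot% was C:\Winnt. "Example CA" is a placeholder name.
# A real regedit export is UTF-16: open(path, encoding="utf-16").read()
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]
"Active"="Example CA"
"DBDirectory"="C:\\Winnt\\System32\\Certlog"
"DBLogDirectory"="C:\\Winnt\\System32\\Certlog"
"DBSystemDirectory"="C:\\Winnt\\System32\\Certlog"
"DBTempDirectory"="C:\\Winnt\\System32\\Certlog"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Example CA]
"CommonName"="Example CA"
'''

DB_VALUES = ("DBDirectory", "DBLogDirectory", "DBSystemDirectory", "DBTempDirectory")
# "name"="value" lines; backslashes and quotes inside are backslash-escaped.
STRING_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {key path: {value name: string}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := STRING_LINE.match(line)):
            # Undo .reg escaping: \\ becomes \ and \" becomes "
            name, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = value
    return keys

def path_mismatches(reg_text, new_db_dir):
    """List (value name, exported path) for CA database paths that differ from new_db_dir."""
    def norm(path):
        # Windows paths are case-insensitive; ignore a trailing backslash.
        return path.rstrip("\\").lower()
    found = []
    for values in parse_reg(reg_text).values():
        for name in DB_VALUES:
            if name in values and norm(values[name]) != norm(new_db_dir):
                found.append((name, values[name]))
    return found
```

Any entry returned is a value to adjust in the export before it is imported on the new server.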
Important This section, method, or task contains steps that tell you how to modify the registry.
However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you
follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can
restore the registry if a problem occurs. For more information about how to back up and restore the
registry, click the following article number to view the article in the Microsoft Knowledge Base:
1. Note the certificate templates that are configured in the Certificate Templates folder in the
Certification Authority snap-in. The Certificate Templates settings are stored in Active Directory.
They are not automatically backed up. You must manually configure the Certificate Templates
Note The Certificate Templates folder exists only on an enterprise CA. Stand-alone CAs do not
use certificate templates. Therefore, this step does not apply to a stand-alone CA.
2. Use the Certification Authority snap-in to back up the CA database and private key. To do
a. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then
d. Use an empty folder as the backup location. Make sure that the backup folder can be
e. Click Next. If the specified backup folder does not exist, the Certification Authority
f. Type and then confirm a password for the CA private key backup file.
g. Click Next two times, and then verify the backup settings. The following settings should
be displayed:
3. Save the registry settings for this CA. To do this, follow these steps:
a. Click Start, click Run, type regedit in the Open box, and then click OK.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
c. Click Configuration, and then click Export Registry File on the Registry menu.
d. Save the registry file in the CA backup folder that you defined in step 2d.
4. Install Certificate Services on the new server. To do this, follow these steps.
Note The new server must have the same computer name as the old server.
c. In the Certification Authority Type dialog box, click the appropriate CA type.
e. In the Public and Private Key Pair dialog box, click Use existing keys, and then
click Import.
f. Type the path of the .P12 file in the backup folder, type the password that you chose in
h. Accept the Data Storage Location default settings, click Next, and then click Finish to
3. Locate the registry file that you saved in step 3, and then double-click it to import the
registry settings.
4. Use the Certification Authority snap-in to restore the CA database. To do this, follow these
steps:
a. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA.
queue.
Issued Log
Pending Requests
e. Click Finish, and then click Yes to restart Certificate Services when the CA database is restored.
MORE INFORMATION
For more information about upgrade and migration scenarios for Windows Server 2003 and Windows Server
2008, see the "Active Directory Certificate Services Upgrade and Migration Guide" white paper. To download
the white paper, visit the following Microsoft Download Center Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c70bd7cd-9f03-484b-8c4b-279bc29a3413&displaylang=en
APPLIES TO