
How to move a certification authority to another server

http://support.microsoft.com/kb/298138

This article describes how to move a certification authority (CA) to a different server.

Certification authorities (CAs) are the central component of the public key infrastructure (PKI) of an organization. The CAs are configured to exist for many years or decades, during which time the hardware that hosts the CA is probably upgraded.

Notes

• To move a CA from a server that is running Windows 2000 Server to a server that is running Windows Server 2003, you must first upgrade the CA server that is running Windows 2000 Server to Windows Server 2003. Then you can follow the steps that are outlined in this article.

• Make sure that the %Systemroot% of the target server matches the %Systemroot% of the server from which the system state backup is taken.

  You must change the path of the CA files when you install the CA server components so that they match the location of the backup. For example, if you back up from the D:\Winnt\System32\Certlog folder, you must restore the backup to the D:\Winnt\System32\Certlog folder. You cannot restore the backup to the C:\Winnt\System32\Certlog folder. After you restore the backup, you can move the CA database files to the default location.

  If you try to restore the backup, and the %Systemroot% of the backup and the target server do not match, you may receive the following error message:

  Restore of an incremental image cannot be performed before you perform restore from a full image. The directory name is invalid. 0x8007010b (WIN32/HTTP:267)


Back up and restore the certification authority keys and database

Windows Server 2003

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

1. Note the certificate templates that are configured in the Certificate Templates folder in the Certification Authority snap-in. The Certificate Templates settings are stored in Active Directory. They are not automatically backed up. You must manually configure the Certificate Templates settings on the new CA to maintain the same set of templates.

   Note: The Certificate Templates folder exists only on an enterprise CA. Stand-alone CAs do not use certificate templates. Therefore, this step does not apply to a stand-alone CA.

2. Use the Certification Authority snap-in to back up the CA database and private key. To do this, follow these steps:
   a. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.
   b. Click Next, and then click Private key and CA certificate.
   c. Click Certificate database and certificate database log.
   d. Use an empty folder as the backup location. Make sure that the backup folder can be accessed by the new server.
   e. Click Next. If the specified backup folder does not exist, the Certification Authority Backup Wizard creates it.
   f. Type and then confirm a password for the CA private key backup file.
   g. Click Next, and then verify the backup settings. The following settings should be displayed:
      • Private Key and CA Certificate
      • Issued Log and Pending Requests
   h. Click Finish.

3. Save the registry settings for this CA. To do this, follow these steps:
   a. Click Start, click Run, type regedit in the Open box, and then click OK.
   b. Locate and then right-click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
   c. Click Export.
   d. Save the registry file in the CA backup folder that you defined in step 2d.

4. Remove Certificate Services from the old server.

5. Rename the old server, or permanently disconnect it from the network.

6. Install Certificate Services on the new server. To do this, follow these steps:

   Note: The new server must have the same computer name as the old server.

   a. In Control Panel, double-click Add or Remove Programs.
   b. Click Add/Remove Windows Components, click Certificate Services in the Windows Components Wizard, and then click Next.
   c. In the CA Type dialog box, click the appropriate CA type.
   d. Click Use custom settings to generate the key pair and CA certificate, and then click Next.
   e. Click Import, type the path of the .P12 file in the backup folder, type the password that you chose in step 2f, and then click OK.
   f. In the Public and Private Key Pair dialog box, verify that Use existing keys is checked.
   g. Click Next two times.
   h. Accept the Certificate Database Settings default settings, click Next, and then click Finish to complete the Certificate Services installation.

7. Stop the Certificate Services service.

8. Locate the registry file that you saved in step 3, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly. By default, the new path is C:\Windows in Windows Server 2003.

9. Use the Certification Authority snap-in to restore the CA database. To do this, follow these steps:
   a. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA. The Certification Authority Restore Wizard starts.
   b. Click Next, and then click Private key and CA certificate.
   c. Click Certificate database and certificate database log.
   d. Type the backup folder location, and then click Next.
   e. Verify the backup settings. The Issued Log and Pending Requests settings should be displayed.
   f. Click Finish, and then click Yes to restart Certificate Services when the CA database is restored.

10. In the Certification Authority snap-in, manually add or remove certificate templates to duplicate the Certificate Templates settings that you noted in step 1.
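The %Systemroot% caveat in the Notes and the path adjustment in step 8 both come down to the paths stored as string values in the exported CertSvc\Configuration key. The following Python script is added here as an illustration and is not part of the Microsoft article: it re-roots every REG_SZ value in a regedit "Version 5.00" export from the old %Systemroot% to the new one and reports how many values it changed, so the edited .reg file can be reviewed before it is imported. The sample export excerpt, the CA name and the value names in it are constructed for illustration; REG_EXPAND_SZ values (hex(2) lines) are only counted for manual review, not rewritten.

```python
import re

# Regedit "Version 5.00" exports write REG_SZ values as  "Name"="value"  with every
# backslash and double quote escaped as \\ and \".  REG_EXPAND_SZ values appear as
# hex(2):... byte lists and are deliberately left untouched by this script.
_SZ_LINE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=("(?:[^"\\]|\\.)*")\s*$')

def _unescape(quoted):
    return re.sub(r'\\(.)', r'\1', quoted[1:-1])

def _escape(raw):
    return '"' + raw.replace('\\', '\\\\').replace('"', '\\"') + '"'

def rewrite_reg_paths(reg_text, old_root, new_root):
    """Return (rewritten_text, values_changed, hex2_lines_to_review).
    REG_SZ values starting with old_root (case-insensitive, as Windows paths
    are) are re-rooted to new_root; every other line passes through unchanged."""
    old_root, new_root = old_root.rstrip('\\'), new_root.rstrip('\\')
    out, changed, review = [], 0, 0
    for line in reg_text.splitlines():
        m = _SZ_LINE.match(line)
        if m:
            value = _unescape(m.group(2))
            head, tail = value[:len(old_root)], value[len(old_root):]
            # Whole-component match only: D:\Winnt must not match D:\WinntOld.
            if head.lower() == old_root.lower() and tail[:1] in ('', '\\'):
                line = m.group(1) + '=' + _escape(new_root + tail)
                changed += 1
        elif '=hex(2):' in line:
            review += 1          # REG_EXPAND_SZ: check by hand before importing
        out.append(line)
    return '\r\n'.join(out) + '\r\n', changed, review

def rewrite_reg_file(src, dst, old_root, new_root):
    """Regedit exports are UTF-16 with a BOM; write the result the same way."""
    with open(src, encoding='utf-16') as f:
        text, changed, review = rewrite_reg_paths(f.read(), old_root, new_root)
    with open(dst, 'w', encoding='utf-16', newline='') as f:
        f.write(text)
    return changed, review

# Constructed excerpt of a CertSvc\Configuration export taken on a CA whose
# %Systemroot% was D:\Winnt (value names follow the shape of a real export).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]
"Active"="Contoso Issuing CA"
"DBDirectory"="D:\\Winnt\\System32\\Certlog"
"DBLogDirectory"="D:\\Winnt\\System32\\Certlog"
"ConfigurationDirectory"="\\\\contoso-ca\\CertConfig"
'''
```

Running `rewrite_reg_paths(SAMPLE_REG, r'D:\Winnt', r'C:\Windows')` re-roots the two Certlog values and leaves the UNC path and CA name alone; `rewrite_reg_file` does the same for a saved export and returns the counts so a non-zero hex(2) count is not overlooked.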

Windows 2000 Server

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

1. Note the certificate templates that are configured in the Certificate Templates folder in the Certification Authority snap-in. The Certificate Templates settings are stored in Active Directory. They are not automatically backed up. You must manually configure the Certificate Templates settings on the new CA to maintain the same set of templates.

   Note: The Certificate Templates folder exists only on an enterprise CA. Stand-alone CAs do not use certificate templates. Therefore, this step does not apply to a stand-alone CA.

2. Use the Certification Authority snap-in to back up the CA database and private key. To do this, follow these steps:
   a. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.
   b. Click Next, and then click Private key and CA certificate.
   c. Click Issued certificate log and pending certificate request queue.
   d. Use an empty folder as the backup location. Make sure that the backup folder can be accessed by the new server.
   e. Click Next. If the specified backup folder does not exist, the Certification Authority Backup Wizard creates it.
   f. Type and then confirm a password for the CA private key backup file.
   g. Click Next two times, and then verify the backup settings. The following settings should be displayed:
      • Private Key and CA Certificate
      • Issued Log and Pending Requests
   h. Click Finish.

3. Save the registry settings for this CA. To do this, follow these steps:
   a. Click Start, click Run, type regedit in the Open box, and then click OK.
   b. Locate and then right-click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
   c. Click Configuration, and then click Export Registry File on the Registry menu.
   d. Save the registry file in the CA backup folder that you defined in step 2d.

4. Remove Certificate Services from the old server.

5. Rename the old server, or permanently disconnect it from the network.

6. Install Certificate Services on the new server. To do this, follow these steps:

   Note: The new server must have the same computer name as the old server.

   a. In Control Panel, double-click Add/Remove Programs.
   b. Click Add/Remove Windows Components, click Certificate Services in the Windows Components Wizard, and then click Next.
   c. In the Certification Authority Type dialog box, click the appropriate CA type.
   d. Click Advanced Options, and then click Next.
   e. In the Public and Private Key Pair dialog box, click Use existing keys, and then click Import.
   f. Type the path of the .P12 file in the backup folder, type the password that you chose in step 2f, and then click OK.
   g. Click Next, type a CA description if appropriate, and then click Next.
   h. Accept the Data Storage Location default settings, click Next, and then click Finish to complete the Certificate Services installation.

7. Stop the Certificate Services service.

8. Locate the registry file that you saved in step 3, and then double-click it to import the registry settings.

9. Use the Certification Authority snap-in to restore the CA database. To do this, follow these steps:
   a. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA. The Certification Authority Restore Wizard starts.
   b. Click Next, and then click Issued certificate log and pending certificate request queue.
   c. Type the backup folder location, and then click Next.
   d. Verify the backup settings. The following settings should be displayed:
      • Issued Log
      • Pending Requests
   e. Click Finish, and then click Yes to restart Certificate Services when the CA database is restored.

10. In the Certification Authority snap-in, manually add or remove certificate templates to duplicate the Certificate Templates settings that you noted in step 1.


MORE INFORMATION

For more information about upgrade and migration scenarios for Windows Server 2003 and Windows Server 2008, see the "Active Directory Certificate Services Upgrade and Migration Guide" white paper. To download the white paper, visit the following Microsoft Download Center Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c70bd7cd-9f03-484b-8c4b-279bc29a3413&displaylang=en


APPLIES TO

• Microsoft Windows Server 2003, Enterprise x64 Edition
• Microsoft Windows Server 2003, Standard x64 Edition
• Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
• Microsoft Windows Server 2003, Standard Edition (32-bit x86)
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Server
