In this blog we’re going to learn how to migrate a certificate authority server, a Microsoft certificate authority server to be specific. But before we look at how to migrate a certificate authority from one server to another, let’s first see what a certificate authority server is and why we need it.

A certificate authority can be thought of as a passport authority: it authenticates the identity of a device so that the device can communicate with other devices in a network. Let’s say you visit a website. How can you be sure that you have actually reached the correct website and not a look-alike that a hacker created to impersonate it? Well, that is the job of a certificate authority. It helps in authenticating the identity and credibility of devices so that they can establish communication, and it maintains that identity trust during an ongoing communication.

A Microsoft Certification Authority server is part of the Windows operating system. It is a role that can be enabled on a Microsoft Windows Server. Just like other certificate authority servers, it issues digitally signed certificates and vouches for the identity of the device holding them. A certificate authority server can also manage, renew, and revoke certificates. The following are the key components which come into play in an environment authenticated via a certificate authority server.

  • Digital Certificate – It is used to prove the identity of the device. An example is an SSL/TLS certificate.
  • Certificate Authority – It is the entity that issues, revokes, and renews certificates in an environment.
  • Digital Signature – It is used to verify whether the SSL certificate was issued by a trusted authority.
  • Public Key – It is used to encrypt the data when a user/device sends data.
  • Private Key – It is used by the device to decrypt the data when a user/device receives data.
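The following is an added example, not code from the original post, that shows what "a CA vouches for a certificate" means in practice. It creates a self-signed look-alike certificate (a constructed subject name, CN=lookalike.example.test) in the current user's store and then checks it with the same chain-building logic a Windows client uses. Because no trusted CA signed it, chain building fails and the status reads UntrustedRoot; a certificate issued by a CA whose root the machine trusts would build a chain back to that CA. It requires Windows PowerShell 5.1 or later on Windows and the function name Test-CertificateTrust is my own.

```powershell
# Added example (not from the original post): demonstrates the CA's role in trust by
# validating a certificate chain. The subject name below is a constructed placeholder.
function Test-CertificateTrust {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Also consult the issuing CA's CRL where one is published: a CA that can revoke
    # is part of the trust model, not only one that issues.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot

    $trusted = $chain.Build($Certificate)
    [PSCustomObject]@{
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        Thumbprint = $Certificate.Thumbprint
        Trusted    = $trusted
        # Each ChainStatus entry names why the chain failed (UntrustedRoot, Revoked, NotTimeValid, ...)
        Problems   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        # The issuer chain as Windows built it, leaf first
        Chain      = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# Constructed demo input: a certificate nobody vouches for, like the look-alike site in the text.
$lookalike = New-SelfSignedCertificate -Subject 'CN=lookalike.example.test' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(1)
try {
    $result = Test-CertificateTrust -Certificate $lookalike
    $result | Format-List
    # Trusted is False and Problems contains 'UntrustedRoot' for this self-signed certificate
}
finally {
    # Remove the demo certificate so it does not linger in the user's store
    Remove-Item -Path "Cert:\CurrentUser\My\$($lookalike.Thumbprint)" -Force
}
```

Run the same function against a certificate taken from a real website or an internal server (for example one returned by Get-ChildItem Cert:\LocalMachine\My) and the Chain list will end at the CA that issued it, which is exactly the vouching the post describes.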

To migrate the certification authority role from one server to another, navigate to the source server and open the Certificate Services management console. Right-click the source server and select All Tasks. Select Back up CA on the subsequent menu, as shown in the image below.

After you click the Back up CA option, the backup wizard opens. The backup wizard is very simple. Make sure both checkboxes are selected and click Next. Afterwards, you will be prompted to set a password for this backup. Make a note of it, as you will need it when restoring the certificate authority role on the new server. After setting the password, click Next and then Finish.

Now you need to take a backup of the registry key which contains the configuration of the CA server. Open the Run box and type regedit to open the Registry Editor. Navigate to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_NAME>

Once you locate your CA server under this path, right-click the CA name and select Export to save the registry key.

Now head over to Server Manager, click the Manage option at the top right, select Remove Roles and Features, and select Active Directory Certification Authority under Server Roles in the Remove Roles and Features wizard. Although we have taken a backup of the CA role and exported the registry key, we still highly recommend that you take a backup of the virtual machine using backup software or, if you do not have backup software, that you take at least one snapshot of the VM before removing the role.

Please note that after removing the certification authority role, you will have to restart the server for the change to take effect. So, plan your activity accordingly to ensure minimal disruption of services because of the restart.

Now head over to the new server. Open Server Manager > Manage > Add Roles and Features. Add the Active Directory Certification Authority role on this server. After adding the role, you will see a notification on the flag icon in Server Manager. Click the Configure Active Directory Certificate Services option to configure the CA server.

In the setup wizard, you will be asked to specify the type of private key. Select the option which says Use existing private key > click Select a certificate and use its associated private key > Next > click Import and locate the backup folder where you have the certificate. The extension of the file should be .p7b > enter the password (which you set during the backup of the CA).

After configuring the CA role on the new server, stop the certificate service by running the following command: net stop certsvc (CertSvc is the service name of Active Directory Certificate Services).

Launch the Certificate Services management console on the new server and right-click the CA name > All Tasks > Restore CA. In the restore wizard, locate the backup you took earlier from the source CA server and enter the password. The wizard will ask you to start the certificate service. Start the certificate service and the certificates should be visible in your Certificate Services management console.
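As an added example that is not part of the original post, here is the same migration as a scripted, repeatable procedure, using the built-in certutil tool and the ADCS deployment cmdlets that ship with the role. Backup-SourceCA runs on the old server and does what the Back up CA wizard and the registry export do; Restore-TargetCA runs on the new server and covers the role installation, the "Use existing private key" step, the service stop, the database restore and a verification the console steps do not give you: it compares the CA certificate thumbprint recorded on the source against the certificate the new CA actually presents. The function names are my own; the backup path, the CA name CONTOSO-CA and the password are placeholders to replace. It assumes the key file is the <CA name>.p12 that certutil -backup writes into the backup folder, that both servers are run as a local administrator, and that the CA type matches the original.

```powershell
# Added example, not code from the original post. Placeholders: backup path, CA name, password.

function Backup-SourceCA {
    param(
        [Parameter(Mandatory)][string]$BackupPath,
        [Parameter(Mandatory)][string]$BackupPassword
    )
    # The active CA name is stored next to the per-CA key the post exports
    $config = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $config -Name Active).Active

    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    # Restrict the folder before anything lands in it: the backup contains the CA private key
    icacls $BackupPath /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null

    # Equivalent of Back up CA with both checkboxes selected (key and certificate, database and log)
    certutil -p $BackupPassword -backup $BackupPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

    # Equivalent of right-click > Export on the CA's configuration key
    reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName" "$BackupPath\CAConfig.reg" /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # Record the CA certificate thumbprint so the restore can be verified on the other side
    certutil -ca.cert "$BackupPath\CACert.cer" | Out-Null
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$BackupPath\CACert.cer"
    $cer.Thumbprint | Set-Content "$BackupPath\thumbprint.txt"
    Write-Host "Backed up CA '$caName' (thumbprint $($cer.Thumbprint)) to $BackupPath"
}

function Restore-TargetCA {
    param(
        [Parameter(Mandatory)][string]$BackupPath,      # the folder copied from the source server
        [Parameter(Mandatory)][string]$CAName,
        [Parameter(Mandatory)][string]$BackupPassword,
        [ValidateSet('EnterpriseRootCA','EnterpriseSubordinateCA','StandaloneRootCA','StandaloneSubordinateCA')]
        [string]$CAType = 'EnterpriseRootCA'
    )
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null

    # "Use existing private key" in the wizard: hand the setup cmdlet the key file from the backup
    $secure = ConvertTo-SecureString $BackupPassword -AsPlainText -Force
    Install-AdcsCertificationAuthority -CAType $CAType -CertFile "$BackupPath\$CAName.p12" `
        -CertFilePassword $secure -Force | Out-Null

    # The service must be stopped to restore the database, just as in the console
    Stop-Service certsvc
    certutil -f -p $BackupPassword -restore $BackupPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with exit code $LASTEXITCODE" }
    # CAConfig.reg can be applied here with 'reg import' if CRL/AIA settings must carry over;
    # review the paths it contains for the new server first.
    Start-Service certsvc

    # Verify: the running CA must present the same certificate the source did
    $expected = (Get-Content "$BackupPath\thumbprint.txt").Trim()
    $actual = (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$CAName*" }).Thumbprint
    if ($actual -notcontains $expected) { throw "CA certificate thumbprint mismatch: expected $expected, got $actual" }
    certutil -ping    # confirms the CA's RPC interface answers
    Write-Host "CA '$CAName' restored and running; thumbprint $expected verified."
}

# On the source server:
#   Backup-SourceCA -BackupPath 'C:\CABackup' -BackupPassword 'CHANGE-ME'
# Copy C:\CABackup to the new server, remove the role on the old one
# (Uninstall-WindowsFeature ADCS-Cert-Authority -Restart), then on the new server:
#   Restore-TargetCA -BackupPath 'C:\CABackup' -CAName 'CONTOSO-CA' -BackupPassword 'CHANGE-ME'
```

Once the thumbprint check passes, delete the copied backup folder from both servers or move it to offline storage: together with its password it is the CA's signing key, and anyone holding it can issue certificates your domain trusts.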

To sum it up, these are the high-level steps to migrate the certification authority role from one Windows server to another. If you’re looking for Planning, Designing, Implementation, or PoC professional services for your data center to build a resilient and secure network, reach us at [email protected] or give us a call at +91 9773973971.

Sumit Yadav
Data Center Consulting Engineer
