Often a certification authority lives significantly longer than the server on which it was installed. Reasons for migrating the certification authority to a new server, i.e. while retaining the data, can be:
- Defect or end of life of the server hardware
- End of life of the server operating system
- Change of the server name
The procedure for migration is described in detail below.
Basics
The migration of a certification authority consists of the following steps:
- Preparation of the new server
- Installation of the certification authority certificates (including private key) on the new server
- Put the certification authority on the old server into maintenance mode
- Publish new certificate revocation lists
- Emergency signing of the newly published certificate revocation lists
- Create a backup of the certification authority on the old server
- Decommission the old server
- Restore the previously created backup of the certification authority to the new server
- Perform function test
- Take the certification authority out of maintenance mode
The individual steps are described in more detail later in the article.
Requirements
If the certificate authority is designed prudently, there is no binding to the computer name of the server on which it was installed. Thus, the new server can be given a new computer name without any problems. This variant also has the advantage that the new server can be prepared in advance, which significantly shortens the window of time when the certification authority is not available.
However, even if the certification authority is bound to the computer name, for example by an AIA or CDP path that points to the server name, the server name can still be changed.
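As an added check, not part of the original article: the following PowerShell reads the certification authority's registry configuration on the current server and lists the values that reference its computer name, so the binding described above can be judged before the migration starts (the %1 token in CDP/AIA templates expands to the server DNS name). The function name is an assumption; it must be run elevated on the CA server.

```powershell
# Added example, not part of the original article. Run on the current CA server
# before migration; it lists configuration values that reference the computer
# name so you can judge whether the CA is bound to it.
function Test-CaHostNameBinding {
    param([string] $HostName = $env:COMPUTERNAME)
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $cfg = Get-ItemProperty -Path (Join-Path $base $caName)
    $hostPattern = "\b$([regex]::Escape($HostName))\b"
    $findings = @()

    # CDP/AIA templates: %1 expands to the server DNS name, so any entry that
    # uses it (or spells the host name out) changes when the CA moves.
    foreach ($valueName in 'CRLPublicationURLs', 'CACertPublicationURLs') {
        foreach ($entry in @($cfg.$valueName)) {
            if ($entry -match '%1' -or $entry -match $hostPattern) {
                $findings += [pscustomobject]@{ Value = $valueName; Entry = $entry }
            }
        }
    }
    # Local paths must also fit the new server; CAServerName is always present
    # and is adjusted when the registry backup is restored, so it is not listed.
    foreach ($valueName in 'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory',
                           'DBTempDirectory', 'ConfigurationDirectory') {
        $v = $cfg.$valueName
        if ($v -and $v -match $hostPattern) {
            $findings += [pscustomobject]@{ Value = $valueName; Entry = $v }
        }
    }
    if ($findings.Count -eq 0) {
        Write-Host "CA '$caName' has no configuration value bound to host '$HostName'"
    }
    $findings
}

Test-CaHostNameBinding | Format-Table -AutoSize
```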
Trip hazards
- Installation of the Certification Authority role requires Enterprise Administrator privileges or delegated privileges to install an Enterprise Certification Authority.
- After the certification authority role has been installed on the new server, it is immediately reachable again for requesters and can actively issue certificates, since the list of certificate templates published on it is read from Active Directory. Therefore, immediately after installing the certification authority role on the new server, the steps to put it into maintenance mode must be carried out again.
- In some circumstances, it may no longer be possible to publish your own certificate templates on the migrated certification authority. What must be done in this case is described in the article "After the migration of the certification authority to a new server, own certificate templates can no longer be published".
- If maintenance mode and the creation of the backup were not performed in the correct order, users may be unable to request certificates from the new certification authority because an Active Directory object was not updated correctly. How to fix this error is described in the article "Requesting a certificate fails with the error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."".
- In some cases, other services (e.g. DirectAccess, IPsec, Network Policy Server (NPS)) use the certification authority certificate instead of their own server certificate if these roles are installed together with the certification authority on the same source server.
Preparation of the new server
The preparation of the server includes, among others:
- Creating the virtual machine or commissioning the server hardware
- Installing the operating system
- Adding the new server to the domain
- Installation of operating system updates and management software
- Security hardening of the operating system installation
These steps are not described in detail here, as they are generally valid.
Installation of the certification authority certificates (including private key) on the new server
This step is part of the preparation of the server and can be very extensive under certain circumstances, for example if hardware security modules are used. In order not to lose any time during the migration of the certification authority, this step is therefore carried out in advance.
A description of the installation of the certification authority certificates can be found in the following articles:
- Restoration of a certification authority certificate with software key
- Restoration of a Certification Authority Certificate with Hardware Security Module (HSM)
Put the certification authority on the old server into maintenance mode
To ensure that the certification authority is in a consistent state during migration, it must be prevented from continuing to accept certificate requests and issue certificates to requesters. For this purpose, the certification authority is put into maintenance mode.
The procedure for putting a certification authority into maintenance mode is described in the article "Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode".
Publish new certificate revocation lists
In case the migration takes longer than planned, it is essential to generate up-to-date certificate revocation lists on the old server once more.
In general, the certificate revocation list validity periods should be checked and, if necessary, increased before the migration. The procedure for configuring them is described in the article "Configuring Certificate Revocation List (CDP) Distribution Points and Authority Information Access (AIA) Extension of a Certification Authority".
The procedure for publishing a certificate revocation list is described in the article "Create and publish a certificate revocation list".
Emergency signing of the newly published certificate revocation lists
Emergency signing of revocation lists means re-signing an existing certificate revocation list directly with the associated private key, using an extended expiration date. If something goes wrong during the migration, revocation checking can continue until the problem is solved.
A detailed description of how to perform emergency signing can be found in the article "Perform emergency signing of certificate revocation lists".
Create a backup of the certification authority on the old server
A detailed description of the individual steps can be found in the article "Create a backup of a certification authority".
Decommission the old server
The old server is now shut down. The certification authority role is not uninstalled beforehand, since part of the configuration is located in Active Directory and can thus be taken over again directly by the new server.
Restore the previously created backup of the certification authority to the new server
Restoring the certification authority from backup consists of the following steps:
- Install the Certification Authority role on the new server
- Adjusting the registry backup from the certification authority backup and importing the settings
- Importing the certification authority database from the backup
A detailed description of the individual steps can be found in the article "Restoring a certification authority from backup".
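To adjust the registry backup before importing it on the new server, as the second restore step above requires, here is an added PowerShell example (not code from the original article or the articles it links): it decodes a "reg export" of the CA configuration key, rewrites CAServerName to the new computer name and reports any other values, such as the CDP/AIA URL lists, that still name the old server. The function name, the file path parameters and the -All switch are assumptions.

```powershell
# Added example, not part of the original article. Rewrites the old computer
# name in a "reg export" of the CA configuration key before it is imported on
# the new server. Assumed inputs: old and new host names and the .reg file path.
function Update-CaRegistryExport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $OldHostName,
        [Parameter(Mandatory)] [string] $NewHostName,
        [string] $OutPath = ($Path -replace '\.reg$', '.migrated.reg'),
        [switch] $All   # also rewrite URL lists such as CDP/AIA; review them first
    )
    $pattern = "\b$([regex]::Escape($OldHostName))\b"
    # reg export wraps long hex values over several lines ending in "\"; join them.
    $text = (Get-Content -Path $Path -Raw) -replace '\\\r?\n\s*', ''
    $out = foreach ($line in ($text -split '\r?\n')) {
        if ($line -match '^"(?<name>[^"]+)"=(?<value>.*)$') {
            $name = $Matches.name
            $value = $Matches.value
            $isMulti = $value -like 'hex(7):*'
            $decoded = $value
            if ($isMulti) {
                # REG_MULTI_SZ is exported as comma-separated UTF-16LE bytes
                $bytes = [byte[]] ($value.Substring(7) -split ',' |
                    Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
                $decoded = [Text.Encoding]::Unicode.GetString($bytes)
            }
            if ($decoded -match $pattern) {
                if ($name -eq 'CAServerName' -or $All) {
                    $decoded = $decoded -replace $pattern, $NewHostName
                    if ($isMulti) {
                        $hex = ([Text.Encoding]::Unicode.GetBytes($decoded) |
                            ForEach-Object { $_.ToString('x2') }) -join ','
                        $line = "`"$name`"=hex(7):$hex"
                    } else {
                        $line = "`"$name`"=$decoded"
                    }
                    Write-Host "rewrote $name"
                } else {
                    Write-Warning "$name still references $OldHostName (rerun with -All to rewrite)"
                }
            }
        }
        $line
    }
    # reg import accepts the UTF-16 encoding that reg export produced
    Set-Content -Path $OutPath -Value $out -Encoding Unicode
    $OutPath
}
```

Values left unchanged are reported so the decision whether existing CDP/AIA URLs keep pointing at the old name (for example via a DNS alias) stays with the administrator.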
When switching from an older Windows Server version to Windows Server 2012 or newer, the procedure for creating the certificate serial number has changed (see the article "How is the serial number of a certificate formed?"). In this case, you should make a conscious decision whether to accept the old potentially unsafe value or switch to the new default setting.
Customize connected services
If the new server is accessible under a different hostname, the services associated with the certification authority, if any, must be modified so that they connect to the new server. This includes:
- Certification Authority Web Enrollment (CAWE). The role must be reinstalled. See the article "Installing Certification Authority Web Enrollment (CAWE)".
- Online Responder (OCSP). The revocation configuration must be recreated.
- Network Device Enrollment Service (NDES). See the article "Moving Network Device Enrollment Service (NDES) to another certification authority".
- Certificate Enrollment Web Service (CES). See the article "Customize the Certificate Enrollment Web Service (CES) after migrating a certificate authority to a new server".
- Provided that on the source system a Network Policy Server (NPS) was installed, it may have been using the certificate authority certificate, so a dedicated server certificate may now be required and the access policies will need to be adjusted to use it.
Perform function test
A detailed description of the individual sub-steps can be found in the article "Perform functional test for a Certification Authority".
Take the certification authority out of maintenance mode
If the functional test was successful, the certification authority can be released again for issuing certificates to the applicants.
For this purpose, the certification authority is taken out of maintenance mode. A description of how this is done can be found in the article "Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode".
Related links:
- Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode
- After the migration of the certification authority to a new server, own certificate templates can no longer be published
- Windows Server Migration Matrix for the Certification Authority
- Requesting a certificate fails with the error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."
External sources
- AD CS Migration: Migrating the Certification Authority (Microsoft Corporation)