At the latest when the manufacturer's (Microsoft's) product support ends, the question arises whether the certification authority should be migrated to another server with an up-to-date operating system, or whether an in-place upgrade should be performed. The latter procedure is described below.
Support for Windows Server 2008 SP2 and Windows Server 2008 R2 expires on January 14, 2020 (see article "End of product support by the manufacturer (Microsoft)"). If any problems occur during the upgrade, there is usually no support available from Microsoft.
Instead of an in-place upgrade, it is strongly recommended to migrate the certification authority to another server with a current operating system. See article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server".
It is not possible to upgrade a 32-bit installation of Windows Server 2008 to a newer version of Windows, as newer versions are only released as 64-bit. The only way to upgrade such a certification authority is to migrate it to a new server with the latest operating system. See article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server".
Downgrading a Windows edition, e.g. from Windows Server Datacenter to Windows Server Standard, is not supported.
Preparatory work
- Ensure that the target hardware (physical or virtual) supports the installation of the new operating system.
- Provide the license key for the new operating system. It is required during the upgrade.
- Provide the installation media of the new operating system.
- Ensure physical access to the server, or access to the virtual machine configuration and console.
- Install all Windows updates for the current operating system.
- Put the certification authority into maintenance mode. See article "Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode".
- Publish a certificate revocation list. See article "Create and publish a certificate revocation list".
- Perform an emergency signing of the certificate revocation list. See article "Perform emergency signing of certificate revocation lists".
- Create a current backup of the certification authority. See article "Create a backup of a certification authority".
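The checks and backup steps of the preparatory list can be run from one script on the CA. The following PowerShell script is an added example and not part of the original article: it verifies the 64-bit requirement, that no reboot is pending, publishes a CRL with certutil and writes a full CA backup (database, password-protected key, CertSvc registry configuration, CAPolicy.inf). The path in $BackupRoot is a hypothetical value; putting the CA into maintenance mode and the emergency CRL signing are left to the linked articles and are not scripted here.

```powershell
# Added example (not from the original article): readiness checks and a full CA
# backup before an in-place upgrade. Run in an elevated PowerShell on the CA.
# Assumptions: $BackupRoot is a hypothetical path; maintenance mode and the
# emergency CRL signing are handled per the linked articles, not here.
$BackupRoot = "D:\CA-Backup-PreUpgrade"   # hypothetical, use a volume other than C:\

# 1. Only 64-bit installations can be upgraded in place
$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host "Current OS: $($os.Caption), $($os.OSArchitecture)"
if ($os.OSArchitecture -notlike "64*") {
    throw "32-bit installation: in-place upgrade is not possible, migrate the CA instead."
}

# 2. All updates for the current OS should be installed and no reboot pending
$rebootKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"
if (Test-Path $rebootKey) {
    throw "A reboot from a previous update is still pending; reboot first."
}

# 3. The CA service must be running for CRL publication and for the backup
if ((Get-Service -Name CertSvc).Status -ne "Running") {
    throw "CertSvc is not running."
}

# 4. Publish a fresh CRL so clients hold a valid list while the CA is down
& certutil.exe -crl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CRL publication failed, certutil exit code $LASTEXITCODE" }

# 5. Backup: database and private key (password-protected PKCS#12) via certutil,
#    plus the CertSvc registry configuration and CAPolicy.inf if present
$dir = Join-Path $BackupRoot (Get-Date -Format "yyyyMMdd-HHmm")
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# certutil takes the key password as a plain argument, so prompt for it rather
# than hard-coding it, and keep this session out of transcripts and logs
$password = Read-Host -Prompt "Password for the CA key backup"
& certutil.exe -p $password -backup $dir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed, exit code $LASTEXITCODE" }

& reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" (Join-Path $dir "CertSvc-Configuration.reg") /y | Out-Null
$caPolicy = Join-Path $env:windir "CAPolicy.inf"
if (Test-Path $caPolicy) { Copy-Item $caPolicy $dir }

# 6. Record the CA's identity and key container for comparison after the upgrade
& certutil.exe -cainfo | Out-File (Join-Path $dir "cainfo-before-upgrade.txt")

Write-Host "Backup written to $dir - copy it off the server before starting the upgrade."
Get-ChildItem $dir | Select-Object Name, Length
```

Copy the backup directory off the server before inserting the installation media; if the upgrade fails, the certutil backup together with the exported registry key is what a restore on a freshly installed server needs.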
Implementation of the upgrade
After the installation media for the new operating system has been inserted, the installation can be started.
Server systems usually have no Internet connection anyway, so the option to download updates can be deselected here. Note, however, that the server will then start up again without security updates. As a consequence, remote desktop connections from a current client will no longer work, because the update for the CredSSP vulnerability CVE-2018-0886 has not yet been installed.
In the next dialog, the license terms are accepted in order to continue.
In the next dialog, it is essential to select the "Upgrade" option so that the certification authority installation is retained. If only the option "Custom (advanced)" can be selected here, either the operating system language or the operating system edition does not match.
A compatibility report is then displayed. For a certification authority there should be nothing unusual here, so you can continue.
This is followed by the installation of the new operating system. The server will reboot several times before it can be used again with the new operating system.
Problem solving
Remote desktop connection no longer possible after in-place upgrade
Most likely, a remote desktop connection to the server will not be possible after the in-place upgrade. For the reason and the solution, see article "Remote desktop connection no longer possible after in-place upgrade of Windows Server operating system".
Rework
- Activate Windows, if required. After the upgrade, the server may still need to be connected to a KMS server, or the operating system may need to be activated.
- Install current Windows updates. The server starts without security updates, so they must be installed immediately.
- If you have upgraded a certification authority that was running on Windows Server 2008 R2 or older, you may want to adjust the serial number generation for issued certificates to the new standard. For more information, see the article "How is the serial number of a certificate formed?".
- Perform a functional test of the certification authority. See article "Perform functional test for a Certification Authority".
- Create a current backup. See article "Create a backup of a certification authority".
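The rework list can likewise be checked from one script. The following PowerShell script is an added example, not part of the original article: it reports the activation state, whether any updates have been installed yet, the CredSSP mitigation setting relevant to CVE-2018-0886, the CA service and RPC interface, the current serial-number setting, and whether CRL publication works on the new operating system. Reading the HighSerial registry value is an assumption about where the serial-number behaviour is configured; the script only reads it and changes nothing, because the appropriate value depends on the linked serial-number article. The backup itself is the same certutil -backup step as before the upgrade and is not repeated here.

```powershell
# Added example (not from the original article): post-upgrade checks for the CA.
# Run in an elevated PowerShell on the upgraded server. Nothing is changed here;
# the script only reports, so it can be re-run until every line is green.
$report = @()

# 1. Activation state of the product carrying the installed key (LicenseStatus 1 = licensed)
$lic = Get-WmiObject -Class SoftwareLicensingProduct | Where-Object { $_.PartialProductKey } | Select-Object -First 1
if ($lic -and $lic.LicenseStatus -eq 1) {
    $report += "Activation: licensed"
} else {
    $report += "Activation: NOT licensed - activate or connect to the KMS server"
}

# 2. An in-place upgrade leaves the server without the new OS's security updates
$hotfixCount = @(Get-HotFix).Count
$report += "Installed updates: $hotfixCount"
if ($hotfixCount -eq 0) { $report += "WARNING: no updates installed yet - install them before returning the CA to service" }

# 3. CredSSP mitigation state (CVE-2018-0886). Value 2 would make the host accept
#    unpatched peers; the fix is installing the updates, not lowering this setting.
$credssp = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
if (Test-Path $credssp) {
    $oracle = (Get-ItemProperty -Path $credssp).AllowEncryptionOracle
    $report += "CredSSP AllowEncryptionOracle = $oracle (0 = force updated clients, 1 = mitigated, 2 = vulnerable)"
} else {
    $report += "CredSSP policy not configured (default behaviour of the installed updates applies)"
}

# 4. CA service running and answering requests on its RPC interface
$report += "CertSvc: $((Get-Service -Name CertSvc).Status)"
& certutil.exe -ping | Out-Null
$report += "certutil -ping exit code: $LASTEXITCODE (0 = CA answers requests)"

# 5. Serial number generation setting, read only (assumed registry value HighSerial)
$highSerial = & certutil.exe -getreg "CA\HighSerial" 2>&1
$report += "CA\HighSerial (exit code $LASTEXITCODE): " + (($highSerial | Select-String "HighSerial") -join "; ")

# 6. CRL publication works on the new operating system
& certutil.exe -crl | Out-Null
$report += "CRL publication exit code: $LASTEXITCODE (0 = published)"

# 7. CA identity for comparison with the cainfo output taken before the upgrade
$caInfo = & certutil.exe -cainfo 2>&1
$report += ($caInfo | Select-String "CA name|Sanitized" | ForEach-Object { $_.Line.Trim() })

$report | ForEach-Object { Write-Host $_ }
```

Compare the cainfo lines with the copy recorded before the upgrade: the CA name and key container must be unchanged, otherwise the upgrade did not retain the CA installation. Once all checks pass, take the new backup with certutil -backup as in the preparatory steps.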
Related links:
- Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server
- In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2012
- In-Place Upgrade of a Certification Authority from Windows Server 2008 R2 to Windows Server 2012 R2
- In-Place Upgrade of a Certification Authority from Windows Server 2012 SP2 or 2012 R2 to Windows Server 2016
External sources
- Windows Server 2012 upgrade may fail with error 0x000000C4 (Microsoft)
- CredSSP updates for CVE-2018-0886 (Microsoft)
6 thoughts on "In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2008 R2"