Virtualize Existing Subordinate CA server

We are looking to move our existing Subordinate CA server to a VMware server.

With VMware I can do a P to V without any issues.

My question is: will making this existing server virtual affect the Certificate Authority role?

Or should I just demote this Subordinate CA server and create a new one in VMware?


Anthony Graczyk (IT Manager) asked:
Paranormastic (Cryptographic Engineer) commented:
Hardware is not any more an issue than for any other Windows installation.  For the CA, the critical things that must remain unchanged are the hostname of the server, the CAName, the certificate database and the private key.  

The VM scenario creates a hardware agnostic environment that is easy to back up completely, and especially in the case of the root CA, to take offline, lock up, and bring back online very easily and with nominal storage space.  Shouldn't matter much if it is VMware, MS virtual server, etc. etc. or what replication process you are using for disaster recovery, performance, etc.

The only reason a CA would need to be tied to specific hardware is if you run a higher security implementation where an HSM is used to protect the private key.  Since the cost of this (generally a couple thousand dollars) is usually prohibitive for most smaller organizations, this is not often a consideration.  However, some smaller companies will do a smaller scale variation and use a smart card or USB smart token to house the CA's private key - since these are fairly slow this is generally not a good idea for larger organizations (where the HSM is much faster and secure).  
Paranormastic (Cryptographic Engineer) commented:
Depends if you are planning to rename the server during the move or not.  If you are going to rename it - it is better to create a new one.  If you can keep the existing name, then you can just move the database and private key over and be set.  Here are a couple guides for whichever way you choose to go:

How to decom a CA server properly from AD:
How to move a CA to another server:
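The move Paranormastic describes (keep the hostname and CAName, carry the certificate database and private key across) as a worked example. This is added here and is not code from the original thread or from any linked guide; the directory layout, the function and parameter names, and the backup password handling are assumptions, while the certutil and reg.exe commands and the CertSvc registry locations are the standard ones.

```powershell
# Added example (not from the original page): back up the pieces the answer
# says must survive a CA move (hostname, CAName, certificate database,
# private key) plus the CertSvc registry configuration, then verify on the
# target that hostname and CAName still line up before restoring.
# Function names, parameter names and paths below are assumptions.

$CertSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaIdentity {
    # CAName is the 'Active' value; CAServerName lives under the per-CA subkey.
    $caName   = (Get-ItemProperty -Path $CertSvcConfig -Name Active).Active
    $caServer = (Get-ItemProperty -Path (Join-Path $CertSvcConfig $caName) -Name CAServerName).CAServerName
    [pscustomobject]@{
        CAName       = $caName
        CAServerName = $caServer
        Hostname     = $env:COMPUTERNAME
    }
}

function Export-CaForMove {
    param(
        [Parameter(Mandatory)] [string] $BackupDir,
        [Parameter(Mandatory)] [string] $KeyPassword   # protects the exported CA key (PFX)
    )
    # certutil wants empty target directories, so key and database get their own subfolders.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Get-CaIdentity | ConvertTo-Json | Set-Content -Path (Join-Path $BackupDir 'ca-identity.json')

    # CA certificate + private key; this fails (correctly) when the key is
    # non-exportable, which is the HSM / smart-card case from the thread.
    & certutil.exe -p $KeyPassword -backupKey (Join-Path $BackupDir 'Key')
    # Certificate database (issued and revoked certs, pending requests); CertSvc must be running.
    & certutil.exe -backupDB (Join-Path $BackupDir 'DB')
    # CA configuration: CRL/AIA locations, validity periods, policy module settings.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $BackupDir 'certsvc-config.reg') /y
}

function Test-CaIdentityForRestore {
    param([Parameter(Mandatory)] [string] $BackupDir)
    $saved = Get-Content -Raw (Join-Path $BackupDir 'ca-identity.json') | ConvertFrom-Json
    $ok = $true
    # -ne on strings is case-insensitive in PowerShell, which matches NetBIOS name semantics.
    if ($env:COMPUTERNAME -ne $saved.CAServerName) {
        Write-Warning "Hostname '$env:COMPUTERNAME' differs from CAServerName '$($saved.CAServerName)'; a rename means a new CA, not a move."
        $ok = $false
    }
    $pfx = Join-Path $BackupDir ('Key\{0}.p12' -f $saved.CAName)   # certutil names the PFX after the CA
    if (-not (Test-Path $pfx)) {
        Write-Warning "No exported key for CAName '$($saved.CAName)' at $pfx."
        $ok = $false
    }
    return $ok
}

function Restore-CaFromBackup {
    param(
        [Parameter(Mandatory)] [string] $BackupDir,
        [Parameter(Mandatory)] [string] $KeyPassword
    )
    if (-not (Test-CaIdentityForRestore -BackupDir $BackupDir)) {
        throw 'Identity check failed; refusing to restore onto a host with a different name or CAName.'
    }
    Stop-Service certsvc                       # -restoreDB requires the service stopped
    & certutil.exe -p $KeyPassword -restoreKey (Join-Path $BackupDir 'Key')
    & certutil.exe -restoreDB (Join-Path $BackupDir 'DB')
    & reg.exe import (Join-Path $BackupDir 'certsvc-config.reg')
    Start-Service certsvc
    & certutil.exe -ping                       # confirm the CA answers under the same config string
}

# Usage (assumed paths and passphrase):
#   On the source:  Export-CaForMove -BackupDir 'C:\CABackup' -KeyPassword 'use-a-real-passphrase'
#   On the target:  Restore-CaFromBackup -BackupDir 'D:\CABackup' -KeyPassword 'use-a-real-passphrase'
```

Run the export on the physical box before the P2V so there is a known-good copy of key and database whichever route is taken; on the target, the identity check is the deciding step from the answer above: if the hostname or CAName no longer match, the right move is the decommission-and-rebuild path, not a restore.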
Anthony Graczyk (IT Manager, author) commented:
So do you know if the CA server is tied to the physical hardware, e.g. when the CA is initially created, does it use the hardware to create its identity?

If not, I can use VMware Cold Image software to create the guest image offline.

I do see your question is specifically relating to the CA ("certificate authority") function of this server. This has been answered, I feel.
To elaborate a little further: you can perform a P2V migration of your server. As it's a CA, I agree with mranth that a cold clone would be the best P2V method.
If we listen to the VMware people, they will recommend that wherever possible, performance will be optimised by building a template server in your VMware environment and deploying this template as a new server rather than P2Ving (best-practice stuff).
I agree with the VMware egg heads.
Question has a verified solution.
