Virtualize Existing Subordinate CA server

Posted on 2009-04-20
Last Modified: 2012-05-06
We are looking to move our existing Subordinate CA server to a VMware server.

With VMware I can do a P to V without any issues.

My question is: will making this existing server virtual affect the Certificate Authority role?

Or should I just demote this Subordinate CA server and create a new one in VMware?


Question by:mranth
    LVL 31

    Assisted Solution

    Depends if you are planning to rename the server during the move or not.  If you are going to rename it, it is better to create a new one.  If you can keep the existing name, then you can just move the database and private key over and be set.  Here are a couple of guides for whichever way you choose to go:

    How to decom a CA server properly from AD:
    How to move a CA to another server:

    Author Comment

    So do you know if the CA server is tied to the physical hardware? E.g. when the CA is initially created, does it use the hardware to create its identity?

    If not, I can use VMware Cold Image software to create the guest image offline.

    LVL 8

    Expert Comment

    I do see your question specifically relates to the CA (certificate authority) function of this server. This has been answered, I feel.
    To elaborate a little further: you can perform a P2V migration of your server. As it's a CA, I agree with mranth that a cold clone would be the best P2V method.
    If we listen to the VMware people, they will recommend, wherever possible, building a template server in your VMware environment and deploying this template as a new server rather than P2Ving, since performance will be optimised that way (best practice stuff).
    I agree with the VMware egg heads.
    LVL 31

    Accepted Solution

    Hardware is not any more of an issue than for any other Windows installation.  For the CA, the critical things that must remain unchanged are the hostname of the server, the CAName, the certificate database and the private key.

    The VM scenario creates a hardware agnostic environment that is easy to back up completely, and especially in the case of the root CA, to take offline, lock up, and bring back online very easily and with nominal storage space.  Shouldn't matter much if it is VMware, MS virtual server, etc. etc. or what replication process you are using for disaster recovery, performance, etc.

    The only reason a CA would need to be tied to specific hardware is if you run a higher security implementation where an HSM is used to protect the private key.  Since the cost of this (generally a couple of thousand dollars) is usually prohibitive for most smaller organizations, this is not often a consideration.  However, some smaller companies will do a smaller scale variation and use a smart card or USB smart token to house the CA's private key; since these are fairly slow, this is generally not a good idea for larger organizations (where the HSM is much faster and more secure).
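A verification script, added here and not part of the thread, that records the items the accepted solution says must not change (hostname, CAName, CA certificate and private key) before the P2V and compares them on the VM afterwards. The CertSvc registry path is the standard one; the backup directory, file names and backup password are placeholders.

```powershell
# Added example, not from the thread. Captures the CA identity the accepted answer says must
# survive a P2V move so it can be compared after the move. Assumes AD CS is installed locally;
# $BackupDir and the backup password are placeholders.
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$BackupDir = 'C:\CABackup'   # placeholder; copy this off the box once populated

function Get-CaIdentity {
    # 'Active' under the Configuration key holds the CAName; the per-CA subkey holds CAServerName.
    $cfg    = Get-ItemProperty -Path $ConfigKey
    $caName = $cfg.Active
    $caKey  = Get-ItemProperty -Path (Join-Path $ConfigKey $caName)
    # The CA certificate (and its private key, unless an HSM/token holds it) is in the machine store.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$caName*" } | Select-Object -First 1
    [pscustomobject]@{
        Hostname      = $env:COMPUTERNAME
        CAName        = $caName
        CAServerName  = $caKey.CAServerName
        DBDirectory   = $cfg.DBDirectory
        CACertThumb   = $caCert.Thumbprint
        HasPrivateKey = [bool]($caCert -and $caCert.HasPrivateKey)
    }
}

function Compare-CaIdentity($Before, $After) {
    # The invariants from the accepted answer: these must be identical before and after the move.
    $mustMatch = 'Hostname', 'CAName', 'CAServerName', 'CACertThumb'
    $drift = @(foreach ($f in $mustMatch) {
        if ($Before.$f -ne $After.$f) { "$f changed: '$($Before.$f)' -> '$($After.$f)'" }
    })
    if (-not $After.HasPrivateKey) { $drift += 'CA private key not present after move' }
    if ($drift.Count) { $drift } else { 'CA identity unchanged' }
}

# On the physical server, before the cold clone:
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
Get-CaIdentity | Export-Clixml (Join-Path $BackupDir 'ca-identity-before.xml')
certutil -p 'PLACEHOLDER-PASSWORD' -backup $BackupDir        # CA database + private key (PFX)
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration (Join-Path $BackupDir 'certsvc.reg') /y

# On the VM after the move (the backup directory having been copied across):
# Compare-CaIdentity (Import-Clixml (Join-Path $BackupDir 'ca-identity-before.xml')) (Get-CaIdentity)
```

The certutil backup is the safety net the move guides rely on: if the clone comes up with a different thumbprint or no private key, the database and PFX in the backup directory are what you restore from.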
