Virtualize Existing Subordinate CA server

Posted on 2009-04-20
Last Modified: 2012-05-06
We are looking to move our existing Subordinate CA server to a VMware server.

With VMware I can do a P to V without any issues.

My question is: will making this existing server virtual affect the Certificate Authority role?

Or should I just demote this Subordinate CA server and create a new one in VMware?


Question by:Anthony Graczyk

Assisted Solution

Paranormastic earned 2000 total points
ID: 24184697
Depends if you are planning to rename the server during the move or not. If you are going to rename it, it is better to create a new one. If you can keep the existing name, then you can just move the database and private key over and be set. Here are a couple of guides for whichever way you choose to go:

How to decom a CA server properly from AD:
How to move a CA to another server:

Author Comment

by:Anthony Graczyk
ID: 24185168
So do you know if the CA server is tied to the physical hardware? E.g., when the CA is initially created, does it use the hardware to create its identity?

If not, I can use VMware Cold Image software to create the guest image offline.


Expert Comment

ID: 24185953
I do see your question is specifically relating to the CA ("certificate authority") function of this server. This has been answered, I feel.
To elaborate a little further: you can perform a P2V migration of your server. As it's a CA, I agree with mranth that a cold clone would be the best P2V method.
If we listen to the VMware people, they will recommend that, wherever possible, performance be optimised by building a template server in your VMware environment and deploying this template as a new server rather than P2Ving (best practice stuff).
I agree with the VMware eggheads.

Accepted Solution

Paranormastic earned 2000 total points
ID: 24216762
Hardware is not any more an issue than for any other Windows installation. For the CA, the critical things that must remain unchanged are the hostname of the server, the CAName, the certificate database and the private key.

The VM scenario creates a hardware agnostic environment that is easy to back up completely, and especially in the case of the root CA, to take offline, lock up, and bring back online very easily and with nominal storage space.  Shouldn't matter much if it is VMware, MS virtual server, etc. etc. or what replication process you are using for disaster recovery, performance, etc.

The only reason a CA would need to be tied to specific hardware is if you run a higher security implementation where an HSM is used to protect the private key.  Since the cost of this (generally a couple thousand dollars) is usually prohibitive for most smaller organizations, this is not often a consideration.  However, some smaller companies will do a smaller scale variation and use a smart card or USB smart token to house the CA's private key - since these are fairly slow this is generally not a good idea for larger organizations (where the HSM is much faster and secure).  
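As an added example (not from this thread or any of its posters), a PowerShell script that records the four items Paranormastic says must survive the move (hostname, CAName, certificate database location, CA certificate and its private key) before the P2V and compares them afterwards. The CertSvc registry path and the LocalMachine\My store are the standard ADCS locations; the baseline file path is an assumed value.

```powershell
# Added example: snapshot the CA identity before a P2V move, then re-run with
# -Compare on the virtual machine to confirm nothing the CA depends on changed.
# Run as Administrator on the CA. Baseline path below is an assumption.
param(
    [string]$BaselinePath = "C:\CAMigration\ca-identity-baseline.json",
    [switch]$Compare
)

# Active CA name and its per-CA settings (standard CertSvc registry location)
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$caCfg  = Get-ItemProperty -Path (Join-Path $cfgKey $caName)

# The CA certificate lives in the machine Personal store; HasPrivateKey must
# still be true after the move or the CA cannot sign anything.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

$snapshot = [ordered]@{
    Hostname         = $env:COMPUTERNAME
    CAName           = $caName
    CACertThumbprint = $caCert.Thumbprint
    HasPrivateKey    = [bool]$caCert.HasPrivateKey
    DBDirectory      = $caCfg.DBDirectory
    DBLogDirectory   = $caCfg.DBLogDirectory
}

if (-not $Compare) {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $snapshot | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

# Compare every recorded item against the pre-migration baseline
$baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
$failed = $false
foreach ($k in $snapshot.Keys) {
    if ("$($snapshot[$k])" -ne "$($baseline.$k)") {
        Write-Warning "$k changed: before='$($baseline.$k)' after='$($snapshot[$k])'"
        $failed = $true
    }
}
if ($failed) { exit 1 } else { Write-Host "CA identity unchanged after migration." }
```

A non-zero exit from the comparison run means the CA should not be brought back into service until the differing item is explained.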
