My Certificate Server Died. How can I get the new server to accept the certs from the old server

Posted on 2009-04-24
Last Modified: 2012-05-06
My Certificate Server Died. How can I get the new server to accept the certs from the old server? Both servers were/are running Windows Server 2003.
Question by: john1p47
    LVL 31

    Accepted Solution

    The hostname and CAName need to be the same as the old CA. You would then need to import the CA database and CA private key. Hopefully these were backed up at some point.

    Alternatively, if you are able to do a full restore including system state, that will contain the necessary information. This comes with the normal caveats like any other server when changing hardware for the restoration - if the hardware is similar to the old server it shouldn't be much of an issue regarding drivers, etc.

    How to move a CA to another server:

    To backup cert services, CA database, and CA private key:
    certutil -backupDB d:\CAdb KeepLog
    certutil -backupKey a:\

    Note: your private key should not be stored in exported format on any network connected server.  Save it to a floppy, thumb drive, etc. and keep it physically locked up in an anti-static bag.  If storing on a floppy, create a fresh copy every couple of years as floppies deteriorate - usb flash drives are preferred.

    To recover, if you have these files:
    certutil -restoreKey %path%
    certutil -restoreDB %path%
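    The backup half of the procedure above as a scripted, self-checking run (an added example, not code from the original post). It records the hostname and CA name the replacement server must reproduce, takes the database and key backups with certutil, and verifies the artifacts exist before the media is locked away. Assumes PowerShell is installed on the Server 2003 CA, certutil.exe is on the PATH, the CertSvc registry layout (Active, CommonName, CAServerName values) is as described in the comments, and E: is a removable drive (a constructed value; the post used A:).

```powershell
# Added example (not from the original post): back up a Windows Server 2003 CA
# with certutil and verify the artifacts before relying on them for a rebuild.
# Assumes certutil.exe on PATH, run as a CA administrator, and a removable
# drive for the key (E: here is a constructed value; the post used A:).
param(
    [string]$DbBackupDir  = 'D:\CAdb',
    [string]$KeyBackupDir = 'E:\'
)

# Record the identity the replacement server must reproduce: the accepted
# answer says hostname and CA name have to match the old CA. Both live under
# the CertSvc configuration key (value names assumed from that layout).
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfg).Active
$caKey  = Get-ItemProperty (Join-Path $cfg $caName)
$identity = @{
    CommonName   = $caKey.CommonName
    CAServerName = $caKey.CAServerName
    Hostname     = $env:COMPUTERNAME
}
$identity | Format-Table -AutoSize
# Keep the identity note beside (not inside) the database backup folder.
$identity | Export-Clixml (Join-Path (Split-Path $DbBackupDir) 'ca-identity.xml')

# 1. Database plus transaction logs. KeepLog (as in the answer) leaves the
#    logs in place so the restore can be brought fully up to date.
& certutil -backupDB $DbBackupDir KeepLog
if ($LASTEXITCODE -ne 0) { throw "certutil -backupDB failed ($LASTEXITCODE)" }

# 2. CA private key and certificate as a password-protected PKCS#12 file.
#    certutil prompts for the password; do not hard-code it in the script.
& certutil -backupKey $KeyBackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backupKey failed ($LASTEXITCODE)" }

# 3. Verify before trusting the media: certutil writes the EDB under a
#    DataBase\ subfolder and a .p12 named after the CA on the key drive.
$edb = Get-ChildItem (Join-Path $DbBackupDir 'DataBase') -Filter *.edb -ErrorAction SilentlyContinue
$p12 = Get-ChildItem $KeyBackupDir -Filter *.p12 -ErrorAction SilentlyContinue
if (-not $edb) { throw "no database file found under $DbBackupDir" }
if (-not $p12) { throw "no key file found under $KeyBackupDir" }

# 4. Confirm the PKCS#12 holds the CA certificate whose name was recorded
#    (certutil -dump prompts for the PFX password, then prints the cert).
& certutil -dump $p12[0].FullName | Select-String 'Subject|NotAfter'
Write-Host "Backup complete: $($edb.Count) database file(s), key in $($p12[0].FullName)"
```

    On the rebuilt server, after giving it the same hostname and CA name recorded in ca-identity.xml, the answer's certutil -restoreKey and certutil -restoreDB commands consume these two locations in that order.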
