Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How to migrate Windows Server 2008 Certificate Authority from x86 to x64

Posted on 2009-07-15
6
2,100 Views
Last Modified: 2013-11-29
Looking to upgrade our root CA from a 32-bit server to a 64-bit server.
Multiple documentation sources state that it is not possible to Backup a 32-bit CA and restore it to x64, however none that I have seen show how to actually complete a CA migration from a 32-bit to a 64-bit Windows Server.  Is there a method?  If so, what is the preferred methodor where can I find documentation?  I can't believe that a migration path wouldn't exist.

Thanks.
0
Comment
Question by:cj52973
  • 3
  • 2
6 Comments
 
LVL 7

Expert Comment

by:FOTC
ID: 24859670
Check these out...they could help:

This is mainly for Server 2003 but the concepts are pretty much the same...

How to move a certification authority to another server:
http://support.microsoft.com/kb/298138

This is more for Server 2008...

Move a CA to a Different Computer
http://technet.microsoft.com/en-us/library/cc755153%28WS.10%29.aspx
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24859675
You would want to run parallel PKIs until your migration is complete to the new CA.  Install a new root CA and subordinate CA, deploy the new root via GPO, etc., and start replacing all the certs you have issued from the old PKI while leaving it online.  

When replacing the certs, it is easiest to start with the autoenrollment certs first - just issue the autoenroll templates to the new CA and delete them from the old CA from the Certification Authorities MMC under the Certificate Templates folder (ok to delete here - do not delete from Certificate Templates MMC).  Note that LDAP servers (i.e. your DC) will need to be rebooted afterwards to start using the new cert instead of the old cached cert.  You can manually check autoenrollment events using the command 'certutil -pulse' from the requesting box.

You can check your cert database on your old CA and sort by template name, then right click the issued certificates folder and export to .csv file that you can access in Excel.  If you have a larger database, you may need to filter by certificate expiration date > time right now and see if that helps, else add a second line for expiration date < 1 month/year/whatever ahead and make multiple .csv files.

Once you are confident you have replaced them all, do not issue the next CRL from the old root until after the existing one has expired, then give it a week.  If there was anything that you missed, that will make most certificate types stand out like a sore thumb.  The primary exception to this would be if you use EFS - that does not do any revocation checking by design.  Afterwards, you can create an extended CRL lifetime to match the lifetime of the existing CA certificate(s) and publish those, then make a final archival backup copy and take it offline.

When you are ready to remove the old root:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250
0
 
LVL 7

Expert Comment

by:FOTC
ID: 24859685
oh...and you're correct...you can't upgrade from 32 bit to 64 bit. You have to do a reinstall. The underlying architecture is way too different.
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 
LVL 31

Expert Comment

by:Paranormastic
ID: 24859725
FOTC - from your first link:
" there is no upgrade path from a 32-bit version of Windows Server 2003 to a 64-bit version. Therefore, you cannot move an existing 32-bit database to a 64-bit database."

cj52973 already made note of that in the original question.
0
 
LVL 7

Expert Comment

by:FOTC
ID: 24859930
im well aware of that. i was just showing M$ documentation.
0
 
LVL 2

Author Closing Comment

by:cj52973
ID: 31603724
Yep, that's what I thought - I was just wishing I was wrong.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question