How to migrate Windows Server 2008 Certificate Authority from x86 to x64

Looking to upgrade our root CA from a 32-bit server to a 64-bit server.
Multiple documentation sources state that it is not possible to Backup a 32-bit CA and restore it to x64, however none that I have seen show how to actually complete a CA migration from a 32-bit to a 64-bit Windows Server.  Is there a method?  If so, what is the preferred methodor where can I find documentation?  I can't believe that a migration path wouldn't exist.

Thanks.
LVL 2
cj52973Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

FOTCCommented:
Check these out...they could help:

This is mainly for Server 2003 but the concepts are pretty much the same...

How to move a certification authority to another server:
http://support.microsoft.com/kb/298138

This is more for Server 2008...

Move a CA to a Different Computer
http://technet.microsoft.com/en-us/library/cc755153%28WS.10%29.aspx
0
ParanormasticCryptographic EngineerCommented:
You would want to run parallel PKIs until your migration is complete to the new CA.  Install a new root CA and subordinate CA, deploy the new root via GPO, etc., and start replacing all the certs you have issued from the old PKI while leaving it online.  

When replacing the certs, it is easiest to start with the autoenrollment certs first - just issue the autoenroll templates to the new CA and delete them from the old CA from the Certification Authorities MMC under the Certificate Templates folder (ok to delete here - do not delete from Certificate Templates MMC).  Note that LDAP servers (i.e. your DC) will need to be rebooted afterwards to start using the new cert instead of the old cached cert.  You can manually check autoenrollment events using the command 'certutil -pulse' from the requesting box.

You can check your cert database on your old CA and sort by template name, then right click the issued certificates folder and export to .csv file that you can access in Excel.  If you have a larger database, you may need to filter by certificate expiration date > time right now and see if that helps, else add a second line for expiration date < 1 month/year/whatever ahead and make multiple .csv files.

Once you are confident you have replaced them all, do not issue the next CRL from the old root until after the existing one has expired, then give it a week.  If there was anything that you missed, that will make most certificate types stand out like a sore thumb.  The primary exception to this would be if you use EFS - that does not do any revocation checking by design.  Afterwards, you can create an extended CRL lifetime to match the lifetime of the existing CA certificate(s) and publish those, then make a final archival backup copy and take it offline.

When you are ready to remove the old root:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
FOTCCommented:
oh...and you're correct...you can't upgrade from 32 bit to 64 bit. You have to do a reinstall. The underlying architecture is way too different.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

ParanormasticCryptographic EngineerCommented:
FOTC - from your first link:
" there is no upgrade path from a 32-bit version of Windows Server 2003 to a 64-bit version. Therefore, you cannot move an existing 32-bit database to a 64-bit database."

cj52973 already made note of that in the original question.
0
FOTCCommented:
im well aware of that. i was just showing M$ documentation.
0
cj52973Author Commented:
Yep, that's what I thought - I was just wishing I was wrong.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.