Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2222
  • Last Modified:

How to migrate Windows Server 2008 Certificate Authority from x86 to x64

Looking to upgrade our root CA from a 32-bit server to a 64-bit server.
Multiple documentation sources state that it is not possible to Backup a 32-bit CA and restore it to x64, however none that I have seen show how to actually complete a CA migration from a 32-bit to a 64-bit Windows Server.  Is there a method?  If so, what is the preferred methodor where can I find documentation?  I can't believe that a migration path wouldn't exist.

Thanks.
0
cj52973
Asked:
cj52973
  • 3
  • 2
1 Solution
 
FOTCCommented:
Check these out...they could help:

This is mainly for Server 2003 but the concepts are pretty much the same...

How to move a certification authority to another server:
http://support.microsoft.com/kb/298138

This is more for Server 2008...

Move a CA to a Different Computer
http://technet.microsoft.com/en-us/library/cc755153%28WS.10%29.aspx
0
 
ParanormasticCryptographic EngineerCommented:
You would want to run parallel PKIs until your migration is complete to the new CA.  Install a new root CA and subordinate CA, deploy the new root via GPO, etc., and start replacing all the certs you have issued from the old PKI while leaving it online.  

When replacing the certs, it is easiest to start with the autoenrollment certs first - just issue the autoenroll templates to the new CA and delete them from the old CA from the Certification Authorities MMC under the Certificate Templates folder (ok to delete here - do not delete from Certificate Templates MMC).  Note that LDAP servers (i.e. your DC) will need to be rebooted afterwards to start using the new cert instead of the old cached cert.  You can manually check autoenrollment events using the command 'certutil -pulse' from the requesting box.

You can check your cert database on your old CA and sort by template name, then right click the issued certificates folder and export to .csv file that you can access in Excel.  If you have a larger database, you may need to filter by certificate expiration date > time right now and see if that helps, else add a second line for expiration date < 1 month/year/whatever ahead and make multiple .csv files.

Once you are confident you have replaced them all, do not issue the next CRL from the old root until after the existing one has expired, then give it a week.  If there was anything that you missed, that will make most certificate types stand out like a sore thumb.  The primary exception to this would be if you use EFS - that does not do any revocation checking by design.  Afterwards, you can create an extended CRL lifetime to match the lifetime of the existing CA certificate(s) and publish those, then make a final archival backup copy and take it offline.

When you are ready to remove the old root:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250
0
 
FOTCCommented:
oh...and you're correct...you can't upgrade from 32 bit to 64 bit. You have to do a reinstall. The underlying architecture is way too different.
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
ParanormasticCryptographic EngineerCommented:
FOTC - from your first link:
" there is no upgrade path from a 32-bit version of Windows Server 2003 to a 64-bit version. Therefore, you cannot move an existing 32-bit database to a 64-bit database."

cj52973 already made note of that in the original question.
0
 
FOTCCommented:
im well aware of that. i was just showing M$ documentation.
0
 
cj52973Author Commented:
Yep, that's what I thought - I was just wishing I was wrong.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now