2000 to 2008 R2 Certificate Authority Migration - Needs a CA Expert

inf02 = 2000 CA
inf03 = 2008 R2 CA


I have a 2008 R2 AD at that level.  I understand that there is no migration path from 2000 to 2008 R2 because it would be a 32 to 64 bit change.  A 2008 R2 CA has been installed alongside a 2000 CA.  The goal is to direct new clients to the new 2008 R2 CA through manual and autoenrollment, and then decommission the 2000 CA.

On inf03 in Server Manager\AD Certificate Services\Enterprise PKI I see inf02 (v3.0) and the new CA is listed as inf03 (v0.0).  In AD Sites and Services\Services\Public Key Services, I see both CAs listed under AIA and CDP.  My certificate templates appear to show updated certificate template.  Certutil.exe -dump shows a certificate for both CAs when run from either the 2000 or 2008 R2 CA command prompt.

Before trying to move this forward and create an enrollment policy, I wanted to see if there is a CA expert who has experience with this situation.


Paranormastic (Cryptographic Engineer) commented:
If your root was still on 2000 then it's probably getting about time to rekey anyway, which would mean a new root deployment regardless.  Upgrading a CA twice is just a lot of work, and although 32 to 64 bit is actually possible (contrary to much early mis-documentation), my recommendation is to start clean and do a gentle migration to the new CA rather than risk everything by upgrading the existing box and migrating the hardware.


Get your new CA up and running, create a test template and verify that everything is working right for autoenrollment, manual enrollment, etc. Once you feel comfortable, issue an existing template over to the new CA and then delete it from the old CA (read: delete from certsrv.msc - Certificate Templates... do not delete from the Certificate Templates MMC, certtmpl.msc).  If you have a lot of clients, you should see results automatically; if not, then you can use the templates MMC to right-click the template and re-enroll all certificate holders if you want to force it.

When you're done, query the certificate database for the template you are using and filter the results for expiration date after right now.  Compare the results from both CAs; use a windiff program or use findstr in a batch file if it's messy.

A special note: pay attention to user encryption certificates (e.g. EFS or email encryption) and make sure you set up your new KRA and/or EFS DRA certificates early.  Also do the EFS certs separately from the machine certs, since they directly involve people.  Set up a small pilot group to make sure everything goes smoothly (it should, but upgrading anything seems to cause an issue for somebody somewhere).

When you're confident everything is migrated over, then you are ready to decommission the old CA - see http://support.microsoft.com/kb/889250

If there's anything specific you're worried about, please ask.
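The comparison step from the answer above (query each CA's database for still-valid certificates of one template, then diff the two lists), as an added PowerShell example that is not part of the original thread. The CA common names, the template name "Machine" and the certutil column names are assumptions; the config strings use the thread's inf02 and inf03 host names.

```powershell
# Added example: find requesters that still hold a valid certificate from the
# old 2000 CA (inf02) but none yet from the new 2008 R2 CA (inf03).
# Assumed placeholders: the CA common names and the template name "Machine".
$OldCA    = 'inf02\Contoso-INF02-CA'
$NewCA    = 'inf03\Contoso-INF03-CA'
$Template = 'Machine'

function Get-ActiveCertHolders {
    param([string]$Config, [string]$TemplateName)
    # certutil -view restrictions: Disposition 20 = issued, NotAfter>now drops
    # expired certificates, CertificateTemplate limits the query to one template.
    $raw = certutil -config $Config -view `
        -restrict "Disposition=20,NotAfter>now,CertificateTemplate=$TemplateName" `
        -out 'RequestID,RequesterName,NotAfter'
    $holders = @{}
    foreach ($line in $raw) {
        # Each row prints a line like:  Requester Name: "CONTOSO\WKS01$"
        if ($line -match '^\s*Requester Name:\s*"?([^"]+)"?') {
            $holders[$Matches[1]] = $true
        }
    }
    return @($holders.Keys)
}

$old = Get-ActiveCertHolders -Config $OldCA -TemplateName $Template
$new = Get-ActiveCertHolders -Config $NewCA -TemplateName $Template

# Holders with a valid cert from the old CA and nothing yet from the new one.
$pending = @($old | Where-Object { $new -notcontains $_ })

"Template '$Template': $($old.Count) active on $OldCA, $($new.Count) active on $NewCA"
"Still to migrate: $($pending.Count)"
$pending | Sort-Object
```

Run it from the 2008 R2 box with an account that can read both CA databases; an empty "Still to migrate" list is the signal that the template can be removed from the old CA.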
Well, I used to teach the Microsoft PKI Certification class and I also co-wrote a book on PKI...

Why are you going direct from 2000 to 2008 R2?
If you want to keep your certificates, might I suggest that you upgrade your PKI to Server 2003, then from server 2003 to 2008 R2.

From 2000 CA to 2003 CA

From 2003 to 2008
MOITExperts (Author) commented:

Thank you for your response.  

The current 2000 box that is hosting our Enterprise CA has only 1.6 GB free.  I'm not able to do an in place upgrade of 2000 to 2003.  

Also, it is our central threat management server.  The security admin is not able to move those services to another box, and the 2000 instructions state that the source CA must be renamed and removed from the network.

Also the second link you sent states that a 32 to 64 bit upgrade is not possible.  In the link below, MS states that 2008 R2 is 64 bit only, there is no OS upgrade path, the CA DB cannot be migrated.  Therefore a new CA will need to be created and the 2000 CA decommissioned.


Thanks for the comment!

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Question has a verified solution.
