2000 to 2008 R2 Certificate Authority Migration - Needs an CA Expert

Posted on 2011-10-17
Medium Priority
Last Modified: 2012-06-21
inf02 = 2000 CA
inf03 = 2008 R2 CA


I have a 2008 R2 AD at that level.  I understand that there is no migration path from 2000 to 2008 R2 because it would be a 32 to 64 bit change.  A 2008 R2 CA has been installed alongside a 2000 CA.  The goal is to direct new clients to the new 2008 R2 CA through manual and autoenrollment, and then decommission the 2000 CA.

On inf03 in Server Manager\AD Certificate Services\Enterprise PKI I see inf02 (v3.0) and the new CA is listed as inf03 (v0.0).  In AD Sites and Services\Services\Public Key Services, I see both CAs listed under AIA and CDP.  My certificate templates appear to show updated certificate template.  Certutil.exe -dump shows a certificate for both CAs when run from either the 2000 or 2008 R2 CA command prompt.

Before trying to move this forward and create an enrollment policy, I wanted to see if there is a CA Expert that has experience with this situation.


Question by: MOITExperts
LVL 15

Expert Comment

ID: 36982428
Well, I used to teach the Microsoft PKI Certification class and I also co-wrote a book on PKI...

Why are you going direct from 2000 to 2008 R2?
If you want to keep your certificates, might I suggest that you upgrade your PKI to Server 2003, then from server 2003 to 2008 R2.

From 2000 CA to 2003 CA

From 2003 to 2008

Author Comment

ID: 36985992

Thank you for your response.  

The current 2000 box that is hosting our Enterprise CA has only 1.6 GB free.  I'm not able to do an in place upgrade of 2000 to 2003.  

Also, it is our central threat management server.  The security admin is not able to move those services to another box, and the 2000 instructions state that the source CA must be renamed and removed from the network.

Also the second link you sent states that a 32 to 64 bit upgrade is not possible.  In the link below, MS states that 2008 R2 is 64 bit only, there is no OS upgrade path, the CA DB cannot be migrated.  Therefore a new CA will need to be created and the 2000 CA decommissioned.


Thanks for the comment!

LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 36995729
If your root was still on 2000 then it's probably getting about time to rekey anyways, which would mean a new root deployment regardless.  Upgrading a CA twice is just a lot of work, and although 32 to 64 bit is actually possible (contrary to much early mis-documentation), my recommendation is to start clean and do a gentle migration to the new CA rather than risk everything by upgrading the existing box and migrating the hardware.


Get your new CA up and running, create a test template and verify that everything is working right for autoenrollment, manual enrollment, etc. Once you feel comfortable, issue an existing template over to the new CA and then delete it from the old CA (read: delete from certsrv.msc - certificate templates... do not delete from certificate templates MMC certtmpl.msc).  If you have a lot of clients, you should see results automatically, if not then you can use the templates mmc to right-click the template and re-enroll all certificate holders if you want to force it.

When you're done, query the certificate database for the template you are using and filter the results for expiration date after right now.  Compare the results from both CAs; use a windiff program or use findstr in a batch file if it's messy.

Special note: pay attention to user encryption certificates (e.g. EFS or email encryption) to make sure you set up your new KRA and/or EFS DRA certificates early.  Also do the EFS certs separately from the machine certs since they directly involve people.  Set up a small pilot group to make sure everything goes smoothly (it should, but upgrading anything seems to cause an issue for somebody somewhere).

When you're confident everything is migrated over, then you are ready to decommission the old CA - see http://support.microsoft.com/kb/889250

If there's anything specific you're worried about, please ask.
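One way to do the "query both databases, keep only unexpired certs for the template, compare" check from the accepted solution, as an added PowerShell example that is not part of the original thread. The CA config strings (`inf02\OLD-CA-COMMON-NAME`, `inf03\NEW-CA-COMMON-NAME`) and the template value are placeholders to replace with what `certutil -dump` shows; `Get-IssuedCerts` is a helper written here, and the `-restrict`/`-out`/`csv` syntax is certutil's own `-view` syntax. It assumes the account running it can read both CA databases.

```powershell
# Added example, not from the original answer: list unexpired certificates issued
# for one template by the old (inf02) and new (inf03) CAs and report which
# requesters still only hold a certificate from the old CA.
param(
    [string]$OldCA    = 'inf02\OLD-CA-COMMON-NAME',   # placeholder: CA config string from certutil -dump
    [string]$NewCA    = 'inf03\NEW-CA-COMMON-NAME',   # placeholder
    [string]$Template = 'TEMPLATE-NAME-OR-OID'        # placeholder: v1 templates are stored by name, v2+ by OID
)

function Get-IssuedCerts {
    param([string]$Config, [string]$Template)
    # Disposition 20 = issued; "NotAfter>now" keeps only certificates that have not expired.
    $rows = & certutil.exe -config $Config -view `
        -restrict "Disposition=20,CertificateTemplate=$Template,NotAfter>now" `
        -out "RequestID,RequesterName,SerialNumber,NotAfter" csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed against $Config" }
    # certutil prints its own quoted header row first; supply fixed column names and skip it
    # so the comparison below does not depend on certutil's localized display names.
    $rows | ConvertFrom-Csv -Header 'RequestID','RequesterName','SerialNumber','NotAfter' |
        Select-Object -Skip 1
}

$old = @(Get-IssuedCerts -Config $OldCA -Template $Template)
$new = @(Get-IssuedCerts -Config $NewCA -Template $Template)

# Requesters present only on the old CA's side (SideIndicator '<=') have not re-enrolled yet.
$oldOnly = @(Compare-Object -ReferenceObject $old -DifferenceObject $new `
    -Property RequesterName -PassThru | Where-Object SideIndicator -eq '<=')

"Old CA {0}: {1} unexpired '{2}' certificate(s)" -f $OldCA, $old.Count, $Template
"New CA {0}: {1} unexpired '{2}' certificate(s)" -f $NewCA, $new.Count, $Template
"Requesters not yet re-enrolled on the new CA: {0}" -f $oldOnly.Count
$oldOnly | Select-Object RequestID, RequesterName, SerialNumber, NotAfter | Format-Table -AutoSize
```

Run it once after moving the template and again after the autoenrollment interval (or after forcing re-enrollment as described above); the "not yet re-enrolled" list should shrink to zero before the old CA is decommissioned. The `Compare-Object` step replaces the windiff/findstr comparison suggested in the answer.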
LVL 27

Expert Comment

ID: 37169440
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
