• Status: Solved

Upgrade Certificate Server From Microsoft Server from 2003 to 2008 R2

We are planning to upgrade our certificate server from 2003 to 2008 R2. We need to know the steps to upgrade the certificate server from 2003 to 2008 R2. We have two servers for certificates, online and offline. Both are virtual machines.
Sekar Chinnakannu
Asked:
 
Svet Paperov (IT Manager) Commented:
 
Sekar Chinnakannu (Senior Engineer, Author) Commented:
Excellent steps. Can you help me do this with a different server name and with redundancy? I have deployed two servers in the same network and need to configure the certificate server with redundancy. Also, our certificate servers are separate, not integrated with AD.
 
Svet Paperov (IT Manager) Commented:
If you want to keep the same CA, you have to keep the same computer names; there is no other option. Otherwise, it will be like a new CA.

For stand-alone servers, you just skip the steps of adding and removing the server from the domain.

 
Sekar Chinnakannu (Senior Engineer, Author) Commented:
So how about the data store files where all the details will be stored? When I configure redundancy, they need to be replicated, right? Also, if one server goes down, how will the other server fetch the certificate config? Also, please let me know the best practice to set up a standalone server. How about IP, because all new servers are going to be in a new data center with a new IP range?
 
Svet Paperov (IT Manager) Commented:
IP addresses: they can be different, no problems there.

About HA of the CA: sorry, cannot help.
 
Sekar Chinnakannu (Senior Engineer, Author) Commented:
How can I verify after completion of the CA upgrade?
 
Svet Paperov (IT Manager) Commented:
One way will be to compare the fields of the root certificate, especially the thumbprint.

For example, if you have a certificate issued by the old CA, open it and follow its certification path up to the top root CA. Take a note of the thumbprint and the serial number. Then, issue a new certificate from the new CA and do the same for it: follow the certification path up to the top root CA and compare its thumbprint with the previous one. They should be equal.
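The comparison described in the comment above can be scripted instead of done by hand in the certificate viewer. The following PowerShell is an added example, not part of the original thread; the two file paths are placeholders for a certificate issued before the upgrade and one issued after it, and `Get-ChainRoot` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Both paths are placeholders.
param(
    [string]$OldIssuedCert = 'C:\Temp\issued-before-upgrade.cer',
    [string]$NewIssuedCert = 'C:\Temp\issued-after-upgrade.cer'
)

function Get-ChainRoot {
    param([Parameter(Mandatory = $true)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is not checked here, so an unreachable CRL cannot stop the chain from being built.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)   # elements are populated even if trust validation fails

    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # Failure mode: issuer certificates missing locally, so the path stops before a self-signed root.
    if ($last.Subject -ne $last.Issuer) {
        throw "Incomplete chain for '$Path': stops at '$($last.Subject)', issued by '$($last.Issuer)'."
    }

    New-Object PSObject -Property @{
        Source = $Path; ChainLength = $chain.ChainElements.Count
        RootSubject = $last.Subject; RootSerial = $last.SerialNumber; RootThumbprint = $last.Thumbprint
    }
}

$old = Get-ChainRoot -Path $OldIssuedCert
$new = Get-ChainRoot -Path $NewIssuedCert
$old, $new | Format-List Source, ChainLength, RootSubject, RootSerial, RootThumbprint

# Same thumbprint and serial number means both paths end at the same root CA certificate.
if ($old.RootThumbprint -eq $new.RootThumbprint -and $old.RootSerial -eq $new.RootSerial) {
    Write-Output 'MATCH: both certificates chain to the same root CA certificate.'
} else {
    Write-Output 'MISMATCH: the certificates chain to different root CA certificates.'
}
```

If the script reports an incomplete chain, install the CA certificates in the local machine store on the computer running the check and run it again.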
 
Sekar Chinnakannu (Senior Engineer, Author) Commented:
Is there any risk involved with making this change, and if so, what are the risks and what effects can they have? For example, if the change does not work and the CA is down for an extended period of time, at what point does it start to affect production?
 
Svet Paperov (IT Manager) Commented:
It depends on where the list of revoked certificates (CRL) is published and, with a non-AD-integrated CA, how the root CA certificate is distributed.

On an AD-integrated Root CA there is a low risk from a relatively short (several hours) offline period, because the root CA certificate and the CRL are published in the AD.

With a stand-alone CA, if the CRL is published on a different server, there should not be a problem either. But if the CRL is on the CA, you must not leave it offline for a long time; otherwise some CRL verifications could fail.

The CRL Distribution Points (CDP) are listed on the Extensions tab.

May I ask: what is the purpose of this CA? Is it a Root CA or is it certified by another CA?

I would suggest the following book: Windows Server 2008 PKI and Certificate Security, http://www.microsoft.com/learning/en/us/book.aspx?id=9549&locale=en-us. It explains all you need to know about Windows Server CA.
 
Sekar Chinnakannu (Senior Engineer, Author) Commented:
Thanks