How to migrate internal certificate authority to another server

My current domain functional level is 2003.
I would like to raise it to 2008, but I need to retire a domain controller running Windows Server 2003.
This wouldn't be too difficult except this domain controller is running Active Directory Certificate Services, which I don't have any experience with.

I would like to migrate the certificate authority to a single server running Windows Server 2012 R2, which is NOT a domain controller.

1. Is it possible to use Windows Server 2012 R2 as your certificate authority when your domain functional level is 2003?
2. Does the new certificate authority need to be a domain controller?
3. I've read that migration is possible using backup and restore, but you need to make sure the enterprise root certificate name is the same on the destination computer.  I ran certutil.exe from the command prompt and it generated 3 entries.  How do I know which one is the proper root certificate name?  One of the entries says (Local) and is the only one pingable.

Answers to these questions would be greatly appreciated, and if you have any step-by-step instructions they would be helpful as well.

Thank you
Asked by: Ryan Mignosa, Systems Engineer

David Johnson, CD, MVP (Owner) commented:
1. Is it possible to use Windows Server 2012 R2 as your certificate authority when your domain functional level is 2003?
DFL doesn't matter.

2. Does the new certificate authority need to be a domain controller?
It should not be installed on a domain controller.
certutil -backup <BackupDirectory> to back up
certutil -restore <backupdirectory>

Suggest you go to a structured CA -- a root CA that is offline only generates certificates for a subordinate CA. Create this in a VM and put the VM on a flash drive and store it in the company safe.
Use the subordinate CA for everything.
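
A fuller version of the backup step in the answer above, as an added example that is not part of the original answer: besides `certutil -backup` it also saves the CA's registry configuration and the list of published templates, which the database backup does not include. The directory `C:\CABackup` is an assumed path, and the script assumes PowerShell is installed on the old server (the same `certutil` and `reg` commands also run from cmd.exe).

```powershell
# Added example. Run in an elevated session on the old CA server.
# $BackupDir is a hypothetical path. Restrict access to it: the backup
# contains the CA private key in a password-protected .p12 file.
$BackupDir = 'C:\CABackup'
$ConfigKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# certutil -backup expects an empty target directory, so refuse to reuse one.
if (Test-Path $BackupDir) {
    if (Get-ChildItem $BackupDir) {
        throw "$BackupDir already contains files; choose an empty directory."
    }
} else {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# 1. CA database plus CA certificate and private key.
#    certutil prompts for the password that protects the .p12 file.
certutil -backup $BackupDir
if ($LASTEXITCODE -ne 0) {
    throw "certutil -backup failed with exit code $LASTEXITCODE"
}

# 2. CA registry configuration (CRL and AIA publication settings,
#    validity periods and similar), which is not in the database backup.
reg export $ConfigKey (Join-Path $BackupDir 'CertSvc-Configuration.reg')
if ($LASTEXITCODE -ne 0) {
    throw "reg export failed with exit code $LASTEXITCODE"
}

# 3. Templates this CA currently issues. The assignment lives in Active
#    Directory, so keep the list to publish the same templates again later.
certutil -catemplates | Out-File (Join-Path $BackupDir 'CATemplates.txt')

# 4. Show what was written so the backup can be checked before the old
#    server is touched.
Get-ChildItem -Recurse $BackupDir | Select-Object FullName, Length
```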

Guy Lidbetter commented:
Hi there Ryan,

Although PKI seems convoluted, it's actually quite simple, and migrating to a new PKI structure isn't that difficult.

As David already gave the answers needed above, I'll go on about how to best do this...

There are a few differences between a 2003 CA and a 2012 PKI, and moving to a proper 2012 PKI is definitely the way to go to be future proof, especially in light of recent algorithm changes (i.e. SHA1 deprecation - google it for more info).

My own suggestion would be to build a parallel PKI structure alongside what you currently have, once running and tested, fully decomm the old one. No need for migration etc... any issued certificates will remain valid until such time as they expire, regardless if the old CA is online or gone... but in saying that, part of best practice when removing a CA is to revoke any issued certificates and publish the CRL (Certificate Revocation List), then get them to get their new certs from the new CA.

My suggestion, as David suggested above, is to have an offline root CA, which you only bring online on a scheduled basis to renew the ROOT certificate. The period of validity and encryption level can be anything you want really, the heavier the encryption the longer you can have it offline. (PS offline Root CA is non domain joined, and literally switched off... we use a shutdown VM, the last place I worked used an old laptop in a safe.)

All the certificate stuff will be handled by an online, domain joined SUB CA acting as an intermediary certificate authority.

Right... now fire away with all the questions I know you have....


Ryan Mignosa, Systems Engineer (Author) commented:
Guy and David,

Thank you very much for taking the time to answer my questions.  I spent a fair amount of time yesterday doing research before responding, which is what caused my delay in replying.

I really like the idea of bringing up a new CA side by side with the old.  This is because the old CA is also a domain controller with the infrastructure master FSMO role, a secondary DNS server for the domain, and DHCP server.  I just started with this company so I'm not responsible for the current setup or have any history as to why things were done this way.  The main reason for this project is to start distributing SHA-2 certificates and retire another 2003 server.

Question #1:  What factors would determine whether you do a CA migration or parallel build?  Before the 2nd recommendation I was planning on following this document for the cutover: Guy, do you have any documentation to go along with your recommended solution?

I was building these questions before Guy's response:

Question #2:  How can I confirm that I'm working with the Enterprise Root, Standalone, or subordinate CA?  Like I said, I'm new to the company and I don't have any history.  I need to make sure I'm working with the Root certificate authority and that no one has stashed the Root in a safe somewhere.

Question 3:  All the documentation I've read says you need to migrate the CA and in this process you need to ensure you maintain the CA name.  I thought this was an internal name to CA, but after reading yesterday this appears to simply be the name of the server.  Is this correct and thus the reason you must uninstall certificate services and remove the original server from the domain before you configure the new server?

Question 4:  How can I find the name of the enterprise root certificate authority?  This question I had before I figured out that this is likely the name of the server.  I ran certutil.exe and produced 3 entries:  Entry 0 is the name of my company, Entry 1 is the name of my domain, and Entry 2 (local) is the name of the server I'm trying to decommission.  Furthermore I opened ADSI Edit, went to CN=Services, CN=Public Key Services, CN=Certification Authorities and found these entries:

CN=domain name
CN=old CA server name
CN=company name

Question 5:  Up until today I've been running the Certificate Authority (local) app to review the environment and certificates.  This was concerning because I didn't see as many templates as I did in ADSI Edit.  Today I found PKI Management and things look a lot more like I'd expect, such as a full template list, certificates using the Root Certification Authority template and issued by the server I'm working on.  If I end up doing a migration and I back up the CA using the CA app, will it capture everything I'm seeing in the Public Key Management app?

Question 6:  Testing and Certificates:  What are recommended testing procedures whether I migrate or side by side transition? I have the following certificate types that I'll need to reissue as SHA-2:

Root certificates
Cross Certificates
Web Server
Domain controller

Do I need to revoke the certs on the old server before reissuing on the new server?  Could you explain the process of reissuing certificates using SHA-2?
David Johnson, CD, MVP (Owner) commented:
How can I confirm that I'm working with the Enterprise Root, Standalone, or subordinate CA?
If you open a certificate and go to the certificate path you will see that info.
digicert -> subordinate ->  certificate
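
The same check can be scripted on the CA server itself. The following is an added example, not part of the original answer: it reads the configured CA name and CA type from the Certificate Services registry key, then loads the CA certificate to show whether it is self-signed (a root) and which signature algorithm it uses. The output file name under `$env:TEMP` is an assumption, and the host name is printed beside the CA name because the two are stored separately.

```powershell
# Added example. Run in an elevated session on the server hosting the CA.
$ConfigPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# "Active" holds the name of the CA configured on this server; it is also
# the name of the subkey that stores that CA's settings.
$CaName = (Get-ItemProperty -Path $ConfigPath).Active
if (-not $CaName) { throw 'No active CA configuration found on this server.' }
$Ca = Get-ItemProperty -Path (Join-Path $ConfigPath $CaName)

# CAType values used by Certificate Services.
$CaTypes = @{
    0 = 'Enterprise Root CA'
    1 = 'Enterprise Subordinate CA'
    3 = 'Standalone Root CA'
    4 = 'Standalone Subordinate CA'
}
$CaType = $CaTypes[[int]$Ca.CAType]
if (-not $CaType) { $CaType = "Unknown ($($Ca.CAType))" }

# Export the CA's own certificate (public part only) and inspect it.
# $CertFile is a hypothetical scratch location.
$CertFile = Join-Path $env:TEMP 'ca-cert.cer'
certutil -f -ca.cert $CertFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed: $LASTEXITCODE" }
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile

# A root CA certificate is self-signed: subject and issuer are identical.
# A subordinate CA certificate names its parent CA as issuer.
New-Object PSObject -Property @{
    ServerName         = $env:COMPUTERNAME
    CAName             = $CaName
    CAType             = $CaType
    Subject            = $Cert.Subject
    Issuer             = $Cert.Issuer
    SelfSigned         = ($Cert.Subject -eq $Cert.Issuer)
    SignatureAlgorithm = $Cert.SignatureAlgorithm.FriendlyName
    NotAfter           = $Cert.NotAfter
} | Format-List
```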