PKI – CA Server Replacement

Use the following process to move Certificate Services from one server to another server:

  1. Create a manual backup of the CA database, or gain access to the last manual backup of the CA database.
  2. Create or gain access to a backup of the CA key pair. If using a software CSP, you can include the key pair in the manual backup; if the key is held in an HSM, the backup contains only the CA certificate and the key must be made available to the new server through the HSM vendor's procedure.
  3. In the Registry Editor, export the following registry key: HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName (where CAName is the common name of the CA). This key holds the CA's configuration (CRL and AIA publication URLs, validity periods, database paths, CSP and key container name, and the template list for an enterprise CA), none of which is included in the database backup.
  4. Uninstall Certificate Services and remove the CA computer account from the domain.
  5. Turn off the existing computer, and remove the computer from the network.
  6. Do not reinstall or wipe the computer's hard drive until the restoration to the new computer is verified.
  7. Build the replacement computer with the same disk partitioning as the original CA, so that the database and log paths stored in the exported registry key exist on the new machine. Ensure that the new computer is assigned the same NetBIOS name as the computer being replaced.
  8. If the DNS entries are static entries, ensure that the IP address information for the new computer is the same as used on the computer being replaced.
  9. If the computer is replacing an enterprise CA, join the new computer to the same domain as the computer being replaced.
  10. Ensure that you copy all configuration files for the replaced CA to the local disk of the replacement CA.
  11. Copy the original CAPolicy.inf file to the %windir% folder.
  12. Reinstall Certificate Services using the existing key pair saved in step 2 of this procedure. The CA type and common name must match the original.
  13. Restore the registry file saved in step 3 of this procedure, with the Certificate Services service stopped.
  14. Restore the manual backup of the CA database.
  15. Verify that Certificate Services starts successfully.
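The procedure above, as an added PowerShell example that is not part of the original post. It uses only the built-in certutil, reg and ADCS deployment cmdlets; the CA name CorpIssuingCA, the backup folder C:\CABackup, the CA type EnterpriseSubordinateCA and the PKCS#12 password are assumptions and must be replaced with the real values for the CA being moved.

```powershell
# Added example, not from the original post. Assumed values:
$CAName = 'CorpIssuingCA'            # common name of the CA; also the registry subkey name
$Backup = 'C:\CABackup'              # local backup folder, copied to the same path on the new CA
$CAType = 'EnterpriseSubordinateCA'  # must match the original CA (Enterprise/Standalone, Root/Subordinate)

# ===== On the OLD CA (steps 1-4) =====
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

# Steps 1 and 2: back up the database and, for a software CSP, the key pair and
# certificate in one pass. -p sets the password protecting the exported
# <CAName>.p12 file; the database lands in $Backup\DataBase.
certutil -p 'Use-A-Strong-Passphrase' -backup $Backup

# Step 3: export the CA configuration. The database backup does not include it.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName" "$Backup\CAConfig.reg" /y

# Step 10/11 preparation: keep CAPolicy.inf with the rest of the backup.
Copy-Item "$env:windir\CAPolicy.inf" $Backup -ErrorAction SilentlyContinue

# Step 4: remove the role and leave the domain (the AD objects for the CA stay).
Uninstall-AdcsCertificationAuthority -Force
Remove-WindowsFeature ADCS-Cert-Authority
Remove-Computer -UnjoinDomainCredential (Get-Credential) -Force -Restart

# ===== On the NEW CA, built with the same NetBIOS name and joined to the =====
# ===== same domain, with $Backup copied over (steps 10-15)               =====
Copy-Item "$Backup\CAPolicy.inf" "$env:windir\CAPolicy.inf"          # step 11

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Step 12: reinstall using the existing key pair from the backup.
$pfxPwd = Read-Host -AsSecureString 'Password of the backed-up .p12'
Install-AdcsCertificationAuthority -CAType $CAType `
    -CertFile "$Backup\$CAName.p12" -CertFilePassword $pfxPwd -Force

# Step 13: restore the configuration while the service is stopped, so that the
# running service cannot overwrite the imported values on shutdown.
Stop-Service certsvc
reg import "$Backup\CAConfig.reg"

# The imported key names the CSP and key container of the OLD server; confirm they
# match the key that setup just imported before starting the service.
certutil -getreg CA\CSP

# Step 14: overwrite the empty database created by setup with the backed-up one.
certutil -f -restoreDB $Backup

# Step 15: start and verify.
Start-Service certsvc
certutil -ping              # the CA answers RPC requests
certutil -getconfig         # reports <NetBIOSName>\<CAName>, which must equal the old config string
certutil -CAInfo name       # CA common name as the restored service sees it
```

Run the first block on the old server before it is turned off and the second on the replacement after it has been renamed and domain-joined. If `certutil -ping` fails after step 15, the usual cause is a mismatch between the CSP or key container name in the imported registry key and the key installed in step 12; fix it with `certutil -setreg CA\CSP\...` to the values reported for the new key rather than by re-running the install.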
