I was doing an upgrade of a Windows Server Certification Authority acting as a stand-alone Root CA from Windows 2008 R2 to Windows 2012 R2. The procedure is the same if you are upgrading from earlier Windows versions.
To do the upgrade, you have to do the following:
- Backup the old Root CA.
- Install Certificate Services in a new Windows 2012 R2.
- Restore the DB, Private Key, and the CertSvc registry key on the Windows 2012 R2 server.
- Perhaps decommission or destroy the old Root CA.
Back up the old Root CA
Let me say this. A Certification Authority service is nothing but three components:
- The Certification Authority private key.
- The Certification Authority database files (DB and log): this is where all issued and revoked certificate information resides.
- The Certification Authority configuration: this is where all CA settings are preserved, like the CA CDP and AIA locations. The whole configuration is stored in this registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc].
Certificate templates are stored in Active Directory under the Configuration partition, so there is no need to worry about them (and a stand-alone CA does not use templates anyway).
So let us start performing a full backup of the old CA server:
- Log on to your Root CA and open the Certification Authority console.
- Right-click the CA name and go to All Tasks > Back up CA...
- Tick both Private key and CA certificate and Certificate database and certificate database log. Choose a backup directory.
- You have to protect the exported private key with a password. Enter a strong password, click Next, and you are done.
- Now open the registry editor and export the following key: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc.
- It is also a good idea to back up the CAPolicy.inf file located in the C:\Windows directory, if it exists.
- Finally, make sure you document the state of the old Root CA, like:
- Server Name
- Drives layout
- Location of the folders where the CA database and logs are stored
- I also recommend taking a Full Server backup and a System State backup of the old Root CA server just in case. A System State backup is the best bet for restoring a CA server.
Note: A good way to document the configuration of the CA is the certutil -getreg command [check this article]. You can send the result to a text file by typing:
certutil -getreg > C:\oldCA_config.txt
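The backup steps above, scripted end to end as an added example (this is not from the original post). It uses certutil.exe and reg.exe rather than the ADCSAdministration cmdlets because the old server is 2008 R2, which does not ship them. The backup path D:\CABackup is a placeholder; run it in an elevated PowerShell on the old Root CA.

```powershell
# Added example: full backup of a stand-alone Root CA with certutil.exe and reg.exe.
# Assumptions: D:\CABackup is a placeholder path; run elevated on the old Root CA.
$BackupRoot = "D:\CABackup\$(Get-Date -Format yyyyMMdd)"
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Password that protects the exported PKCS#12 (.p12) file; prompt for it instead of hard-coding it
$secure = Read-Host -AsSecureString "Password to protect the exported CA private key"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Private key + CA certificate (<CAName>.p12) and database + log (DataBase\ sub-folder),
#    the same output the Back up CA wizard produces
certutil -p $plain -backup "$BackupRoot\CA"
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed" }

# 2. The whole CertSvc key: CDP/AIA URLs, CRL periods, audit filter, DB paths, ...
reg.exe export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc "$BackupRoot\CertSvc.reg" /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed" }

# 3. Human-readable dump of the same settings, to diff against the new server later
certutil -getreg | Out-File "$BackupRoot\oldCA_config.txt"
certutil -cainfo | Out-File "$BackupRoot\oldCA_cainfo.txt"

# 4. CAPolicy.inf, if the CA was installed with one
$caPolicy = Join-Path $env:SystemRoot "CAPolicy.inf"
if (Test-Path $caPolicy) { Copy-Item $caPolicy $BackupRoot }

# 5. Document server name, drive layout and the DB/log locations the restore must reproduce
$cfg   = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
$state = @("ComputerName: $env:COMPUTERNAME", "CA name: $($cfg.Active)")
$state += Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
          ForEach-Object { "Drive $($_.DeviceID) $([math]::Round($_.Size / 1GB)) GB" }
$state += "DBDirectory: $($cfg.DBDirectory)"
$state += "DBLogDirectory: $($cfg.DBLogDirectory)"
$state | Set-Content "$BackupRoot\oldCA_state.txt"

# 6. Sanity check: the .p12 must exist, then record SHA-256 hashes so the copy can be verified on the new server
if (-not (Get-ChildItem "$BackupRoot\CA\*.p12")) { throw "No .p12 exported; the private key was not backed up" }
$files = Get-ChildItem -Recurse $BackupRoot | Where-Object { -not $_.PSIsContainer }
$files | ForEach-Object { certutil -hashfile $_.FullName SHA256 } | Set-Content "$BackupRoot\SHA256SUMS.txt"
```

Two caveats worth knowing: certutil -p puts the password on the command line, so it is briefly visible in process listings (the wizard avoids that), and the resulting .p12 is your Root CA private key, so treat the backup folder with the same care as the CA itself (encrypted, offline, access-controlled).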
Restore Root CA to Windows 2012 R2
Install Windows 2012 R2 on a new server with the same name and drive layout, make sure it is fully patched, and then follow the steps below:
- If on the old Root CA you store the CA database in C:\DB and the CA DB logs in C:\Logs, make sure to create these folders in advance on the new Windows 2012 R2 server.
- It is recommended that the drive letters match. So if you have C and D drives on the old Root CA, make sure you have the same drives on the new Windows 2012 R2 server.
- Go to Server Manager and Click Add roles and features.
- Click Active Directory Certificate Services.
- Since this is a Root CA, only pick the Certification Authority role service. Complete the wizard till the end.
- Go to Server Manager again, click the flag icon that has a warning sign on it, and choose to Configure Active Directory Certificate Services... .
- Select Certification Authority for services to configure.
- In this step, choose Use existing private key, then import the .p12 file (CA certificate plus private key) from your backup of the old Root CA and enter the password you protected it with.
- In the Certificate Database location page, make sure to choose the same location the old Root CA has. Pre-create folders if you are using custom locations.
- Now we have installed the Root CA on a new server and the only thing we have restored is the CA Private key.
- Open the Certification Authority console. Right-click the CA name and choose All Tasks > Restore CA...
- Choose only Certificate database and certificate database log. There is no need to choose Private key and CA certificate, as this was restored during the installation.
Note: An important point here: if you click Browse and pick the folder named DataBase that the Backup wizard on the old Root CA generated, you will get an error. The restore wizard expects you to choose the folder that contains the DataBase sub-folder, not the DataBase folder itself.
- Finally, browse the registry to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc and export that key from the new server first, just in case you need to roll back.
- Then go to your backup, locate the .reg file you exported from the same location on the old Root CA, right-click it and click Merge.
- The registry key you have merged contains all the CA settings, including the CDP and AIA extensions. Restart the Active Directory Certificate Services service so the merged settings take effect. Just to make sure everything is fine, open the CA properties on the new Root CA and compare them with the old Root CA properties. Pay attention to the Extensions tab.
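The restore side of the procedure, scripted as an added example (again, not from the original post). It assumes the backup from the old CA was copied to D:\CABackup with the layout certutil -backup produces (CA\<CAName>.p12, CA\DataBase\, CertSvc.reg, oldCA_config.txt), and the C:\DB and C:\Logs locations used in the article; all of these are assumptions. Run it elevated on the new 2012 R2 server.

```powershell
# Added example: rebuild the stand-alone Root CA on Windows 2012 R2 from the backup taken on the old server.
# Assumptions: backup copied to D:\CABackup (CA\<CAName>.p12, CA\DataBase\, CertSvc.reg, oldCA_config.txt),
# database in C:\DB and logs in C:\Logs as on the old CA. Run elevated.
$Backup = "D:\CABackup"
$P12    = Get-ChildItem "$Backup\CA\*.p12" | Select-Object -First 1
$DbDir  = "C:\DB"
$LogDir = "C:\Logs"
if (-not $P12) { throw "No .p12 found in $Backup\CA" }

# Pre-create the custom DB/log folders before the role is configured
foreach ($d in $DbDir, $LogDir) { New-Item -ItemType Directory -Path $d -Force | Out-Null }

# 1. Install only the Certification Authority role service (no Web Enrollment etc. on a root CA)
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure it as a stand-alone root CA using the OLD certificate and private key from the .p12
$pw = Read-Host -AsSecureString "Password of $($P12.Name)"
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CertFile $P12.FullName -CertFilePassword $pw `
    -DatabaseDirectory $DbDir -LogDirectory $LogDir -Force

# 3. Restore database + log over the freshly created empty database.
#    Point certutil at the folder that CONTAINS the DataBase sub-folder, not at DataBase itself.
Stop-Service CertSvc
certutil -f -restoredb "$Backup\CA"
if ($LASTEXITCODE -ne 0) { throw "certutil -restoredb failed" }

# 4. Keep a copy of the new server's CertSvc key for rollback, then merge the old one and start the service
reg.exe export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc "$Backup\CertSvc.new-server.reg" /y
reg.exe import "$Backup\CertSvc.reg"
if ($LASTEXITCODE -ne 0) { throw "reg import failed" }
Start-Service CertSvc

# 5. Compare the effective configuration with the dump taken on the old CA
certutil -getreg | Out-File "$Backup\newCA_config.txt"
$diff = Compare-Object (Get-Content "$Backup\oldCA_config.txt") (Get-Content "$Backup\newCA_config.txt")
if ($diff) { $diff | Format-Table -AutoSize } else { "CertSvc configuration matches the old CA." }

# 6. Spot-check the extensions clients depend on, and that issued and revoked records are back
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
certutil -view -out "RequestID,RequesterName,NotAfter" | Select-Object -Last 5
certutil -view -restrict "Disposition=21" -out "RequestID,SerialNumber" | Select-Object -Last 5
```

The Compare-Object step is the scripted equivalent of opening the CA properties on both servers side by side; any line it reports is a setting that differs and needs a look before you publish a CRL from the new CA.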
Finally, I would use the Back up CA wizard on the new CA to back up the private key and database files, and I would also use Windows Backup to take a Full Server backup of the new CA just in case. Do not forget to reset the local administrator password and use a complex one instead.
As for the old CA, it is usually a virtual machine, so I would typically destroy the VM and that's it. Keep in mind that the old VM, its snapshots and any backups of it still hold a copy of the Root CA private key, so dispose of them accordingly.
I also want to recommend this YouTube video, which goes through the whole process.