Move Certificate Authority to another Windows 2000 Server
Takeaway: At some point when working with Windows 2000 Server you may find that you need to install your Certificate Authority (CA) on a different computer. Jim Boyce explains how to prepare both the old and the new server for the CA transfer.
When you install Certificate Authority (CA) on a server, you normally do everything to protect this server and the data it's storing. If you ever need to move the CA with all the data to another Windows 2000 Server computer, here's how to do it.
Perform these steps on the old computer currently running CA:
- In a central location, create a backup of the old machine, the CA cryptographic keys, and database. You can do this by running the CA console, selecting the computer name, and then selecting Backup CA in the Action menu under All Tasks.
- When the wizard asks you which items to back up, select Private Key, CA Certificate, Issued Certificate Log, and Pending Certificate Request Queue.
- After the wizard completes, you'll get a file with a .p12 extension and a folder named DataBase.
- Back up the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_Name>. Replace <CA_Name> with your CA's name.
- Run Cmd.exe to open the Command Prompt, type "certutil -shutdown" to stop Certificate Services, then type "certutil -key" to list all the keys installed on the server. You'll notice one with the name of your CA server.
- Type "certutil -delkey <CA_Name>" to delete the key with the name of your CA server. (If the key name includes spaces, enclose it in quotes.)
- Uninstall the Certificate Services.
- Since the new computer must have the same name as the old one, you must either remove the old computer from the network, or rename it.
On the new computer, follow these steps:
- Copy the cryptographic key and the database from the old computer to the new one. (Make sure the new computer has the same name as the old one.)
- Install the Certificate Services on the new computer through Add/Remove Programs in the Control Panel. Select the Advanced Install option on the Certificate Authority Type screen.
- On the next screen, click Import and browse for the key you exported on the old computer. The file has a .p12 extension.
- During setup, make sure you specify the same log and database paths as on the old computer.
- After the installation completes, start the Certificate Authority console and restore the database: select the computer name, then, in the Action menu under All Tasks, click Restore CA.
- Restore the backed up registry key.
Remember: Before you can move the CA and the key database to another computer, you must give the new computer the same computer name as the old one, and the log and database file paths must be the same.
Reminder: Before making any registry edit, be sure to first back up the registry so that you can restore it if something goes wrong.
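As an added example (not part of Jim Boyce's column), the Python script below checks the two preconditions stated above before you click Restore CA: it parses REGEDIT4-style exports of the CertSvc Configuration key taken on the old and the new computer and reports any difference in the computer name or in the database and log directories. It assumes that key holds the string values CAServerName, DBDirectory and DBLogDirectory; the two exports shown are constructed samples, not real servers.

```python
"""Pre-restore check for a CA move: same computer name, same DB and log paths.
Input is a REGEDIT4 export (regedit /e) of the CertSvc\\Configuration\\<CA_Name> key."""
import re

# Constructed sample exports. OLD_EXPORT is taken on the source computer,
# NEW_EXPORT after installing Certificate Services on the replacement.
OLD_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Example CA]
"CAServerName"="CASRV01"
"DBDirectory"="C:\\WINNT\\System32\\CertLog"
"DBLogDirectory"="C:\\WINNT\\System32\\CertLog"
'''

NEW_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Example CA]
"CAServerName"="CASRV01"
"DBDirectory"="D:\\CertLog"
"DBLogDirectory"="C:\\WINNT\\System32\\CertLog"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Values that must be identical on both machines for Restore CA to work (assumed value names).
MUST_MATCH = ("CAServerName", "DBDirectory", "DBLogDirectory")


def parse_reg(text):
    """Return {value_name: value} for string values, undoing REGEDIT4 \\ and \" escaping."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            name, raw = m.groups()
            values[name] = raw.replace(r'\"', '"').replace("\\\\", "\\")
    return values


def check_move(old_text, new_text, new_computer_name):
    """Return a list of problems; an empty list means the move preconditions hold."""
    old, new = parse_reg(old_text), parse_reg(new_text)
    problems = []
    # The replacement machine must carry the computer name the CA was issued under.
    if old.get("CAServerName", "").lower() != new_computer_name.lower():
        problems.append(f"new computer is {new_computer_name!r}, CA expects {old.get('CAServerName')!r}")
    for name in MUST_MATCH:
        if old.get(name) != new.get(name):
            problems.append(f"{name}: old={old.get(name)!r} new={new.get(name)!r}")
    return problems
```

Run it against the two exports before restoring; any line it prints is a path or name to fix on the new computer first.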