Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server

Often a certification authority lives significantly longer than the server on which it was installed. Reasons for migrating the certification authority to a new server, that is, moving it while keeping its certificate, key and database, can be:

  • Defect or end of life of the server hardware
  • End of life of the server operating system
  • Change of the server name

The procedure for migration is described in detail below.

Basics

The migration of a certification authority consists of the following steps:

  • Preparation of the new server
  • Installation of the certification authority certificates (including private key) on the new server
  • Put the certification authority on the old server into maintenance mode
  • Publish new certificate revocation lists
  • Emergency signing of the newly published certificate revocation lists
  • Create a backup of the certification authority on the old server
  • Decommission the old server
  • Restore the previously created backup of the certification authority to the new server
  • Perform function test
  • Take the certification authority out of maintenance mode

The individual steps are described in more detail later in the article.

Requirements

If the certification authority is designed prudently, it is not bound to the computer name of the server on which it was installed (its CDP and AIA paths, for example, do not reference the host name). The new server can then be given a new computer name without any problems. This variant also has the advantage that the new server can be prepared in advance, which significantly shortens the window of time during which the certification authority is not available.

Even if the certification authority is bound to the computer name, for example by an AIA or CDP path that points to the server name, the server name can still be changed. In that case the affected paths must be adjusted, and the old name should remain resolvable until the certificates already issued with the old paths have expired, because their CDP and AIA extensions still point to it.

Trip hazards


Preparation of the new server

The preparation of the server includes, among others:

  • Creating the virtual machine or commissioning the server hardware
  • Installing the operating system
  • Adding the new server to the domain
  • Installation of operating system updates and management software
  • Security hardening of the operating system installation

These steps are not described in detail here, as they are generally valid.

Installation of the certification authority certificates (including private key) on the new server

This step is part of the preparation of the server and can be very extensive under certain circumstances, for example if hardware security modules are used. In order not to lose any time during the migration of the certification authority, this step is therefore carried out in advance.

A description of the installation of the certification authority certificates can be found in the following articles:

Put the certification authority on the old server into maintenance mode

To ensure that the certification authority is in a consistent state during the migration, it must be prevented from continuing to accept certificate requests and issuing certificates to requesters. For this purpose, the certification authority is put into maintenance mode.

The procedure for putting a certification authority into maintenance mode is described in the article "Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode".

Publish new certificate revocation lists

In case the migration takes longer than planned, it is essential to generate current certificate revocation lists on the old server once more before the migration.

In general, the validity periods of the certificate revocation lists should be checked and, if necessary, increased before the migration. The procedure for configuring these validity periods is described in the article "Configuring the Certificate Revocation List Distribution Points (CDP) and the Authority Information Access (AIA) extension of a certification authority".

The procedure for publishing a certificate revocation list is described in the article "Create and publish a certificate revocation list".

Emergency signing of the newly published certificate revocation lists

Emergency signing of revocation lists means re-signing an existing certificate revocation list directly with the associated private key, giving it an extended expiration date. If something goes wrong during the migration, revocation checking continues to work until the problem has been solved.

A detailed description of how to perform emergency signing can be found in the article "Perform emergency signing of certificate revocation lists".
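The three preparatory steps above (checking the validity periods, publishing fresh revocation lists, and emergency signing) as one script for the old server. This is an added example, not the article's own script. It assumes an elevated session with the certification authority service running, CRLs published to the default CertEnroll folder, and a hypothetical staging folder C:\CAMigration\CRL.

```powershell
# Added example, not the article's own script: on the old server, check the CRL
# validity periods, publish fresh CRLs and prepare an emergency re-signed copy with
# an extended NextUpdate. Run elevated with the CA service running.
# Assumptions (not from the article): the CA publishes to the default CertEnroll
# folder; C:\CAMigration\CRL is a hypothetical staging folder.

$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName     = (Get-ItemProperty -Path $ConfigRoot).Active      # name of the active CA
$CaKey      = Join-Path $ConfigRoot $CaName
$CrlDir     = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$StageDir   = 'C:\CAMigration\CRL'
New-Item -ItemType Directory -Path $StageDir -Force | Out-Null

# 1. Validity periods as configured (unit string plus count, e.g. "Weeks" / 1).
#    A base CRL that expires during an overrunning migration breaks revocation
#    checking for every relying party, so extend these before migrating if needed.
$cfg = Get-ItemProperty -Path $CaKey
[pscustomobject]@{
    Base    = "$($cfg.CRLPeriodUnits) $($cfg.CRLPeriod)"
    Overlap = "$($cfg.CRLOverlapUnits) $($cfg.CRLOverlapPeriod)"
    Delta   = "$($cfg.CRLDeltaPeriodUnits) $($cfg.CRLDeltaPeriod)"
} | Format-List

# 2. Publish new base and delta CRLs and report the NextUpdate of each file.
certutil -crl | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'CRL publication failed' }
Get-ChildItem -Path $CrlDir -Filter '*.crl' | ForEach-Object {
    $next = (certutil -dump $_.FullName | Select-String -Pattern 'NextUpdate').Line.Trim()
    '{0}: {1}' -f $_.Name, $next
}

# 3. Emergency signing: re-sign the freshly published base CRL (delta CRLs carry a
#    trailing "+" in the file name) with the CA's private key and a validity of
#    30 days (+days:hours). certutil may show a dialog to pick the signing
#    certificate; choose the CA certificate. Keep the result aside and copy it to
#    the CDP locations only if the migration gets stuck, since it contains no
#    revocations recorded after this point.
$BaseCrl = Get-ChildItem -Path $CrlDir -Filter '*.crl' |
    Where-Object { $_.Name -notlike '*+.crl' } | Select-Object -First 1
$Emergency = Join-Path $StageDir ($BaseCrl.BaseName + '-emergency.crl')
certutil -sign $BaseCrl.FullName $Emergency +30:0
if ($LASTEXITCODE -ne 0) { throw 'Emergency signing failed' }
certutil -dump $Emergency | Select-String -Pattern 'ThisUpdate|NextUpdate'
```

The emergency CRL is only a fallback. Because it is signed with the CA key outside the CA service, the database knows nothing about it; as soon as the migrated certification authority publishes a regular CRL, the regular one replaces it.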

Create a backup of the certification authority on the old server

A detailed description of the individual steps can be found in the article "Create a backup of a certification authority".
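What such a backup should contain, as an added example script for the old server (not the article's own script). It assumes an elevated session after the certification authority has been put into maintenance mode, with the service still running, and a hypothetical empty target folder C:\CAMigration\Backup that is afterwards copied to a location that survives the decommissioning.

```powershell
# Added example, not the article's own script: consistent backup of the CA on the
# old server. Run elevated, after maintenance mode was enabled, with the CA service
# still running (the database backup goes through the CA's backup interface).
# Assumptions (not from the article): C:\CAMigration\Backup is a hypothetical path.
Import-Module ADCSAdministration   # ADCS role tools, Windows Server 2012 and later

$BackupDir = 'C:\CAMigration\Backup'
$RegKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path -Path $BackupDir) { throw "$BackupDir exists; use an empty target" }
New-Item -ItemType Directory -Path $BackupDir | Out-Null

# 1. Database and log files only. The private key is deliberately left out: it was
#    installed on the new server in advance (and cannot leave an HSM anyway).
Backup-CARoleService -Path $BackupDir -DatabaseOnly

# 2. Registry configuration of the CA: CDP/AIA paths, validity periods, CRL
#    settings, policy and exit module settings, the CA security descriptor.
reg.exe export $RegKey (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed' }

# 3. CAPolicy.inf (if one was used) and the list of templates the CA publishes.
#    The template list lives in the CA's enrollment services object in Active
#    Directory, which the new server takes over; it is kept here for comparison.
$CaPolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path -Path $CaPolicy) { Copy-Item -Path $CaPolicy -Destination $BackupDir }
certutil -catemplates | Out-File -FilePath (Join-Path $BackupDir 'templates.txt')

# 4. SHA-256 of every backed-up file, keyed by path relative to the backup root,
#    so the copy on the new server can be verified before anything is restored.
Get-ChildItem -Path $BackupDir -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        RelativePath = $_.FullName.Substring($BackupDir.Length).TrimStart('\')
        Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} | Export-Csv -Path (Join-Path $BackupDir 'hashes.csv') -NoTypeInformation
```

Treat the backup folder as sensitive even though it holds no private key: the database contains every issued certificate and request, and the registry export contains the CA's security descriptor.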

Decommission the old server

The old server is now shut down. The certification authority role is not uninstalled beforehand, because part of the configuration is stored in Active Directory and is taken over directly by the new server; uninstalling the role would remove the objects the certification authority registered there.

Restore the previously created backup of the certification authority to the new server

Restoring the certification authority from the backup consists of the following steps:

  • Install the Certification Authority role on the new server
  • Adjust the registry export from the certification authority backup and import the settings
  • Import the certification authority database from the backup

A detailed description of the individual steps can be found in the article "Restoring a certification authority from backup".

When switching from an older Windows Server version to Windows Server 2012 or newer, note that the procedure for forming the certificate serial number has changed (see the article "How is the serial number of a certificate formed?"). In this case, make a conscious decision whether to keep the old, potentially insecure value or to switch to the new default setting.
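The restore steps as one script for the new server, including the serial number check. This is an added example, not the article's own script. It assumes that the Certification Authority role binaries are installed, that the certification authority certificate and its private key are already present in the local machine store (the thumbprint is a placeholder), that the backup was copied to the hypothetical path C:\CAMigration\Backup and contains the database, the registry export and optionally a hashes.csv with RelativePath and Sha256 columns written alongside the backup, that the certification authority is an enterprise issuing CA, and that OLDCA01 is the hypothetical old host name.

```powershell
# Added example, not the article's own script: restore on the new server.
# Assumptions (not from the article): role binaries installed; CA certificate and
# key in LocalMachine\My (placeholder thumbprint); backup copied to the path
# below, optionally with a hashes.csv (RelativePath,Sha256); enterprise issuing
# CA; OLDCA01 is the hypothetical old host name.
Import-Module ADCSDeployment
Import-Module ADCSAdministration

$BackupDir  = 'C:\CAMigration\Backup'
$OldHost    = 'OLDCA01'
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder
$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# 1. Integrity of the copied backup, if a hash list was written with it.
$HashFile = Join-Path $BackupDir 'hashes.csv'
if (Test-Path -Path $HashFile) {
    $bad = Import-Csv -Path $HashFile | Where-Object {
        (Get-FileHash -Path (Join-Path $BackupDir $_.RelativePath) -Algorithm SHA256).Hash -ne $_.Sha256
    }
    if ($bad) { throw "Backup integrity check failed: $($bad.RelativePath -join ', ')" }
}

# 2. Install the CA with the existing certificate and key; no new key pair and no
#    new certificate are created. -OverwriteExistingCAinDS re-binds the enrollment
#    services object the old server left in Active Directory to this host.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CertificateID $Thumbprint -OverwriteExistingCAinDS -Force

# 3. Registry configuration: stop the service, replace the old host name, import.
#    Review the adjusted file before importing: with host-independent CDP/AIA
#    paths only CAServerName changes; if the paths pointed to the old host name,
#    CRLPublicationURLs and CACertPublicationURLs are rewritten by this replace
#    as well, and the DB*Directory values must match this server's drive layout.
Stop-Service -Name CertSvc
$RegFile  = Join-Path $BackupDir 'CertSvc-Configuration.reg'
$Adjusted = Join-Path $BackupDir 'CertSvc-Configuration-adjusted.reg'
(Get-Content -Path $RegFile) -replace [regex]::Escape($OldHost), $env:COMPUTERNAME |
    Set-Content -Path $Adjusted -Encoding Unicode
reg.exe import $Adjusted
if ($LASTEXITCODE -ne 0) { throw 'Registry import failed' }

# 4. Database from the backup; the service must be stopped for this.
Restore-CARoleService -Path $BackupDir -DatabaseOnly -Force

# 5. Serial number scheme: the import carried over the old CA's HighSerial value,
#    the setting behind the scheme described in the linked article. Decide
#    consciously whether to keep it before the CA issues its first certificate here.
$CaName     = (Get-ItemProperty -Path $ConfigRoot).Active
$HighSerial = (Get-ItemProperty -Path (Join-Path $ConfigRoot $CaName)).HighSerial
if ($null -eq $HighSerial) { 'HighSerial not set: the old CA never configured it' }
else { 'HighSerial = 0x{0:X8}' -f $HighSerial }

Start-Service -Name CertSvc
```

The host-name replacement is deliberately a plain text substitution so that every occurrence is visible in the adjusted .reg file; read it once before the import rather than trusting the substitution blindly.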

Adjusting connected services

If the new server is reachable under a different host name, any services connected to the certification authority must be reconfigured so that they connect to the new server. This includes:

Perform function test

A detailed description of the individual sub-steps can be found in the article "Perform functional test for a Certification Authority".
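An end-to-end function test of the restored certification authority, as an added example and not the article's own test plan. It assumes a hypothetical CA named "Contoso Issuing CA 1" on the new server, that the built-in WebServer template is published on it and that the elevated account running the test may still enroll for it while the certification authority is in maintenance mode, and a scratch folder C:\CAMigration\Test.

```powershell
# Added example, not the article's own test plan: function test of the migrated CA.
# Assumptions (not from the article): hypothetical CA name; the WebServer template
# is published and enrollable by this account; C:\CAMigration\Test is scratch space.
$Config  = "$env:COMPUTERNAME\Contoso Issuing CA 1"
$TestDir = 'C:\CAMigration\Test'
$CrlDir  = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$Subject = 'migration-test.corp.contoso.com'
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null

# Runs one native command and stops the test at the first failing step.
function Invoke-Step([string]$Name, [scriptblock]$Action) {
    & $Action | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Step failed: $Name" }
    "OK: $Name"
}

# 1. Service up and the RPC/DCOM request interface answering under the new host name.
if ((Get-Service -Name CertSvc).Status -ne 'Running') { throw 'CertSvc is not running' }
Invoke-Step 'ICertRequest ping' { certutil -config $Config -ping }

# 2. CA certificate chain builds, and the AIA/CDP URLs it carries are actually
#    reachable (-urlfetch downloads them instead of using the local cache).
$CaCert = Join-Path $TestDir 'ca.cer'
Invoke-Step 'Export CA certificate' { certutil -config $Config -ca.cert $CaCert }
Invoke-Step 'Chain and URL check'   { certutil -verify -urlfetch $CaCert }

# 3. Issue a certificate from a template: exercises database, key and AD lookups.
$Inf = Join-Path $TestDir 'test.inf'
$Req = Join-Path $TestDir 'test.req'
$Cer = Join-Path $TestDir 'test.cer'
@"
[NewRequest]
Subject = "CN=$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $Inf
Invoke-Step 'Create request' { certreq -new -q $Inf $Req }
Invoke-Step 'Submit request' { certreq -submit -q -config $Config $Req $Cer }

# 4. Revoke the test certificate (reason 5 = cessation of operation), publish a
#    CRL and confirm the serial number shows up in the base CRL on disk.
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Cer
Invoke-Step 'Revoke test certificate' { certutil -config $Config -revoke $Cert.SerialNumber 5 }
Invoke-Step 'Publish CRL'             { certutil -config $Config -crl }
$BaseCrl = Get-ChildItem -Path $CrlDir -Filter '*.crl' |
    Where-Object { $_.Name -notlike '*+.crl' } | Select-Object -First 1
if (-not (certutil -dump $BaseCrl.FullName | Select-String -SimpleMatch $Cert.SerialNumber)) {
    throw 'Revoked test certificate is missing from the base CRL'
}
"OK: revocation visible in $($BaseCrl.Name)"

# 5. Remove the pending-request entry the test left in the machine's REQUEST store.
certutil -delstore REQUEST $Subject | Out-Null
```

Read the output of the chain check rather than trusting the exit code alone: a CDP or AIA URL that still points at the old host name shows up there as a failed retrieval before any client notices.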

Take the certification authority out of maintenance mode

If the functional test was successful, the certification authority can be released again for issuing certificates to requesters.

For this purpose, the certification authority is taken out of maintenance mode. A description of how this is done can be found in the article "Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode".
