Migrating Exchange KMS to Windows Server 2003 CA

Applies to Exchange KMS and Windows Server 2003 CA

The following are the summary steps for migrating Exchange 2000 Server KMS to a Windows Server 2003 CA.
  1. If running Exchange 5.5 KMS, upgrade to Exchange 2000.
  2. Configure Windows Server 2003 CA for key archival.
  3. Ensure that the certificate is available for database migration.
  4. Enable the foreign certificate import option on the CA, if necessary.
  5. Export the Exchange KMS database.
  6. Import the Exchange database into the CA.
Important: Before migrating KMS to a Windows Server 2003 CA, consider the version 1 Certificate Revocation List (CRL) that the Exchange KMS publishes for Outlook clients in the Exchange Global Address List (GAL). Once KMS is migrated to a Windows Server 2003 CA, the version 1 certificates can no longer be revoked. It is therefore recommended that a KMS migration is only performed when all version 1 certificates have expired and/or are no longer being issued by KMS. If X.509 version 3 certificates are being issued by KMS with a Windows 2000 CA, the existing CA will need to be maintained to publish CRL(s) until all the original certificates issued by KMS have expired.


Creating an Export Certificate

When a KMS migration to a Windows Server 2003 CA is performed, the export file from the KMS must be encrypted with a public key certificate and then subsequently decrypted by the Windows Server 2003 CA. The CA may or may not have an encryption certificate available to be used for this process. It is absolutely critical that an encryption certificate and private key be installed in the machine store (local machine) of the CA to facilitate KMS migration. Since the process runs as SYSTEM, any encryption certificate and private key available in the machine store may be used. To view the certificates installed in the local machine store, open the Certificates MMC console for the local machine and view the certificates under the Personal store. A Secure Sockets Layer (SSL) or machine authentication certificate will suffice for use in this scenario. The certificate corresponding to the private key that will be used should be manually exported and made available during the KMS migration process. For more information about certificate enrollment and exporting certificates, see the Windows Server 2003 help files. If importing a certificate and key to be used by the CA (*.pfx file), ensure that the certificate is marked for export when importing into the CA. Otherwise, the CA may not be able to use the key and certificate for key import purposes.
  • Important: The export certificate used by the KMS should not have a key size greater than 1024 bits because this may cause errors on import to the Windows Server 2003 CA.
  • Important: Windows Server 2003 always has an Exchange certificate (encryption certificate) available for the purpose of key archival. Do not attempt to use this certificate for the purpose of migrating the KMS database because it will not be usable by the CA for this purpose.
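The following Windows PowerShell script is an added example, not part of the original article. It applies the checks described above on the CA: it lists the certificates in the local machine Personal store that have a private key, excludes keys larger than 1024 bits and the CA's own key-archival (Exchange) certificate, exports the chosen certificate without its private key to a .cer file for the KMS Export Users wizard, and prints the first eight characters of its thumbprint, which the wizard asks for when validating the encryption certificate. The output path and the assumption that the CA Exchange certificate carries "-Xchg" in its subject are assumptions of the example.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell running
# elevated on the Windows Server 2003 CA; $ExportPath is an assumed location.
$ExportPath = 'C:\KMSMigration\kms-export-cert.cer'

function Test-KeyEncipherment {
    # True when the certificate either has no Key Usage extension (no restriction) or
    # its Key Usage includes KeyEncipherment; signature-only keys cannot open the lock box.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) { return $true }
    $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    return (($ku.KeyUsages -band $flag) -ne 0)
}

function Get-KmsExportCandidate {
    # Enumerate LocalMachine\My: the process runs as SYSTEM, so any private key here is usable.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $store.Certificates | Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            $_.PublicKey.Key.KeySize -le 1024 -and          # larger keys may fail on import
            $_.Subject -notmatch '-Xchg' -and               # CA Exchange (key archival) cert, assumed naming
            (Test-KeyEncipherment -Certificate $_)
        }
    } finally {
        $store.Close()
    }
}

function Export-KmsExportCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Path
    )
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # DER-encoded public certificate only; the private key stays in the machine store.
    $bytes = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    [pscustomobject]@{
        Subject         = $Certificate.Subject
        KeySize         = $Certificate.PublicKey.Key.KeySize
        ThumbprintStart = $Certificate.Thumbprint.Substring(0, 8)   # value the KMS wizard asks for
        Path            = $Path
    }
}

$candidates = @(Get-KmsExportCandidate)
if ($candidates.Count -eq 0) {
    throw 'No encryption certificate with a private key of at most 1024 bits in LocalMachine\My; enroll one (e.g. an SSL or machine certificate) before migrating.'
}
$candidates | Format-Table Subject, NotAfter, @{ n = 'KeySize'; e = { $_.PublicKey.Key.KeySize } } -AutoSize
# Export the first candidate; pick a different index after reviewing the table if needed.
Export-KmsExportCertificate -Certificate $candidates[0] -Path $ExportPath
```

Copy the resulting .cer file to the KMS server; the private key is never written to disk, which is what makes the export file readable only by this CA.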


Enabling Foreign Certificates Import

If the KMS contains X.509 version 1 certificates and private keys, and/or the KMS was not configured to use the same CA with Windows 2000, the foreign certificate import option must be enabled on the Windows Server 2003 CA.


Foreign Certificate Import

By default, a CA does not allow certificates (or keys) that were issued by another CA to be imported into its database. A CA must be explicitly enabled to accept certificates and keys issued by a foreign CA. (An Exchange 5.5 KMS issuing version 1 certificates is also considered a foreign CA.) To enable foreign certificate import on the CA

  1. Run the following command in a command-prompt window on the CA.
     certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN
  2. Once that has completed, restart the Certificate Services service.

Important: When foreign certificates are being imported on a CA, the -f switch must be used with certutil to inform the CA that the keys and certificates will be foreign. The command line would be as follows:
Certutil.exe -f -importKMS [name of import file]
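As an added example (not from the original article), the following Windows PowerShell function performs the two steps above and verifies the result: it records the current KRAFlags value, applies the certutil command from this section, restarts Certificate Services (service name CertSvc), and then reads KRAFlags back. The verification assumes, as certutil does for known flag values, that certutil -getreg prints the symbolic name KRAF_ENABLEFOREIGN alongside the numeric value. Run it elevated on the CA.

```powershell
# Added example (not from the original article). Assumes elevated Windows PowerShell on the CA.
function Enable-ForeignCertificateImport {
    # Record the current value so the change can be reviewed and reverted later.
    $before = certutil -getreg ca\KRAFlags
    Write-Host "KRAFlags before:`n$($before -join "`n")"

    # Step 1: set the flag (the command given in the article).
    certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg failed with exit code $LASTEXITCODE"
    }

    # Step 2: the CA reads KRAFlags at start-up, so restart Certificate Services.
    Restart-Service -Name CertSvc
    (Get-Service -Name CertSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

    # Verify: certutil -getreg decodes known flag bits into their symbolic names (assumed output format).
    $after = certutil -getreg ca\KRAFlags
    if (-not ($after -match 'KRAF_ENABLEFOREIGN')) {
        throw "KRAF_ENABLEFOREIGN is not set after restart:`n$($after -join "`n")"
    }
    Write-Host 'Foreign certificate import is enabled; the CA will accept certutil -f -importKMS.'
}

Enable-ForeignCertificateImport
```

Because the flag widens what the CA database will accept, revert it with certutil -setreg ca\KRAFlags -KRAF_ENABLEFOREIGN (and another service restart) once the migration is complete if the CA will not need to import foreign certificates again.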


Exporting Users’ Keys from Exchange 2000 KMS

Important: Before an export of data from the KMS occurs, a full backup of the KMS should be performed and validated before continuing. An export of data from a KMS is destructive and will remove the keys from the KMS database.
Important: If the KMS or the CA is online when the export occurs, the KMS will attempt to revoke all version 3 certificates that are exported. If this occurs, it is important to re-enroll all users immediately with the Windows Server 2003 CA to allow continued S/MIME encryption operations. Otherwise, take the CA offline, so the KMS export operation will not revoke the existing certificates.

To perform the export operation on the KMS
  1. Start the Exchange System Manager.
  2. Point to the Advanced Security node, right-click Key Manager, click All Tasks, and then click Export Users.
  3. In the Key Management Service password box, type the password (the default password for KMS is “password”), and then click OK.
  4. The Exchange KMS Key Export Wizard will start. Click Next.
  5. Click Browse to select the Certificate that will be used to encrypt the export file. This is the certificate file created in the previous section.
  6. Browse for the certificate that will be used to encrypt the export file to the CA. This is the certificate created in the previous section. Click Open.
  7. On the Encryption Certificate screen, click Next.
  8. When the Encryption Certificate screen appears, use Windows Explorer to find and open the certificate that you chose from the screen in step 6. You will need to validate this certificate with the Exchange KMS Key Export Wizard.
  9. Copy the first eight characters from the Certificate thumbprint field in the certificate chosen to encrypt the KMS export file.
  10. Type the first eight characters of the certificate thumbprint in the Thumbprint field, and then click Next.
  11. Type the name of the export file. Do not type the path, only the file name. It will be saved in the following location by default. This is based on the default installation for Exchange, which is typically C:\program files\exchsrvr\KMSDATA. This file will not have an extension.
  12. Click Next.
  13. You may select an alphabetic list of users or select by mailbox store, server, or administrative group.
  14. In this case, select all of the administrative groups, and then click Next.
  15. To start the Export process after selecting the users or administrative group(s), click Next. The records will be exported—on average, approximately 100 records per minute. The actual performance will vary depending on the hardware configuration.
  16. When complete, click Next.
  17. The results will be displayed. Click Finish. Note: If large numbers of users are exported, KMS may generate multiple export files and split the exported keys across the multiple files. In this case, all export files should be re-imported to the new CA. The export file will be located in the following folder, typically C:\program files\exchsrvr\KMSDATA.
  18. Copy the KMS export file to the server that will accept the import file.

Importing Users’ Keys

The Windows Server 2003 CA allows not only key archival, but also certificate and key importation into the CA database. Certificate and key importation is important in providing migration services for Exchange KMS, as well as for providing migration and escrow operations for certificates that were enrolled using a third-party CA. The Windows Server 2003 CA supports both certificate import and key import. Certificate import does not require that key archival be enabled on the CA, but key import does. To import users’ keys
  1. Log on as the CA Administrator.
  2. Open a command prompt window.
  3. Change to a directory containing the KMS import file.
  4. Run the following command: CertUtil.exe -f -importkms <name of export file>
The output will indicate the status of the import process and the number of user keys imported and archived to the CA. The number of imported user keys should match the output from the KMS. The following is a sample successful output.
Processing KMS exports from:
    O=microsoft,C=US
 
KMS export file signature verifies  
Lock box opened, symmetric key successfully decrypted
..................................
 
Users: 6  
 
Ignored signature certificates: 25  
Certificates with keys: 17  
Foreign certificates imported: 17  
Certificates imported: 17  
 
Keys: 17
Keys archived: 17
CertUtil: -ImportKMS command completed successfully.
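The following Windows PowerShell script is an added example, not part of the original article. It runs the import command from step 4 against every KMS export file in a folder (KMS may split a large export across several files) and checks each certutil result the way an administrator would read the sample output above: the signature line and the completion line must be present, every key must be archived, and every certificate that carried a key must be imported. The Users counts of all files are summed and compared with the total the KMS wizard reported. The folder path and the expected user total are assumptions; the sample text used to exercise the parser is constructed from the article's own sample output.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell on the CA,
# logged on as the CA Administrator, with key archival and (if needed) foreign import enabled.
function Test-KmsImportOutput {
    # Parse certutil -importkms output into counts and a list of problems.
    param([string[]]$Lines)
    $counts = @{}
    foreach ($line in $Lines) {
        # Summary lines have the form "Label: N".
        if ($line -match '^\s*(Users|Ignored signature certificates|Certificates with keys|Foreign certificates imported|Certificates imported|Keys|Keys archived):\s*(\d+)\s*$') {
            $counts[$matches[1]] = [int]$matches[2]
        }
    }
    $problems = @()
    if (-not ($Lines -match 'export file signature verifies')) { $problems += 'export file signature did not verify' }
    if (-not ($Lines -match 'ImportKMS command completed successfully')) { $problems += 'certutil did not report success' }
    foreach ($required in 'Users', 'Certificates with keys', 'Certificates imported', 'Keys', 'Keys archived') {
        if (-not $counts.ContainsKey($required)) { $problems += "summary line '$required' missing" }
    }
    if ($problems.Count -eq 0) {
        # Every key in the file must be archived, and every certificate with a key must be imported.
        if ($counts['Keys archived'] -ne $counts['Keys']) {
            $problems += "Keys archived ($($counts['Keys archived'])) does not match Keys ($($counts['Keys']))"
        }
        if ($counts['Certificates imported'] -ne $counts['Certificates with keys']) {
            $problems += "Certificates imported ($($counts['Certificates imported'])) does not match Certificates with keys ($($counts['Certificates with keys']))"
        }
    }
    [pscustomobject]@{ Counts = $counts; Problems = $problems; Succeeded = ($problems.Count -eq 0) }
}

function Import-KmsExportFiles {
    # Import every export file in $Folder and compare the summed Users count with the KMS wizard total.
    param([string]$Folder, [int]$ExpectedUsers)
    $totalUsers = 0
    $results = Get-ChildItem -Path $Folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $output = certutil -f -importkms $_.FullName 2>&1 | ForEach-Object { "$_" }
        $r = Test-KmsImportOutput -Lines $output
        if ($r.Counts.ContainsKey('Users')) { $totalUsers += $r.Counts['Users'] }
        [pscustomobject]@{
            File         = $_.Name
            Succeeded    = $r.Succeeded
            KeysArchived = $r.Counts['Keys archived']
            Problems     = ($r.Problems -join '; ')
        }
    }
    $results | Format-Table -AutoSize
    if ($totalUsers -ne $ExpectedUsers) {
        Write-Warning "Imported users across all files: $totalUsers; the KMS export wizard reported $ExpectedUsers."
    }
    return $results
}

# Constructed sample (copied from the article's successful output) to exercise the parser offline.
$sample = @'
Processing KMS exports from:
    O=microsoft,C=US

KMS export file signature verifies
Lock box opened, symmetric key successfully decrypted
..................................

Users: 6

Ignored signature certificates: 25
Certificates with keys: 17
Foreign certificates imported: 17
Certificates imported: 17

Keys: 17
Keys archived: 17
CertUtil: -ImportKMS command completed successfully.
'@ -split "`r?`n"
$check = Test-KmsImportOutput -Lines $sample
"Sample parses as success: $($check.Succeeded); problems: $($check.Problems -join '; ')"

# Real run (paths and the expected total are assumptions; take the total from the KMS wizard results).
# Import-KmsExportFiles -Folder 'C:\KMSMigration\exports' -ExpectedUsers 6
```

A file whose Keys archived count is lower than its Keys count should be treated as a failed migration for the affected users: their private keys were removed from the KMS by the destructive export, so the backup taken before the export is the only remaining copy.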