Certificate Authorities Upgrade

To upgrade the Certificate Authorities from Windows Server 2003 to Windows Server 2008, the easiest way is to follow these steps.

  1. Install IIS on Windows Server 2008.


  3. Perform a CA Backup (CA Database, Certificate Keys)

  4. Perform a Backup of the CA Configuration

    1. reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration <output file>


  5. Record the configured certificate manager restrictions
  6. Verify the Issue and Manage Certificates permissions

  7. Uninstall Certificate Services

  8. Change Server Name (Source Server)

  9. Rename the Windows Server 2008 computer to the old CA host name.

  10. Join the target server to the domain

  11. Install CA Services

    1. Log on with local or enterprise administrator permissions to the CA computer.

    2. Click Start, click Run, type servermanager.msc, and then press ENTER to open Server Manager.

    3. In the console tree, click Roles.

    4. On the Action menu, click Add Roles.

    5. If the Before you Begin wizard appears, click Next.

    6. In the list of available server roles, select the Active Directory Certificate Services check box, and click Next twice.

    7. Make sure that Certification Authority is selected, and click Next.

    8. Choose if you are migrating to an enterprise or stand-alone CA, and click Next.

    9. Specify either Root or Subordinate CA, depending on the source CA, and click Next.

    10. At this stage, you have a choice between creating a new private key or using an existing private key. Use the second option for a migration.

      1. To create a new CA certificate and key, select Create a new private key.

      2. For a migration, on the Set Up Private Key page, select Use existing private key.

      3. Click Select a certificate and use its associated private key, and click Next.

      4. If the CA certificate has been installed on the computer, it will be listed in the Certificates box. Otherwise, click Import to import a certificate from the .pfx file created by exporting the CA certificate and private key from the source CA.

      5. Click Browse, and locate and select the file containing the certificate and private key exported from the source CA.

      6. Enter the password you selected when exporting the CA certificate and key from the source CA, and click OK.

      7. On the Select Certificate page, click Next.

      8. Complete the rest of the installation wizard to finish installing AD CS.

      9. Click Yes to accept the warning to overwrite AD DS. (This appears only if you are installing an enterprise CA.)

      10. If the CA is installed on a workgroup computer or an existing private key was reused, optionally set the distinguished name suffix, and click Next.

      11. If the CA is a new root CA, set the validity period for the certificate generated on the CA, and click Next. Otherwise, skip this step.

      12. If required, configure the database location paths, and click Next.

      13. If you are installing a subordinate CA, select whether to save the certificate request or submit it directly to the CA, and click Next.

      14. To install AD CS, click Install.

  12. Restore CA

    Restoring a CA consists of the following tasks:

    1. Restore the CA database.
    2. Restore the CA registry configuration.
    3. Restore the certificate template configuration and other settings.
    4. Configure and verify security settings.

    On the target computer where a CA has already been installed, perform the tasks in the order shown. Restoring the CA database and configuration assumes that a CA has been installed with the default parameters. The configuration will be overwritten with the settings from the CA configuration backup.

    To import the CA database from the source CA to the target CA by using the Certification Authority snap-in:

    a. Log on with administrative credentials to the target CA computer.

    b. Open the Certification Authority snap-in.

    c. Right-click the node with the CA name, point to All Tasks, and then click Restore CA. Click OK to confirm stopping the CA service.

    d. In the CA Restore wizard, on the Welcome page, click Next.

    e. On the Items to Restore page, select Certificate database and certificate database log. Click Browse, and navigate to the location of the Database folder that contains the CA database export files created when you previously exported the CA database.

    f. Enter the password you used to export the CA database from the source CA, if a password is requested.

    g. Click Finish, and then click Yes to confirm restarting the CA.

This is a little step-by-step guide to upgrading the Certificate Authority role from Windows Server 2003 to Windows 2008.
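
The last restore task, configuring and verifying security settings, can be checked by repeating the reg export of the CertSvc Configuration key on the target CA and comparing it with the export taken on the source CA. The PowerShell below is an added example, not part of the original article: it parses two export files and lists every value that differs, marking the values that hold CA permissions (Security), certificate manager restrictions (OfficerRights), auditing and publication settings. The function names, the CA name ExampleCA and the embedded registry data are constructed for illustration.

```powershell
# Added example (not from the original article): diff two "reg export" files
# of the CertSvc Configuration key. "ExampleCA" and all data are constructed.
function ConvertFrom-RegExport {
    param([string[]]$Lines)
    $values = @{}
    $key = ''
    # reg.exe wraps long hex data with a trailing backslash; rejoin those lines.
    $text = ($Lines -join "`n") -replace '\\\n\s*', ''
    foreach ($line in ($text -split "`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $key = $Matches[1] }
        elseif ($line -match '^"([^"]+)"=(.*)$') { $values["$key\$($Matches[1])"] = $Matches[2] }
    }
    $values
}

function Compare-CAConfig {
    param([hashtable]$Source, [hashtable]$Target)
    # Values holding CA permissions, certificate manager restrictions,
    # audit settings and CRL/AIA publication locations.
    $watch = 'Security', 'OfficerRights', 'AuditFilter', 'InterfaceFlags',
             'CRLPublicationURLs', 'CACertPublicationURLs'
    foreach ($name in (@($Source.Keys) + @($Target.Keys) | Sort-Object -Unique)) {
        if ($Source[$name] -ne $Target[$name]) {
            $leaf = $name.Substring($name.LastIndexOf('\') + 1)
            New-Object PSObject -Property @{
                Value = $leaf; Source = $Source[$name]; Target = $Target[$name]
                Review = ($watch -contains $leaf)
            }
        }
    }
}

# In practice pass (Get-Content <file>) for each export instead of these samples.
$src = ConvertFrom-RegExport (@'
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ExampleCA]
"AuditFilter"=dword:0000007f
"OfficerRights"=hex:01,00,04,80,14,00,\
  00,00,24,00
"CRLPeriodUnits"=dword:00000001
'@ -split "`r?`n")
$dst = ConvertFrom-RegExport (@'
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ExampleCA]
"AuditFilter"=dword:00000000
"CRLPeriodUnits"=dword:00000001
'@ -split "`r?`n")

Compare-CAConfig $src $dst | Format-Table Value, Source, Target, Review -AutoSize
```

With the sample data, the output lists AuditFilter (changed) and OfficerRights (missing on the target), both marked for review; CRLPeriodUnits is identical and is not listed.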

Wiki - Revision Comment List(Revision Comment)
  • Maheshkumar S Tiwari edited Revision 2. Comment: Added tags

  • Tony Soper_MSFT edited Original. Comment: corrected typo in title

Wikis - Comment List
  • The formatting issues make me think this is still in progress. If so, we might want to make that clear in the article.