So You Wanna Migrate a CA Server?
Alright, well, this is what you're gonna need to do.
Step Numero Uno : Backup your CA database and its config
1. Log in to your server (I'm assuming you're an admin on this box; if you're not, let me holla at your CySec Team right quick, because they gonna learn today)
2. Server Manager -> Tools -> Certification Authority
3. Right Click on the server name -> All Tasks -> Backup CA
4. Click Next on the Wizard Screen
5. Select both boxes, "Private key and CA certificate" as well as "Certificate database and certificate database log", then save that shit somewhere you won't lose it (and somewhere nobody else can read it: that backup contains your CA's private key).
6. Next your way to the password screen, then set a strong password, and document that bitch, otherwise you'll be doing steps 1-5 again when you're ready to migrate.
7. Hit "Finish"
Step Numero Two : Backup That Reg Key
- Win Key + R -> type "regedit", hit enter.
- Navigate to the CertSvc key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
- Right Click "Configuration" and select "Export"
- Save that shit to the same directory you just saved your super secret CA database backup
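If you'd rather script Steps Numero Uno and Two than click through them, here's an added example (mine, not from the original post) that does the same backup from an elevated PowerShell session on the old CA. It assumes Windows Server 2012 R2 or later (for the ADCSAdministration module that ships with the role) and that `D:\CABackup` is a path you pick yourself.

```powershell
# Added example: scripted Step 1 (CA key + cert + database backup) and Step 2 (CertSvc config export).
# Assumes an elevated PowerShell session on the OLD CA and the ADCSAdministration module (AD CS role).
# $BackupRoot is an assumed location; change it to wherever you actually keep the backup.
Import-Module ADCSAdministration

$BackupRoot = 'D:\CABackup'                     # assumed path
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$BackupDir  = Join-Path $BackupRoot "CA-$Stamp"   # Backup-CARoleService wants an empty folder
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Lock the folder down BEFORE anything sensitive lands in it: the backup holds the CA private key,
# so drop inherited permissions and allow only Administrators and SYSTEM.
$acl = Get-Acl -Path $BackupDir
$acl.SetAccessRuleProtection($true, $false)     # disable inheritance, discard inherited ACEs
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $BackupDir -AclObject $acl

# Step 1: private key + CA certificate (PFX) and the database + logs, protected by a password
# that is prompted for rather than written into the script or the shell history.
$pw = Read-Host -AsSecureString -Prompt 'Backup password (document it!)'
Backup-CARoleService -Path $BackupDir -Password $pw -KeepLog -Force

# Step 2: export the CertSvc Configuration key (CA name, CRL/AIA settings, DB paths) next to it.
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y | Out-Null

# Hash everything so you can prove the copy that reaches the new server is intact before restoring.
$hashes = Get-ChildItem -Path $BackupDir -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path
$hashes | Export-Csv -Path (Join-Path $BackupRoot "CA-$Stamp.sha256.csv") -NoTypeInformation

Write-Host "Backup written to $BackupDir (hashes in $BackupRoot\CA-$Stamp.sha256.csv)"
```

On the new box, `Get-FileHash` over the copied folder compared against that CSV tells you the backup survived the trip before you touch Step 6.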
Step 3 : Go ahead and kill the CA role from the old server (once that backup is safely copied off the box)
- Server Manager -> Manage -> Remove Roles and Features -> unselect "Active Directory Certificate Services", then Next your way to glory.
- Bounce the server or just shut it off when done. It's dead, Jim.
Step Fo': New CA Server Config
NOTE* - When spinning up your new CA, make sure to give it the same name as your old CA, otherwise you're just making your life more difficult.
1. Log in to your new server, Server Manager -> Add Roles and Features
2. Install the Active Directory Certificate Services role
3. When prompted for Role Services, select Certification Authority and Certification Authority Web Enrollment, then Next your way through the menus
Step 5: Provision AD CS
1. Server Manager -> AD CS. You'll see a yellow banner asking you to configure AD CS. Click "More"
2. Click "Configure Active Directory Certificate Services"
3. Make sure you're running this with Enterprise Admin creds
4. Select Certification Authority and Certification Authority Web Enrollment, then click Next
5. Make sure "Enterprise CA" is selected as the setup type
6. Select Root CA as the CA type, then Next
7. Since we're doing a migration, select "Use existing private key", then "Select a certificate and use its associated private key"
8. Click "Import" in the AD CS config window
9. Select the key we backed up in Step Numero Uno (the .p12 file in that backup folder), then enter that sweet sweet documented password and hit "OK"
10. Next your way to victory, we're almost done
Step 6 : Restore that backup
- Server Manager -> Tools -> Certification Authority
- Right Click on the server -> All Tasks -> Restore CA
- Click OK on the window telling you you're about to break stuff and stop services
- Click Next to start Cert Authority Restore
- Check both boxes, to restore Private Key and Database, then select where the stuff is saved
- Enter that sweet sweet documented password
- Finish, then bounce the service (CertSvc)
Step 7 : Remember the Reg Key?
- Find that registry export you made and just run it. Stop the CA service first and start it again after the merge so it actually picks up the settings, and if the new box uses different drive letters or paths for the database or CRL files, fix those values in the .reg before you merge it.
- Magic, that's it. Thanks!
Congrats, you did the stuff and hopefully no one is outside your office door with pitchforks.