Building a new PKI
Hi, not sure if this has been asked, but I am in the process of building a system in parallel (building a copy of the AD DS setup we currently have - e.g. we currently have domain.com.au and we are building a new domain.com.au). The reason we are doing it this way is because we are moving from 32 bit to 64 bit and we want to leave the existing environment untouched. We only really seem to use certificates for the domain controllers (not a problem), and we also manually obtain certificates for certain senior users (very small number) for the ability to encrypt emails between certain people for confidentiality. It is my understanding that in order to maintain our users' access to these old encrypted emails, as well as being able to encrypt new emails, it should be possible as long as I import the users' certificates as well as the CA certificate that signed the users' certificates into the new Certificate Authority server. I can't find any relevant material.
February 1st, 2010 6:07am

If your current PKI works without any problems I would advise migrating the current PKI from x86 to x64 servers, not building a new one from scratch. While x86 and x64 CAs are fully compatible, it will not be a difficult process. In general you will need to:

1) Back up each CA as described here: http://technet.microsoft.com/en-us/library/cc737405(WS.10).aspx
2) Remove certificate services from each CA.
3) Make sure the CA records are removed from AD: CN=Configuration,CN=Services,CN=Public Key Services,CN=Enrollment Services.
4) Install certificate services on the new server. When you are prompted for the CA certificate, import the pfx file from the CA backup.
5) Make sure the CA records are updated in AD: CN=Configuration,CN=Services,CN=Public Key Services,CN=Enrollment Services.

Looks like that is all. For additional information please check this: http://support.microsoft.com/kb/298138

http://www.sysadmins.lv
February 1st, 2010 9:58am
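As an added post-migration check for steps 3 to 5 of the reply above (example code written here, not from the reply's author): it reads the CA's Enrollment Services record from AD, confirms the record points at the new host, and confirms the CA certificate published there is the same one contained in the restored backup PFX, which is what the users' existing email certificates chain to. The CA name, PFX path and host name are placeholders; it assumes the ActiveDirectory module and certutil are available on the new server.

```powershell
# Added check (not from the thread): verify the AD enrollment record and the
# published CA certificate after restoring a CA from backup onto the new host.
Import-Module ActiveDirectory

$caName  = 'Contoso-Issuing-CA'                     # placeholder: CA common name
$pfxPath = 'C:\CABackup\Contoso-Issuing-CA.p12'     # placeholder: PFX from the CA backup
$newHost = 'ca01.domain.com.au'                     # placeholder: FQDN of the new CA server

# Steps 3 and 5: the pKIEnrollmentService object under the Configuration
# naming context is what domain clients use to locate the CA.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$entry    = Get-ADObject -SearchBase $base -Filter "cn -eq '$caName'" `
                -Properties dNSHostName, cACertificate

if (-not $entry) {
    throw "No Enrollment Services record for '$caName' in AD; clients cannot locate the CA."
}

# cACertificate is multi-valued (one blob per CA certificate, including renewals).
$adThumbprints = foreach ($blob in $entry.cACertificate) {
    ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)).Thumbprint
}

# Step 4: the certificate restored from the backup PFX (prompts for its password).
$pfxCert = Get-PfxCertificate -FilePath $pfxPath

# CRL publication locations still configured on the restored CA (registry-backed).
$crlUrls = certutil -getreg CA\CRLPublicationURLs

[pscustomobject]@{
    HostInAD              = $entry.dNSHostName
    HostMatchesNewCA      = ($entry.dNSHostName -ieq $newHost)
    PublishedThumbprints  = ($adThumbprints -join ', ')
    PfxThumbprint         = $pfxCert.Thumbprint
    PfxMatchesPublishedCA = ($adThumbprints -contains $pfxCert.Thumbprint)
    CrlPublicationURLs    = ($crlUrls -join "`n")
}
```

If PfxMatchesPublishedCA is false, the user certificates issued by the old CA will not chain to the CA that AD now advertises, so check which CA certificate was restored before touching the user certificates.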

I was under the impression that it wasn't possible to migrate a 32 bit certificate authority over to a 64 bit system due to database incompatibility. My understanding is that while it is possible to back up the CA certificate and private key and import it into the new Certificate Authority server to maintain users being able to access encrypted emails using their user certificate, there doesn't seem to be any way to migrate the database to revoke the users' certificates when they are no longer valid. The reason I am doing this in a new environment is so we can let the users work without interruptions and then migrate everything across while preserving the original infrastructure, which will at that time be switched off and destroyed (not literally, but it won't ever touch our live systems without being decommissioned).
February 2nd, 2010 2:02am

Hi, it is possible to move a CA from an x86 computer to an x64 computer. As the database will be restored, the operation does not affect the revoked certificates. For detailed information, please refer to the following article: Performing the Upgrade or Migration http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx

This posting is provided "AS IS" with no warranties, and confers no rights.
February 2nd, 2010 5:42am

Hi Joson, I just noticed that the migration of a CA to a new forest is not currently supported. Like I said above, the primary use of the CA for us is to issue user certificates to a select group of people so they can send encrypted emails internally. We currently use Windows Server 2003 and are moving to Windows Server 2008 R2. If I were to create a new forest using the same forest name and directory structure (e.g. the old forest is named domain.com.au and the new forest will be named domain.com.au, the CA server names will be identical, etc.), would I be able to use the steps in that article to back up my CA and restore it to the new forest and then migrate the individual user certificates? My thinking is that this should bring all of the issued certificates over and those certificates would then be published to the CRL. There are quite a few users with huge amounts of encrypted emails going back many, many years; I need them to be able to retain access to those emails in the new system, and when their certificate comes up for renewal I can then just go through the normal process of obtaining another user certificate so they can continue to send and receive encrypted emails internally. My thoughts are, if the forest name is the same, if I have a copy of the database, a copy of the CA certificate with private key that was used to sign the users' certificates, and find a way to force the CRL to publish to the same location that it was previously being published to, then what would the issues be?
February 4th, 2010 3:58am

Hostmaster-ablaw, were you able to successfully run a parallel PKI environment and slowly move things over?
March 3rd, 2011 6:09pm
