CA Migration Questions
I recently posted here about my plans to upgrade our existing 2003 Enterprise PKI to 2008. My first part of the migration was to 'upgrade' the 2003 Ent root CA to 2008 (R1). This completed OK, and the CA is online and seems to be working OK. Remember, this was an in-place upgrade, so all existing settings would have been inherited by the upgrade. The second phase will be to back up and restore the CA config from the old subordinate 2003 CA to a new 2008 (R2) CA that will keep the same IP and hostname. My questions are the following:

1. I've noticed that when trying to manually request a new user or computer cert using the MMC/Certificates snap-in from XP (SP3) clients (using Advanced options), you no longer get the option of selecting the upgraded RootCA. I can still see the 2003 subordinate, but the 2008 CA is just not listed (it was always available before the upgrade). From what I can tell, though, it is still issuing certs to XP clients via autoenrollment. XP clients can also access the 'old' web enrollment GUI for user certs. Is there a reason for this? Is this the role of the Online Responder? As this is an 'upgrade', I've established that the HashAlgorithm and Provider details are still running at compatible (legacy) levels.

2. I'm also guessing that the 'upgrade' to a 2008 CA is going to need a bit more work. The manual cert request process on 7 clients now requires a URI. Is there a document on how to go about this (assume post-upgrade to 2008)?

3. Will the 2008 R2 CA restore a CA config backed up from a 2003 (non-R2) CA? Docs I've seen imply you either need to export from 2003, import to 2003, then upgrade to 2008, or upgrade the 2003 CA server to 2008, export the CA config, then restore this onto the 2008 host. Can I go direct, though?
January 18th, 2011 9:28am

Hi,

#1. When you say "I can still see the 2003 subordinate", do you mean that you have not decommissioned the old CA? Please open adsiedit.msc and check whether the upgraded RootCA is displayed in "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=".

#2. Do you mean that you cannot request a certificate from a Windows 7 computer? Do you see the "Active Directory Enrollment Policy" when you request a certificate via the MMC console?

#3. Yes, we can back up a CA on a Windows Server 2003 computer and restore it directly on a Windows Server 2008 CA. http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 18th, 2011 11:36pm

Sorry if some of the questions didn't make obvious sense. What I mean by (1) is that, when a legacy client (in this case XP SP3) requests a 'new' certificate through the MMC/Certificates snap-in, when you select the Advanced option in the wizard, you should see a list of all the available CAs to select from. Before upgrading the 2003 Enterprise CA to 2008, both root and subordinate CAs were listed, and you could select either. Now, following the first phase upgrade, I only see the subordinate CA in the list (still currently running 2003 Ent). Looking at the role of the Online Responder, one of the functions is certificate signing. Do I need to manually add this role to the 2008 CAs to make them selectable in the list? If not, what could be the reason why the 2008 root CA no longer appears when making a manual certificate request?

As for (2), yes, when requesting a new cert using the MMC/Certificates snap-in, I do see the Active Directory Enrollment Policy option, and selecting this gives me a list of published certificates to select from. This is fine, but is setting up a URI a requirement, or just an option? Are there any downsides to not having a URI configured in a 2008 PKI? We are upgrading our domain clients from XP to 7, but we're expecting this will take some time, so XP clients will be on the network for some time yet.

Thanks for confirming (3); this should make my life easier. There are MS documents that contradict this and say you must perform an intermediate upgrade of the O/S before restoring the CA configuration. My only issue doing this is that the subordinate CA I'm taking the backup from was originally a Windows 2000 DC, subsequently upgraded to 2003. This means the Certlog folder is actually in C:\WINNT\System32\Certlog. The Windows 2008 DC obviously uses C:\WINDOWS\System32\Certlog.
I understand I have to restore the files to the same location they were backed up from, so in this case I will have to create the 'old' path on the 2008 DC, restore the files to there, then move the database by updating the associated registry keys. If you can confirm this, that will help greatly.
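The relocation step described above (restore to the legacy path, then move the database and repoint the registry), as an added PowerShell example that is not part of the original thread. It assumes it is run elevated on the 2008 CA after the 2003 backup has been restored to the old C:\WINNT\System32\Certlog path, and that the four DB* values under the CertSvc Configuration key are the ones to update.

```powershell
# Added example, not from the thread. Moves a restored CA database and
# its ESE log files from the legacy Certlog path to the 2008 default
# and repoints Certificate Services at the new location.
$oldDir = 'C:\WINNT\System32\Certlog'            # path recorded in the 2003 backup
$newDir = Join-Path $env:SystemRoot 'System32\Certlog'
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$dbKeys = 'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory'

# The ESE database must be closed before its files are moved.
Stop-Service -Name CertSvc -ErrorAction Stop

New-Item -ItemType Directory -Path $newDir -Force | Out-Null
# Database (.edb), checkpoint (.chk) and transaction logs (.log) move together;
# a log set split across two folders leaves the CA unable to recover the DB.
Copy-Item -Path (Join-Path $oldDir '*') -Destination $newDir -Recurse -Force

# All four locations must agree, otherwise the service refuses to start.
foreach ($name in $dbKeys) {
    Set-ItemProperty -Path $regKey -Name $name -Value $newDir
}

Start-Service -Name CertSvc

# Confirm the service came back and reads its database from the new path.
$cfg = Get-ItemProperty -Path $regKey
foreach ($name in $dbKeys) { "{0,-20} {1}" -f $name, $cfg.$name }
(Get-Service -Name CertSvc).Status
```

Only remove the legacy C:\WINNT copy once the CA has started cleanly and issued at least one certificate from the new location.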
January 19th, 2011 6:00am

Hi,

#1. We don't have to install Online Responder. As I mentioned in my previous post, please open adsiedit.msc and check whether the upgraded RootCA is displayed in "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=". In addition, please check the connectivity between the Windows XP client machine and the RootCA by running certutil -ping -config Machine\CAName on the Windows XP machine.

#2. Generally speaking, we need to create an Enrollment Policy when we use the Certificate Enrollment Web Service. Since this service is not being used in your environment, we don't need to set up a URI. We request certificates by selecting the Active Directory Enrollment Policy, the default Active Directory domain controller URI.

#3. Yes. As far as I know, the %systemroot% will have to be the same on Windows 2000 and Windows 2008, that is, C:\Winnt\system32\certsrv.
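The two checks suggested in this answer (the Enrollment Services container in AD, and certutil -ping against the CA) combined into one diagnostic, as an added PowerShell example that is not part of the original thread. It assumes a domain-joined machine with certutil available, and it also lists each CA's certificateTemplates attribute, since the legacy wizard only offers a CA for a template that CA is published to issue.

```powershell
# Added example, not from the thread. Enumerates the pKIEnrollmentService
# objects that domain clients read to build their CA list, shows the
# templates each CA publishes, and tests RPC reachability with certutil.
$rootDse = [ADSI]'LDAP://RootDSE'
$esDn = "CN=Enrollment Services,CN=Public Key Services,CN=Services," +
        "$($rootDse.configurationNamingContext)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$esDn", '(objectClass=pKIEnrollmentService)')
foreach ($attr in 'cn', 'dNSHostName', 'certificateTemplates') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
if ($results.Count -eq 0) {
    "No enrollment service objects found under $esDn"
}

foreach ($result in $results) {
    # ResultPropertyCollection keys are returned in lower case.
    $caName    = [string]$result.Properties['cn'][0]
    $dnsName   = [string]$result.Properties['dnshostname'][0]
    $templates = @($result.Properties['certificatetemplates'])

    "CA: $dnsName\$caName"
    "  published templates ({0}): {1}" -f $templates.Count, ($templates -join ', ')

    # certutil exits non-zero when the CA's ICertRequest interface is unreachable,
    # which also stops the enrollment wizard from offering that CA.
    certutil -ping -config "$dnsName\$caName" | Out-Null
    "  reachable via RPC: " + ($LASTEXITCODE -eq 0)
}
```

Run it once from the XP client and once from a Windows 7 client: a CA that is listed in AD and answers the ping but is missing the template you request is a publishing problem on the CA, not a client problem.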
January 19th, 2011 10:11pm

Hi, how are you? Any update on the issue? If there is anything unclear, please feel free to respond back. Thanks.
January 24th, 2011 3:05am
