Certificate Authority - Moving to a new server
I am planning on moving my certificate authority from 2003 32-bit to 2008 64-bit. I have the documentation on how to do this, but how do I test this in a test network? How can I confirm that it worked successfully? What will happen if this fails during the real one? Will anything that is using certificates fail (PEAP, IIS, etc.)?
June 16th, 2011 11:13am

Basically you should be able to create a separate certificate chain with the new CA. When you can confirm you're running on that chain, you can remove the old one.
June 16th, 2011 2:49pm

Hello, the better forum about security is: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads

Best regards, Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
June 19th, 2011 6:27am

You need to perform the following tests:
1) Run the Certification Authority MMC snap-in and ensure that you can connect to the DB and that the settings in the properties are correct.
2) Publish new CRLs and check the CRL number.
3) Run the PKIView.msc MMC snap-in and ensure that all is OK. If so, check the CRL number. The number must be the same as shown in the Certification Authority MMC snap-in.
4) Try to enroll a certificate from this CA server.
If all steps succeed then it is most likely the migration was successful.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
June 20th, 2011 4:48am

Hi s10xtremenlow,

Thank you for your updates. Here is a thread that provides the way to test a migrated certificate authority:
1. Use a domain computer to get a test certificate.
2. Publish a CRL manually from the CA (certutil -crl).
3. Export the certificate you got in step one into a .cer file (suppose it is named test.cer).
4. Use certutil -urlfetch -verify test.cer
5. Review the results.
This way you'll check that 1) the CA issues certificates and CRLs and 2) the CRL distribution points are reachable.

If there are more inquiries on this issue, please feel free to let us know.

Regards, Rick Tan
June 20th, 2011 10:39pm

> Hi s10xtremenlow,
>
> Thank you for your updates. Here is a thread that provides the way to test a migrated certificate authority:
> 1. Use a domain computer to get a test certificate.
> 2. Publish a CRL manually from the CA (certutil -crl).
> 3. Export the certificate you got in step one into a .cer file (suppose it is named test.cer).
> 4. Use certutil -urlfetch -verify test.cer
> 5. Review the results.
> This way you'll check that 1) the CA issues certificates and CRLs and 2) the CRL distribution points are reachable.
>
> If there are more inquiries on this issue, please feel free to let us know.
>
> Regards, Rick Tan

Steps 3-5 might not be helpful. This is because the certificate can be checked against a previously (prior to migration) published CRL that is still valid. In this case it is necessary to wait until the previously published CRLs expire.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
June 21st, 2011 1:46am
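As an added example (not code from the thread or from any of the posters), the following PowerShell script automates Rick Tan's steps 2-5 and addresses Vadims' caveat by reading the ThisUpdate time of the CRL the CDP actually serves, so you can tell whether the revocation check ran against a CRL published by the migrated CA or against a leftover pre-migration CRL. The parameter defaults, the CDP URL and the certutil output strings that are matched are assumptions, not values from the thread.

```powershell
# Added example, not from the thread. Assumptions: run on a domain member with
# certutil.exe in PATH (elevated on the CA for certutil -crl); $CertFile is the
# test certificate exported in step 3; $MigrationTime is when the old CA went
# offline; $CrlUrl is an HTTP CDP URL of the CA. All three are placeholders.
param(
    [string]$CertFile        = 'C:\temp\test.cer',
    [datetime]$MigrationTime = '2011-06-20 00:00',
    [string]$CrlUrl          = 'http://pki.example.com/CertEnroll/ExampleCA.crl'
)

function Test-CaChainVerify {
    param([string]$Path)
    # Step 4: build the chain and fetch every AIA/CDP URL embedded in the cert.
    # certutil can exit 0 even when revocation checking fails, so the success
    # string (as printed by an English certutil; assumed) is checked as well.
    $out = & certutil.exe -urlfetch -verify $Path 2>&1 | Out-String
    $ok  = ($LASTEXITCODE -eq 0) -and
           ($out -match 'Leaf certificate revocation check passed')
    [pscustomobject]@{ Passed = $ok; Output = $out }
}

function Get-PublishedCrlInfo {
    param([string]$Url)
    # Download the CRL the CDP currently serves and read ThisUpdate and the
    # CRL Number from certutil -dump (field names assumed from English output).
    $tmp = Join-Path $env:TEMP 'migration-check.crl'
    (New-Object System.Net.WebClient).DownloadFile($Url, $tmp)
    $dump = & certutil.exe -dump $tmp | Out-String
    $this = [datetime]([regex]::Match($dump, 'ThisUpdate:\s*(.+)').Groups[1].Value.Trim())
    $num  = [regex]::Match($dump, 'CRL Number=(\S+)').Groups[1].Value
    [pscustomobject]@{ ThisUpdate = $this; CrlNumber = $num }
}

# Step 2: force the migrated CA to publish a fresh base CRL.
& certutil.exe -crl | Out-Null

$crl = Get-PublishedCrlInfo -Url $CrlUrl
if ($crl.ThisUpdate -lt $MigrationTime) {
    # Vadims' point: a still-valid pre-migration CRL makes step 4 pass regardless
    # of whether the new CA works, so the result proves nothing yet.
    Write-Warning "CDP still serves a pre-migration CRL (ThisUpdate $($crl.ThisUpdate)); wait for it to expire or fix CDP publishing."
}
$verify = Test-CaChainVerify -Path $CertFile
"CRL number $($crl.CrlNumber) published $($crl.ThisUpdate); chain and revocation check passed: $($verify.Passed)"
```

Compare the printed CRL number with the one shown in the Certification Authority snap-in and PKIView.msc, as Vadims' steps 2 and 3 describe; if they differ, the CDP is not yet serving the CRL the migrated CA just published.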
