Consolidation of Enterprise CA's
Hi there, I need some advice and guidance around consolidating two 2003 Enterprise CAs. Server A we are wanting to decommission, and it seems to have provided a number of user EFS certs. We are wanting to consolidate Server A with the existing CA on Server B. Stephane
February 7th, 2011 6:06am

If you are planning on decommissioning a CA, please see the following KB article (http://support.microsoft.com/kb/889250). In addition, since you mention encryption certificates issued by Server A, you should:

1) Determine if the private key was archived at the CA (add the Archived Key field to the display of issued certificates).
2) If archived, then determine which Key Recovery Agent certificate is designated as the KRA for each certificate (you can use certutil -getkey or, from the 2003 Resource Kit, the Key Recovery Tool).
3) Have a Certificate Manager (person assigned the Issue and Manage Certificates permission) retrieve each archived blob from the CA (the Key Recovery Tool is the easiest way). Repeat for each archived certificate.
4) Have a person import the KRA certificate and private key into their certificate store (assumes you have care and control of the KRA certificate and private key).
5) Use the Key Recovery Tool to extract each PKCS#12 file from the archived blobs. Repeat for each encryption certificate blob.
6) Enable Foreign Key Import at Server B (certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN).
7) Import each PKCS#12 file into the database at Server B using certutil -importKMS. Repeat for each PKCS#12 file.

Do not do the decommission steps from KB 889250 until you have completed the steps above. Brian
February 7th, 2011 7:34am
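The steps above can be driven with certutil rather than the Resource Kit GUI. The following is an added example, not code from the thread: an elevated PowerShell script with two phases. Phase "Export", run on a machine as a Certificate Manager who also holds the KRA certificate and private key in their personal store, lists issued certificates whose Key Recovery Agent Hashes column is populated (assumed to be the database column behind the "Archived Key" display field), pulls each archived blob with certutil -getkey and decrypts it to a PKCS#12 with certutil -recoverkey. Phase "Import", run on Server B, enables foreign key import and loads each PKCS#12 with certutil -importKMS. The CA config strings, the working folder, the -p password handling and the CSV header positions are assumptions for this example.

```powershell
# Added example: migrate archived EFS keys from a retiring CA (Server A) into Server B's database.
# Run in an elevated PowerShell prompt. Values below are assumed placeholders, not from the thread.
param(
    [ValidateSet("Export", "Import")]
    [string]$Phase = "Export",
    [string]$OldCaConfig = "ServerA\Contoso-ServerA-CA",  # assumed "host\CA common name" of Server A
    [string]$NewCaConfig = "ServerB\Contoso-ServerB-CA",  # assumed "host\CA common name" of Server B
    [string]$WorkDir     = "C:\KeyMigration",             # assumed folder for .blob and .p12 files
    [string]$P12Password = "ChangeMe-TransportOnly"       # assumed; protects the extracted PKCS#12 files
)

$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function Get-ArchivedSerials {
    # Step 1: ask the old CA for issued certs (Disposition 20 = issued) and keep only rows where
    # Key Recovery Agent Hashes is non-empty, i.e. the private key was archived at the CA.
    # certutil emits display names as CSV headers, so fixed names are supplied via -Header.
    $csv = certutil -config $OldCaConfig -view -restrict "Disposition=20" `
                    -out "SerialNumber,KeyRecoveryHashes" csv
    $rows = $csv | ConvertFrom-Csv -Header "Serial", "KraHashes" | Select-Object -Skip 1
    return $rows | Where-Object { $_.KraHashes -and $_.KraHashes.Trim() -ne "" } |
                   Select-Object -ExpandProperty Serial
}

function Export-ArchivedKeys {
    # Steps 2-5: retrieve the encrypted archive blob per serial (step 3), then decrypt it with the
    # KRA private key held in the current user's store (step 4) into a password-protected PKCS#12
    # (step 5). Keep the .p12 files on an access-controlled volume; they contain user private keys.
    $serials = Get-ArchivedSerials
    Write-Host ("Found {0} certificate(s) with archived keys on {1}" -f $serials.Count, $OldCaConfig)
    foreach ($serial in $serials) {
        $blob = Join-Path $WorkDir "$serial.blob"
        $p12  = Join-Path $WorkDir "$serial.p12"
        certutil -config $OldCaConfig -getkey $serial $blob | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "getkey failed for $serial"; continue }
        certutil -p $P12Password -recoverkey $blob $p12 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "recoverkey failed for $serial (is the KRA key in your store?)"; continue }
        Remove-Item $blob   # the encrypted blob is no longer needed once the .p12 exists
        Write-Host "Recovered $serial -> $p12"
    }
}

function Import-RecoveredKeys {
    # Step 6: allow Server B to archive keys for certificates it did not issue, then restart the
    # CA service so the flag takes effect. Step 7: import every PKCS#12 into Server B's database.
    certutil -config $NewCaConfig -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN | Out-Null
    Restart-Service certsvc
    $files = Get-ChildItem -Path $WorkDir -Filter "*.p12"
    foreach ($f in $files) {
        certutil -config $NewCaConfig -p $P12Password -importKMS $f.FullName | Out-Null
        if ($LASTEXITCODE -eq 0) { Write-Host "Imported $($f.Name)" }
        else { Write-Warning "importKMS failed for $($f.Name)" }
    }
    # Confirm the keys now show as archived on Server B before decommissioning Server A.
    certutil -config $NewCaConfig -view -restrict "Disposition=20" -out "SerialNumber,KeyRecoveryHashes"
}

switch ($Phase) {
    "Export" { Export-ArchivedKeys }
    "Import" { Import-RecoveredKeys }
}
```

Run `.\Migrate-ArchivedKeys.ps1 -Phase Export` first, copy the resulting .p12 files to Server B over a protected channel, then run `-Phase Import` there. Only after the final view on Server B lists every migrated serial with a Key Recovery Agent Hashes value should the KB 889250 decommission steps begin, matching the ordering Brian gives above.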

Hi, How's everything going? Please feel free to respond back if you need further information. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 11th, 2011 12:25am

What do we do if the private key was not archived on the CA on Server A? Thanks, Stephane Favre
February 15th, 2011 11:48pm

If the private key was not archived, the only way to get the keys is to go to the certificate holder's computer and export as P12 at that computer. If the CA database indicates that the private key is not archived, there is no way to retrieve the private key at the CA, as it has no knowledge of the private key. Brian
February 16th, 2011 9:28am
