Migrate CA to a computer with a different name
Hi, I just need a final confirmation of my plans to migrate a CA infrastructure (one standalone root with 3 subordinate issuing CAs) from W2K3 to new servers under W2K8 R2 with new names.

If I browse the Internet or read some books (including the PKI book from MS Press by Brian Komar), I read several things about migrating CAs to other computers with different names. Some of the articles say that this is not a problem, and some tell me that this would be a no-go... I figured out that the key aspect is the CRL publication point, which includes the name of the old server.

So to clarify, I would like to ask whether this is still a problem if I export and import the reg keys from the old CA server, which include the publication points of the old server - that means I will have 2 publication points in AD (one with the CN of the old server and one with the CN of the new server)? In my opinion the new CA will publish the CRL to either place, and so the already issued certificates are able to check a current CRL at the old place as well, as long as they haven't renewed their certificate with the new information in it. Am I right with that? Further, I will extend the validity of the CRL in advance and republish it in AD (just for my own security ;-D).

Mainly I will follow this article: http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx (Option A)

I'm a little bit unsure about this question, because I read in Brian Komar's book in chapter 14 (questions to the case study) that I cannot rename the NetBIOS name of the computer during recovery of a CA (which is almost the same as a migration to another server).

Thanks for your comments and your clarification!

Cheers, André
September 27th, 2011 1:02pm

Now you can migrate a CA to a new server with a different host name. However, this requires some manual stuff. See for details: http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
September 27th, 2011 1:55pm

Yes - I think so too - but the key point of my question is the CRL publication points: Am I right that I have to add the old path in AD with the old server CN into the publication points (including the permissions)? I have read the migration guide already - but I need a confirmation about this point. I think that is the only thing which I don't have confirmed till now... Btw: Since when has migration with a name change been allowed, and why?
September 27th, 2011 1:59pm

> Am I right, that I have to add the old path in AD with the old server CN into the publication points (including the permissions)?

I think — it is not necessary. Just replace <ServerDNSName> and <ServerShortName> with explicit values pointing to the old CA name. The first time you may need to manually publish CRLs to the old location (to fix permissions) by running this command: certutil -dspublish -f crlfile.crl

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
September 27th, 2011 2:12pm
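The point both posts above circle around (keeping the old server's CDP location alive after the host name changes, and force-publishing the first CRL there) can be written down as a script. The following is an added example, not a script from either poster or from Microsoft: it assumes a W2K8 R2 CA using the standard token-based CRLPublicationURLs list, and the names OLDSERVER01, oldserver01.corp.example, "Contoso Issuing CA 1" and C:\Temp\old-issued.cer are placeholders to replace with your own. The container argument passed to `certutil -dspublish` comes from certutil's documented syntax (`-dspublish CRLFile [DSCDPContainer [DSCDPCN]]`); the reply above only showed the short form.

```powershell
# Added example (not the thread's own commands). Run in an elevated PowerShell on the NEW CA host.
# Placeholders (assumptions): old host names and CA name below must be replaced with real values.
$OldShortName = 'OLDSERVER01'                 # NetBIOS name of the retired W2K3 CA host
$OldDnsName   = 'oldserver01.corp.example'    # FQDN of the retired host, as used in HTTP CDP URLs
$CaName       = 'Contoso Issuing CA 1'        # CA common name (short enough not to be truncated)
$OldCertPath  = 'C:\Temp\old-issued.cer'      # a certificate issued BEFORE the migration, for the check

# 1. Before touching anything, look at what the already issued certificates actually point to.
#    The old-name entries added below must match these URLs character for character.
certutil -dump $OldCertPath | Select-String -Pattern 'CRL Distribution Point' -Context 0,6

# 2. Build the publication list. Token entries (%1 = ServerDNSName, %2 = ServerShortName,
#    %3 = CaName, %6 = ConfigurationContainer, %7 = CATruncatedName, %8 = CRLNameSuffix,
#    %9 = DeltaCRLAllowed, %10 = CDPObjectClass) resolve to the NEW host automatically.
#    Flags: 1 = publish CRL here, 2 = put URL in CDP extension of newly issued certs,
#    4 = include in CRLs (delta lookup), 8 = include in all CRLs, 64 = publish delta CRL here.
#    The explicit old-name entries get 65 (1 + 64): publish there, but never advertise the
#    retired name in certificates issued from now on.
$Urls = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
    '6:http://%1/CertEnroll/%3%8%9.crl'
    "65:ldap:///CN=%7%8,CN=$OldShortName,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
    "65:http://$OldDnsName/CertEnroll/%3%8%9.crl"
)
# certutil takes a REG_MULTI_SZ as one string with literal "\n" separators.
certutil -setreg CA\CRLPublicationURLs ($Urls -join '\n')
certutil -getreg CA\CRLPublicationURLs        # read back and eyeball the five entries

# 3. Restart the CA service so the new list is loaded, then issue a fresh base + delta CRL.
Restart-Service -Name certsvc
certutil -CRL

# 4. The first publish into the OLD CDP container usually fails: the new CA's computer account
#    has no write permission on an object created by the old host. Force-publish the base CRL
#    once by hand into that container; certutil fixes up the object and its ACL on the way.
$BaseCrl = Get-ChildItem 'C:\Windows\system32\CertSrv\CertEnroll\*.crl' |
    Where-Object { $_.Name -notmatch '\+' } |     # delta CRLs carry a '+' in the file name
    Select-Object -First 1
certutil -dspublish -f $BaseCrl.FullName $OldShortName

# 5. Verify from the client's point of view: -urlfetch walks every CDP URL in the OLD certificate
#    and reports whether a current CRL was retrievable from each of them.
certutil -verify -urlfetch $OldCertPath

# 6. Optional direct check of the old AD object: confirm a CRL blob is now stored under the old CN.
$Config  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$OldCdp  = [ADSI]"LDAP://CN=$CaName,CN=$OldShortName,CN=CDP,CN=Public Key Services,CN=Services,$Config"
$CrlSize = @($OldCdp.Properties['certificateRevocationList'].Value).Length
"CRL stored under old CN $OldShortName : $CrlSize bytes"
```

Step 1 is the check worth doing first: if the old certificates carry an HTTP CDP URL, the old DNS name also has to keep resolving (a CNAME to the new host is the usual answer), because a matching publication entry alone does not make the URL reachable. Once the old certificates have all been renewed with the new CDP, the two old-name entries can simply be removed from the list.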

Hi Vadims Thanks for your hint and your information! Cheers, André
September 27th, 2011 6:34pm

