Moving Enterprise Root CA
I have an Enterprise Root CA protected by nCipher's nFast Key Safe product. This Enterprise Root CA is running on a Server 2003 Domain Controller that is in very bad shape - needs rebooted quite often. Rebooting this server causes problems because each time, the CA will not work until the nFast services are restarted. To start those services requires the use of 2 operator cards in conjunction with passwords. The holders of the cards always seem to forget their passwords!

I would like to move the Enterprise Root CA role, along with the current certificates, to a new server, and retire this domain controller. I do not intend to use the nCipher stuff on the server I move the ER CA role to.

I've read all the msft articles I could on how to move the role to another server - all are straightforward enough but none describe a twist quite like I am in: ER CA role on a Domain Controller with services protected by nFast.

Hoping that someone in TechNet forum land has run into this and overcame it!

Thanks
Griff
January 6th, 2009 8:12pm

Hi Griff,

What type of HSM are you using? Are you using an nShield HSM connected via PCI?

You can migrate your existing security world and keys to a new server and install the CA using an existing key. Try the instructions at the following link (you'll need the section Certificate Migration Between Certificate Authorities).

www.ncipher.com/Resources/~/media/Files/Integration%20Guides/Microsoft_CA_Windows_2003.ashx

As far as I am aware you can't export the CA certificate from the HSM to be imported onto another CA without the HSM. I think you can only migrate the security world, keys and card sets to a new server and use the nCipher CSP to access the keys, although I may be wrong on this.

Cheers
Chris
January 7th, 2009 6:36pm

A couple of things here:

1) An enterprise CA should be using Module protection, not OCS protection. You want an enterprise CA to start without having to have key holders present OCS cards before the certificate services start. You can use the %nfast_home%\bin\ROCS.exe command to change the key protection for that key set from OCS to module protection.

2) You would be able to move the keys to a new computer, but the new computer must have the same domain name as the current DC/CA and the same domain membership. To move the CA, you will need to move the following data from the DC/CA:
a) Backup of the CA database
b) Backup of the windows\system32\certsrv\certenroll folder (cert and CRLs)
c) Backup of the kmdata\local folder (all keys and security world info)
d) Backup of the lmdata\config folder (how you connect to the HSM)
e) Backup the HKLM\System\CCS\Services\CertSvc registry key

3) You would move the HSM to the new box.

4) You would re-establish domain membership with the same name (the old box is now with Certificate Services removed, DCPromo to demote the computer, and removed from the network).

5) You would re-establish connectivity to the CA (install ncipher software, restore config and local folders).

6) Run the ncipher wizard to establish module protection (assuming you have used ROCS already to change protection to module protection).

7) You would import the CA certificate into the local machine store.

8) You would use certutil -repairstore to tie the certificate back to the key pair.

9) Install certificate services using an existing certificate (now available).

10) Restore the CA database.

11) Restore the registry key.

DONE
January 14th, 2009 5:27am
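A cmd.exe script for the source-side half of the procedure above (backup items a through e, plus capturing the CA certificate and its serial number for the later certutil -repairstore step). It is added here as an illustration and is not from the thread or from nCipher; the destination drive, the C:\nfast install path, and reading "lmdata\config" as kmdata\config are assumptions.

```batch
@echo off
rem Added example, not from the thread. Collects items a) to e) from the
rem answer above into one folder on the old DC/CA. Run as a CA administrator.
rem Assumptions (placeholders): backup destination and nfast install path.
setlocal
set BACKUPROOT=D:\CAMove
set NFAST_HOME=C:\nfast
set CERTSRV=%SystemRoot%\system32\certsrv

if not exist "%BACKUPROOT%" mkdir "%BACKUPROOT%"

rem a) CA database and logs. The private key is NOT in this backup: it stays
rem    in the nCipher security world (kmdata\local) and travels with the HSM.
certutil -backupdb "%BACKUPROOT%\db"
if errorlevel 1 goto fail

rem b) CA certificate(s) and CRLs published by this CA
xcopy "%CERTSRV%\certenroll" "%BACKUPROOT%\certenroll\" /E /H /K /Y
if errorlevel 1 goto fail

rem c) security world and application key blobs (world, module, key_* files)
xcopy "%NFAST_HOME%\kmdata\local" "%BACKUPROOT%\kmdata\local\" /E /H /K /Y
if errorlevel 1 goto fail

rem d) nCipher configuration: how the host talks to the module (assumed to be
rem    kmdata\config, which the answer writes as lmdata\config)
xcopy "%NFAST_HOME%\kmdata\config" "%BACKUPROOT%\kmdata\config\" /E /H /K /Y
if errorlevel 1 goto fail

rem e) CertSvc registry key: CA name, CRL/AIA settings, policy/exit modules
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc" "%BACKUPROOT%\CertSvc.reg"
if errorlevel 1 goto fail

rem Keep a copy of the CA certificate and note its serial number; on the new
rem box "certutil -repairstore my <serial>" re-links it to the HSM-held key.
certutil -ca.cert "%BACKUPROOT%\cacert.cer"
certutil -dump "%BACKUPROOT%\cacert.cer" | findstr /C:"Serial Number" > "%BACKUPROOT%\serial.txt"

echo Backup complete in %BACKUPROOT%. Verify the folder is readable before decommissioning.
exit /b 0

:fail
echo A backup step failed; do not proceed with the move until it succeeds.
exit /b 1
```

The restore side uses the matching commands on the new member server (certutil -restoredb, reg import of CertSvc.reg, certutil -repairstore my with the recorded serial) after the nCipher software is installed and kmdata has been put back.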

