Unable to complete Web Enrollment after CA migration to new server
Hi guys,

We have recently completed upgrading and migrating our Root CA from Windows 2000 to WIN2K8. The OS upgrade completed successfully, and importing the certificate database and registry entries was also completed successfully. The problem we are having at the moment is that we cannot contact the new Root CA (which is also a DC) and request a new certificate to test that it is servicing requests properly. I didn't, however, create a new CRL for the new server. Will this cause a problem?

Connecting to this server on port 80 works and we can also ping the server, so there is no network problem. When trying to connect to https://servername/certsrv it just times out. I have installed IIS and CA Web Enrollment but to no avail.

Any help is appreciated. If I have posted this in the wrong area, please advise which forum to post in.

Kind Regards,
December 28th, 2011 6:11pm

Try connecting on 443 if you are using https instead of http. Also, IIS would need to have an SSL certificate installed already and the site bindings configured for 443 for https. You could also see if you can connect to http instead of https.

You could also try opening the MMC snap-in for Certification Authorities (certsrv.msc) and retargeting it to your CA to see if it connects, or just log into the DC and open it up directly. If it does, you can check the issued certificates and filter for the certificate effective date being newer than when it was rebuilt, and also check your CRL. A new CRL was probably published when you installed, but it never hurts to double check. I'm not sure if you took into consideration having the same system name or not - that could be causing other issues, but for now I'll run with the hope that you did and that the CRL distribution points are still valid.

From a box newer than XP, you can also try from cmd: run "certutil" and copy the value of Config. Then "certutil -ping -config %ConfigValue%" and "certutil -pingadmin -config %ConfigValue%" should validate that all is well with the CA interface.
December 29th, 2011 4:34pm

Hi Steve, thanks for the reply. I have figured out why we were not able to connect to the CA via the web: Directory Browsing was not enabled in IIS, and after enabling it, it worked.

One other thing I would like to check: when I look at the properties of the certificate that was migrated over, select the Extensions tab, then View Certificate, and click on CRL Distribution Points, I notice that the path on the certificate is still pointing to the old CA. How do I update these entries? If the old path is http://servername/CertEnroll/CertName.crl, can I add a new path but replace the old server name with the new one? There are two paths and both point to the original CA. I would like to create another two and have them point to the new CA. Also, is it necessary to retain the CRL Distribution Point with the old server name for existing certificates?

BTW, only the server name has changed on the new CA. It still uses the original CA name.
December 29th, 2011 5:43pm

You will need to maintain a copy of the CRL from the old CA until the last issued certificate expires or all the certificates have been reissued under the new CA. To update for the new CA, open the properties of CAName (the name of your CA) - Extensions tab - then select CRL Distribution Points from the dropdown (probably the default) and update to what you want the new CDP value(s) to be. You should also look at the Authority Information Access (AIA) to see if that needs updating too. If the old server has been decommissioned, you can also create a DNS alias to point to the new CDP in order to support legacy certificates that are still in use.

If your CRL was not signed for a validity period matching the expiration of the CA certificate, then you will need to keep creating new CRLs. If you migrated the private key of the CA over from the old CA, then the new CRLs should be fine to use for both locations. If not, then let me know and we can talk about ways to maintain the legacy CRL if you still have access to that private key.
December 30th, 2011 12:54pm

I'm wondering if everything got moved over then - usually the CDP & AIA should be populated, or else your clients would all be complaining about not getting a CRL. You could grab the relevant part of the registry export and import that. When you look at the exported version, it may not be in human-readable form.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\(CAName)
AIA: Multi-String CACertPublicationURLs
CDP: Multi-String CRLPublicationURLs

If you see numbers like 1:(value), etc., the number is the value of the flags that are set, not an order of appearance. Don't worry about what boxes are enabled for this part - it is easier to just import them and then adjust the checkboxes in the GUI.

In many cases you don't need to use an LDAP CDP. Unless you know that you have a specific need for one, I don't know if I'd worry about it. It can be useful to have a CDP that works externally - usually this would just be an http link. If you need LDAP for external validation for some reason, then I'd suggest reading up on AD LDS (used to be called AD/AM) so you don't have to expose your real AD. Another cool new thing is OCSP.
January 3rd, 2012 11:05pm
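The following is an added worked example, not part of the thread or of any poster's reply: it carries out the CDP/AIA update the two replies above describe (the Extensions tab settings and the CRLPublicationURLs / CACertPublicationURLs multi-strings with their flag prefixes) using certutil -setreg from PowerShell on the new CA, then runs the certutil -ping / -pingadmin checks from the first reply. The HTTP host pki.contoso.com, the default CertEnroll path and the test certificate path C:\Temp\newcert.cer are placeholders assumed for the example; the flag-bit names follow the CSURL_* constants the CA uses for these registry values.

```powershell
# Added example, not from the thread. Run elevated on the new CA (PowerShell 2.0+).
# Assumptions (placeholders): HTTP CDP/AIA host pki.contoso.com (ideally a DNS alias
# that the OLD server name also resolves to, so legacy certificates keep finding the
# CRL), default CertEnroll folder, and an issued test cert at C:\Temp\newcert.cer.
$HttpHost   = 'pki.contoso.com'
$EnrollPath = 'C:\Windows\system32\CertSrv\CertEnroll'

# Config string "Server\CAName": the active CA name lives in the Configuration key
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfgKey).Active
$config = "$env:COMPUTERNAME\$caName"

# Bit meanings of the "N:" prefix on each URL (CSURL_* flags), as the reply notes:
# the number is a flag mask, not an ordering.
$CdpFlags = @{ 1 = 'ServerPublish'; 2 = 'AddToCertCDP'; 4 = 'AddToFreshestCRL'
               8 = 'AddToCRLCDP';   64 = 'ServerPublishDelta' }
$AiaFlags = @{ 1 = 'ServerPublish'; 2 = 'AddToCertAIA'; 32 = 'AddToCertOCSP' }

function Show-PublicationUrls {
    # Decode "flags:url" multi-string entries into readable rows
    param([string[]]$Entries, [hashtable]$Flags)
    foreach ($e in $Entries) {
        $n, $url = $e -split ':', 2
        $set = $Flags.Keys | Sort-Object | Where-Object { [int]$n -band $_ } |
               ForEach-Object { $Flags[$_] }
        '{0,-4} {1,-45} {2}' -f $n, ($set -join ','), $url
    }
}

# 1. What the migrated registry currently holds
$cur = Get-ItemProperty "$cfgKey\$caName"
'--- current CDP (CRLPublicationURLs) ---';    Show-PublicationUrls $cur.CRLPublicationURLs    $CdpFlags
'--- current AIA (CACertPublicationURLs) ---'; Show-PublicationUrls $cur.CACertPublicationURLs $AiaFlags

# 2. New CDP: write base+delta CRL to disk (1+64=65); put the HTTP URL in issued
#    certificates' CDP extension and in the freshest-CRL pointer (2+4=6).
#    %3 = <CaName>, %8 = <CRLNameSuffix>, %9 = <DeltaCRLAllowed> - the GUI "templates",
#    which is why renewals get (1), (2) ... appended automatically.
#    No LDAP CDP, matching the advice above that HTTP alone is usually enough.
$cdp = @(
    "65:$EnrollPath\%3%8%9.crl"
    "6:http://$HttpHost/CertEnroll/%3%8%9.crl"
)
certutil -setreg CA\CRLPublicationURLs ($cdp -join '\n')   # certutil splits on literal \n

# 3. New AIA: publish the CA cert to disk (1); include the HTTP URL in issued certs (2).
#    %1 = <ServerDNSName>, %4 = <CertificateName> (CA cert renewal index)
$aia = @(
    "1:$EnrollPath\%1_%3%4.crt"
    "2:http://$HttpHost/CertEnroll/%1_%3%4.crt"
)
certutil -setreg CA\CACertPublicationURLs ($aia -join '\n')

# 4. The CA reads these at start: restart, publish a fresh CRL, then hit the RPC interfaces
Restart-Service CertSvc
certutil -crl
certutil -ping      -config $config
certutil -pingadmin -config $config

# 5. Re-read and decode what was written, so the GUI checkboxes can be confirmed
$new = Get-ItemProperty "$cfgKey\$caName"
'--- new CDP ---'; Show-PublicationUrls $new.CRLPublicationURLs    $CdpFlags
'--- new AIA ---'; Show-PublicationUrls $new.CACertPublicationURLs $AiaFlags

# 6. Client's-eye check: the fresh CRL must be fetchable over the HTTP CDP ...
$crl = Get-ChildItem "$EnrollPath\*.crl" | Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crl.FullName | Select-String 'Issuer|Next Update'
$bytes = (New-Object System.Net.WebClient).DownloadData("http://$HttpHost/CertEnroll/$($crl.Name)")
"fetched $($bytes.Length) bytes of $($crl.Name) over HTTP"

# ... and a certificate issued AFTER the change should chain and revocation-check
#     using only the URLs embedded in it (placeholder path, assumed)
if (Test-Path 'C:\Temp\newcert.cer') { certutil -verify -urlfetch 'C:\Temp\newcert.cer' }
```

Certificates issued before the change keep the old CDP/AIA URLs baked in, which is why the thread recommends keeping the old server name resolvable (or a DNS alias) and a signed CRL available at the old path until those certificates expire or are reissued; step 6's -urlfetch run against one of the old certificates is a quick way to confirm that the legacy path still answers.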

If I click on the Extensions tab and check the distribution points, there are only the templates and one that points to C:\Windows\System32. If I add the new distribution points, such as url://http:\\newservername\CertSrv\CertEnroll\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl, is this enough for the new CRL? Should I also create an LDAP entry?

Just to let you know, there is no entry in Extensions for the previous CA server for either CDP or AIA. Is this normal?

I apologise for all of the questions, as this is my first CA migration and I want to ensure I have everything set up and working correctly in the Test Lab before completing it in Production.

Regards
January 3rd, 2012 11:24pm

Hmm... what do you mean by "templates" ... those could be the correct settings... such as <CAName> and <CRLNameSuffix>, etc.? These are using the variables - this is a good thing in most cases, especially when you renew your certificate and it wants to add a (1), (2), etc. at the end of the name it just does that automagically.
January 21st, 2012 3:28pm

OK, I think I am just confusing myself here then. After reading the migration guide, it says to update the CRL Distribution Point and AIA extensions. I completed this, including the registry changes, and the details all reflect the new setup. It is only the original certificate that contains the old CRL points, and I guess that makes sense since it was issued using that information. If I renew the certificate in the new setup, however, the same old CRL points are in the details of the cert. Is this normal? How do I get a new certificate with the new details?

Just to recap what I have done so far:
1. Upgraded OS from WIN2K to WIN2K3
2. Backed up CA database and registry settings
3. Upgraded OS from WIN2K3 to WIN2K8
4. Installed CA w/ Web Enrollment on WIN2K8 server
5. Restored the database and registry settings
6. Updated registry to reflect new locations
7. Verified CDP and AIA ACLs using ADSI Edit
8. Updated the CRL Distribution and Revocation lists

If there is anything that I have missed, can you please let me know.
January 21st, 2012 7:34pm
