Upgrade Windows 2003 Enterprise CA to Windows 2008
We are about to upgrade our existing Windows 2003 Enterprise CA server to Windows 2008 using in-place upgrade. I have a couple of questions:
- Are there any complications I should know about?
- Will this invalidate existing certificates issued by this CA?
- I currently have scripts for imaging new machines that use the command-line certutil.exe and certreq.exe tools for generating and requesting client certificates. Do these tools have the same functionality on Server 2008?
At the same time, we're looking at reducing the root CA's validity time from 10 years to 7. I read that when reducing the time, a new key must be generated. Does this invalidate existing trusted root certificates or will they continue to be valid until they expire? Thanks in advance.
July 24th, 2009 6:26pm

This whitepaper explains it, and gives detailed information on going from 2003 -> 2008 CA with a host name change. The hostname can change, but the CA name must remain the same: Active Directory Certificate Services Upgrade and Migration Guide. Hopefully this whitepaper will also answer your questions ;). Certifications: MCSA 2003 MCSE 2003
July 26th, 2009 12:21am

Thanks for the whitepaper regarding 2003 -> 2008 upgrade. We're planning to keep the same host name, CA name, etc. We just want to upgrade the OS and I wanted to make sure everything already in place would stay the same. Do you know about my other question? If I shorten the lifespan of the Root CA cert, will I have to generate a new key and therefore old keys become invalid or will they stay valid until they expire? Thanks.
July 27th, 2009 3:35pm

What you are trying to do is not possible (or not supported by Microsoft). You have two possible scenarios (stated in the whitepaper I referred to before):
Option A: Migrate the CA to a New Host. The first option is to migrate the CA component to another computer and to keep the domain controller component in place on the original host. Because the original computer will stay on the network, the CA must be moved to a server with a different host name.
Option B: Keep the CA on the Original Host and Move the Domain Controller. The second option is to keep the CA in place on the original host and move the domain controller role to another host.
Certifications: MCSA 2003 MCSE 2003
July 27th, 2009 4:06pm

I don't think those scenarios apply because the machine hosting the CA is not a DC. It is a standalone Root CA. In this case, I should be able to simply perform an in-place upgrade on the OS, correct?
July 27th, 2009 4:48pm

I don't think it will be so easy, because the Windows Server 2008 certificate part has changed quite a lot. I will need to research it; I will come back as soon as I have found the answer. Certifications: MCSA 2003 MCSE 2003
July 27th, 2009 5:39pm

Well, I backed up the old server (it was a VM) and then did an in-place upgrade on it. After the upgrade, it came up with the following errors on AD Cert Services, but keep in mind that I have not turned on the virtual NIC yet, so these could all be caused by no network connectivity:

EventID 66: Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=<CAname>,CN=<CAname>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<Domain>,DC=local. The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58).

EventID 65: Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: ldap:///CN=<CAname>,CN=<CAname>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<Domain>,DC=local. The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58).

EventID 44: The "Windows default" Policy Module "Initialize" method returned an error. The specified domain either does not exist or could not be contacted. The returned status code is 0x8007054b (1355). The Active Directory containing the Certification Authority could not be contacted.

EventID 91: The "Windows default" Policy Module "Initialize" method returned an error. The specified domain either does not exist or could not be contacted. The returned status code is 0x8007054b (1355). The Active Directory containing the Certification Authority could not be contacted.
July 27th, 2009 7:00pm

1) You have errors in the configuration of the offline CA. You have configured either the 1 or 64 flag for the CDP extension, and the CA is trying to write to AD. This is impossible for a properly configured offline root CA, as it is neither a member of the forest nor is it ever connected to the network to allow writing. It also looks like your offline root CA is potentially an enterprise CA rather than a standalone CA, requiring it to contact AD. I would review your PKI design before proceeding, as it seems flawed. Brian
July 27th, 2009 11:23pm
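As an added example (not code from this thread or from Microsoft), the PowerShell below reads the CA's CRLPublicationURLs registry value and decodes the flag bits Brian refers to: bit 1 means the CA itself publishes the base CRL to that URL, bit 64 means it publishes the delta CRL there, so any LDAP entry carrying either bit needs a reachable, writable DC. The registry path and the CSURL_* bit meanings are Microsoft's documented ones; the three sample entries are constructed from the typical Windows 2008 defaults so the decoder can be tried off the CA host.

```powershell
# Added example, not from the thread: decode CRLPublicationURLs entries
# ("<flags>:<url>") and report which locations the CA will try to write to.
# Bit values are the documented certutil CSURL_* flags. Reading the live value
# assumes you run on the CA host with rights to read HKLM\...\CertSvc.

$CsUrlFlags = [ordered]@{
    1   = 'CSURL_SERVERPUBLISH      (CA writes the base CRL to this URL)'
    2   = 'CSURL_ADDTOCERTCDP       (URL goes into issued certs CDP extension)'
    4   = 'CSURL_ADDTOFRESHESTCRL   (URL goes into issued certs Freshest CRL)'
    8   = 'CSURL_ADDTOCRLCDP        (URL goes into the CRL CDP extension)'
    64  = 'CSURL_SERVERPUBLISHDELTA (CA writes the delta CRL to this URL)'
    128 = 'CSURL_ADDTOIDP           (URL goes into the CRL IDP extension)'
}

function ConvertFrom-CrlPublicationEntry {
    param([Parameter(Mandatory)][string]$Entry)
    # Each REG_MULTI_SZ entry is "<decimal flags>:<url with %n tokens>"
    $flagText, $url = $Entry -split ':', 2
    $flags = [int]$flagText
    $set = foreach ($bit in $CsUrlFlags.Keys) {
        if ($flags -band $bit) { $CsUrlFlags[$bit] }
    }
    [pscustomobject]@{
        Flags      = $flags
        Meaning    = $set
        # Bits 1 or 64 on an ldap: URL mean the CA must write to AD itself
        WritesToAD = ($url -like 'ldap:*') -and (($flags -band 65) -ne 0)
        Url        = $url
    }
}

function Get-CaCrlPublication {
    # The "Active" value names the CA's own configuration subkey
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $urls   = (Get-ItemProperty -Path "$cfg\$caName" -Name CRLPublicationURLs).CRLPublicationURLs
    $urls | ForEach-Object { ConvertFrom-CrlPublicationEntry $_ }
}

# Constructed sample entries (typical 2008 defaults), usable off the CA host.
$sample = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    '6:http://%1/CertEnroll/%3%8%9.crl'
)
$sample | ForEach-Object { ConvertFrom-CrlPublicationEntry $_ } |
    Format-Table Flags, WritesToAD, Url -AutoSize

# On the CA itself, run the live check instead:
# Get-CaCrlPublication | Format-Table Flags, WritesToAD, Url -AutoSize
```

In the sample, the 79 entry (64+8+4+2+1) is the one that makes the CA write both CRLs to AD: expected on a domain-joined enterprise CA like the poster's, but exactly the misconfiguration Brian describes if the box were an offline standalone root, which should carry only the file-system entry with bit 1 and serve the LDAP/HTTP URLs as pointers (bits 2, 4, 8) that are published from elsewhere.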

I might be explaining myself wrong. Our CA is not an "offline" CA. This is an Enterprise CA, but it does not reside on a server that is also a Domain Controller. The server hosting this CA is both a domain member and on the LAN. It does write to AD. The instructions provided by shadowman123 were referring to a server that is both an Enterprise CA AND a domain controller. This server is ONLY an Enterprise CA. Sorry for the confusing wording...
July 28th, 2009 5:29pm

You may have computer account issues. Do you receive any errors when you run nltest /sc_verify:domain.com? If you deleted the computer account, or still had the previous CA on the network before upgrading, the computer account could become hosed. Brian
July 28th, 2009 6:23pm

I may have mis-communicated one other thing, Brian, and thank you for your assistance. I have intentionally left this machine disconnected from the network for the time being. I want to make sure there are no issues unrelated to network connectivity before I replace the old running VM with this one. Do you see anything in the 4 errors I mentioned that points to anything unrelated to having the network card disabled? Thanks
July 28th, 2009 7:42pm

They are all due to no network connectivity.

EventID 66: Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=<CAname>,CN=<CAname>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<Domain>,DC=local. The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58).
Cannot write a delta CRL to the AD due to disconnected state.

EventID 65: Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: ldap:///CN=<CAname>,CN=<CAname>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<Domain>,DC=local. The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58).
Cannot write a base CRL to the AD due to disconnected state.

EventID 44: The "Windows default" Policy Module "Initialize" method returned an error. The specified domain either does not exist or could not be contacted. The returned status code is 0x8007054b (1355). The Active Directory containing the Certification Authority could not be contacted.
Cannot read the AD configuration for the CA due to disconnected state.

EventID 91: The "Windows default" Policy Module "Initialize" method returned an error. The specified domain either does not exist or could not be contacted. The returned status code is 0x8007054b (1355). The Active Directory containing the Certification Authority could not be contacted.
Cannot read the AD configuration for the CA due to disconnected state.
Brian
July 29th, 2009 3:43am
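As an added example (not from the thread or from Microsoft), here is a PowerShell triage for the four event IDs discussed above. It decodes the HRESULT embedded in each event text into its Win32 error (0x8007003a is Win32 58, 0x8007054b is Win32 1355, both network/domain-reachability errors, which is why Brian attributes all four to the disabled NIC), pulls the live events from the Application log, and runs the nltest checks he suggested. The event provider name "Microsoft-Windows-CertificationAuthority" is assumed for a 2008 CA; the sample event strings are constructed from the codes quoted in the thread so the decoder can be tried anywhere.

```powershell
# Added example, not from the thread: decode the HRESULTs in AD CS events
# 44/65/66/91 and confirm whether the host can currently reach its domain.
# Provider name below is an assumption for a Windows 2008 CA.

function ConvertFrom-CaHResult {
    param([Parameter(Mandatory)][string]$Text)
    # Event text embeds codes such as "0x8007003a (WIN32: 58)" or "0x8007054b (1355)"
    if ($Text -notmatch '0x([0-9a-fA-F]{8})') { return $null }
    $hr = [Convert]::ToUInt32($Matches[1], 16)
    # FACILITY_WIN32 HRESULTs look like 0x8007xxxx; the low 16 bits are the Win32 code
    if (($hr -band 0xFFFF0000) -ne 0x80070000) {
        return [pscustomobject]@{ HResult = ('0x{0:x8}' -f $hr); Win32 = $null; Message = 'not a Win32-facility HRESULT' }
    }
    $win32 = [int]($hr -band 0xFFFF)
    $msg   = (New-Object ComponentModel.Win32Exception $win32).Message
    [pscustomobject]@{ HResult = ('0x{0:x8}' -f $hr); Win32 = $win32; Message = $msg }
}

# What each of the four IDs means when AD is unreachable (per the thread)
$NetworkSymptoms = @{
    44 = 'Policy module could not read CA config from AD'
    65 = 'Base CRL not published to LDAP CDP'
    66 = 'Delta CRL not published to LDAP CDP'
    91 = 'Policy module could not contact AD'
}

function Get-CaAdEvents {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificationAuthority'   # assumed provider name
        Id           = 44, 65, 66, 91
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $code = ConvertFrom-CaHResult $_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Symptom = $NetworkSymptoms[$_.Id]
            Win32   = $code.Win32
            Error   = $code.Message
        }
    }
}

function Test-CaDomainPath {
    # The nltest /sc_verify check suggested in the thread, plus a DC locator call.
    # Both fail while the virtual NIC is disabled, which is the expected state here;
    # if they still fail after reconnecting, the computer account itself needs attention.
    $domain = $env:USERDNSDOMAIN
    [pscustomobject]@{
        Domain        = $domain
        DcLocator     = (nltest /dsgetdc:$domain 2>&1 | Select-String 'DC:|ERROR' | ForEach-Object { "$_".Trim() })
        SecureChannel = (nltest /sc_verify:$domain 2>&1 | Select-String 'Status' | ForEach-Object { "$_".Trim() })
    }
}

# Constructed sample texts carrying the two codes quoted in the thread
$samples = @(
    'Could not publish a Base CRL ... 0x8007003a (WIN32: 58).',
    'Policy Module "Initialize" method returned an error ... 0x8007054b (1355).'
)
$samples | ForEach-Object { ConvertFrom-CaHResult $_ } | Format-Table -AutoSize

# On the upgraded CA itself:
# Get-CaAdEvents | Format-Table -AutoSize
# Test-CaDomainPath
```

Win32 58 resolves to "The specified server cannot perform the requested operation." and 1355 to "The specified domain either does not exist or could not be contacted.", matching the event text. A useful discipline once the NIC is enabled is to re-run Get-CaAdEvents and confirm no new 44/65/66/91 entries appear after the reconnect time; errors that persist with a working secure channel point at CA configuration rather than connectivity.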
