Migrating Windows Certificate Authority Server from Windows 2003 Standard to windows 2008 Enterprise Server

Hakan Uzuner (@hakanuzuner)
Illustrious Member, Administrator, Topic starter

I have shared many videos and articles describing the steps needed to upgrade your Active Directory infrastructure from the 2003 version to the 2008 version. In this article I will try to explain how, if your existing environment also hosts a Certificate Authority, you can make sure that this service still works correctly after the migration.

First of all, I want to say that what I describe here is quoted from the source below, so if you prefer you can go through that document directly:

Active Directory Certificate Services Upgrade and Migration Guidance

Another useful link on this subject that I am sharing with you:

http://technet.microsoft.com/en-us/library/ee126170%28WS.10%29.aspx

What I will do is pull the essential points out of that whole document for you.

If you have a 2003 DC with a CA on it, the steps you need to take to move it to a 2008 environment are as follows:

Moving Certificate Server in Simple Steps

  1. Perform a System State backup on the source CA server
  2. Back up the CA from the CA console
  3. Back up the CA registry configuration
  4. Uninstall the CA from the source server using Add/Remove Programs
  5. Install the CA as a role on the target Windows 2008 computer using the existing certificate and key
  6. Restore the CA database on the target CA
  7. Import the CA registry configuration on the target CA
  8. Complete post-migration tasks

Perform a System State backup on the source CA

  1. Log in to the source server and take a System State backup with Ntbackup to C:\CertBackup

Back up the CA from the CA console

  1. Open the Certification Authority snap-in.
  2. Right-click the node with the CA name, point to All Tasks, and then click Back Up CA.
  3. On the Welcome page of the CA Backup wizard, click Next. On the Items to Back Up page, select the Private key and CA certificate and Certificate database and certificate database log check boxes, enter the backup location, and then click Next.
  4. On the Select a Password page, enter a password to protect the CA private key and click Next.
  5. On the Completing the Backup Wizard page, click Finish.
  6. This creates the following in C:\CertBackup (the .p12 file contains the CA certificate and private key, protected by the password from step 4):

  • cozumpark.com.p12
  • Database

Back up the CA registry configuration

  1. Click Start, point to Run, and type regedit to open the Registry Editor.
  2. In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, right-click Configuration, and then click Export.
  3. Enter a location and file name, and then click Save. This creates a .reg file with the registry configuration information for your CA.
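
As an added example (not from the original post or the Microsoft guidance it quotes), here are the three source-side backup steps scripted in PowerShell so that they can be repeated and checked. It assumes PowerShell is installed on the Windows 2003 source CA (the ntbackup, certutil and reg commands are the same from cmd.exe), the C:\CertBackup folder used in the steps, and a placeholder password:

```powershell
# Added example, not from the original post: scripted source-side backup.
# Assumptions: PowerShell on the 2003 source CA, C:\CertBackup as backup folder,
# 'CHANGE-ME' as a placeholder for the password that protects the CA private key.
$BackupDir   = 'C:\CertBackup'
$KeyPassword = 'CHANGE-ME'

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# Step 1: System State backup with ntbackup (Windows 2003). /j names the job, /f the .bkf file.
ntbackup backup systemstate /j 'CA System State' /f "$BackupDir\SystemState.bkf"
if ($LASTEXITCODE -ne 0) { throw "ntbackup failed with exit code $LASTEXITCODE" }

# Step 2: CA backup. -backup writes <CAName>.p12 (CA certificate + private key, protected
# by -p) and a DataBase subfolder (certificate database and logs). Same result as
# All Tasks -> Back Up CA in the snap-in with both check boxes selected.
certutil -p $KeyPassword -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# Step 3: export the CertSvc Configuration key to a .reg file.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc-Configuration.reg"
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Check that every artefact the later steps depend on is present before uninstalling the CA.
$Expected = @(
    "$BackupDir\SystemState.bkf",
    "$BackupDir\DataBase",
    "$BackupDir\CertSvc-Configuration.reg"
)
$P12 = Get-ChildItem -Path $BackupDir -Filter '*.p12'
$Missing = @($Expected | Where-Object { -not (Test-Path $_) })
if ($Missing.Count -gt 0 -or -not $P12) {
    throw "Backup incomplete, missing: $($Missing -join ', ')$(if (-not $P12) { ', <CAName>.p12' })"
}

# The folder now holds the CA private key: list it so you know exactly what must be
# protected while it is copied to the target server.
Get-ChildItem -Path $BackupDir -Recurse | Select-Object FullName, Length
```

The script stops at the first failed command, which matters here because the next step in the procedure is uninstalling the CA; you do not want to reach that step with an incomplete backup.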

Uninstall the CA from the server using Add/Remove Programs

  1. Go to Add/Remove Programs -> Add/Remove Windows Components -> click Certificate Services and clear the Certificate Services CA and Certificate Services Web Enrollment Support check boxes.

Install the CA as a role on the target computer using the existing certificate and key

  1. Install a new Windows 2008 Enterprise Edition server.
  2. Open Server Manager and add a new role.
  3. Select Active Directory Certificate Services.
  4. Select Certification Authority and click Next.
  5. Select Enterprise CA and click Next.
  6. Select Use existing private key as shown below, then select "Select a certificate and use its associated private key" and click Next.
  7. Click the Browse button to search for the folder containing the certificate and private key that you exported from the source computer.
  8. Enter the password that was used for the export.
  9. Next, Next, and click Install.

Restore the CA database on the target CA

  1. Open the Certification Authority snap-in.
  2. Right-click the node with the CA name, point to All Tasks, and then click Restore CA. Click OK to confirm stopping the CA service.
  3. In the CA Restore wizard, on the Welcome page, click Next.
  4. On the Items to Restore page, select Certificate database and certificate database log. Click Browse, and navigate to the location of the Database folder that contains the CA database export files created when you previously exported the CA database.
  5. Enter the password you used to export the CA database from the source CA, if a password is requested.
  6. Click Finish, and then click Yes to confirm restarting the CA.

Import the CA registry configuration on the target CA

  1. Double-click the registry file that you exported from the source server to import it into the server, and click Yes to confirm.
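
As an added example (again not from the original post), the restore and registry-import steps above as a PowerShell script run on the Windows 2008 target CA, after the role has been installed with the existing key through Server Manager. It assumes the backup folder was copied to C:\CertBackup on the target and that the .reg file is named CertSvc-Configuration.reg (both are assumptions):

```powershell
# Added example, not from the original post: target-side restore of the CA database
# followed by the registry import. Assumes C:\CertBackup was copied from the source CA
# and that the registry export was saved as CertSvc-Configuration.reg.
$BackupDir = 'C:\CertBackup'
$RegFile   = "$BackupDir\CertSvc-Configuration.reg"

if (-not (Test-Path "$BackupDir\DataBase")) { throw "CA database backup not found under $BackupDir" }
if (-not (Test-Path $RegFile))              { throw "Registry export not found: $RegFile" }

# Restore CA in the snap-in stops the service, replaces the database files and starts it
# again. -restoreDB restores only the database and logs (the key was already supplied when
# the role was installed); -f overwrites the empty database the role installation created.
Stop-Service -Name CertSvc
certutil -f -restoreDB $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -restoreDB failed with exit code $LASTEXITCODE" }

# Import the configuration exported on the source CA. The file still contains the source
# host name in CAServerName and in the publication URLs; those are corrected and verified
# in the post-migration tasks, so do not skip that section after this import.
reg import $RegFile
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

Start-Service -Name CertSvc

# Confirm the CA answers requests and show which CA subkey is active and what it thinks
# its server name is, so the values inherited from the source are visible right away.
certutil -ping
if ($LASTEXITCODE -ne 0) { throw "certutil -ping failed: the CA service is not responding" }

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)
"Active CA    : $caName"
"CAServerName : $($ca.CAServerName)  (this host is $env:COMPUTERNAME)"
```

If CAServerName printed at the end still names the 2003 server, the CA runs but its configuration points at the old host; that is exactly the state the post-migration checks further down are meant to catch.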

Complete post-migration tasks

Updating CRL Distribution Point and Authority Information Access Extensions

  1. Log in to the new Windows 2008 CA server.
  2. Open the Certification Authority MMC.
  3. Right-click the CA, open the Extensions tab (under Properties), click Add, and add the line below, replacing SourceServername with the name of the source server:

ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=SourceServername,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

  4. Check Publish CRLs to this location.
  5. Check Publish Delta CRLs to this location.
  6. Click Apply and OK.
  7. Verify that the CA can publish CRLs to the new location.
  8. Open the Certification Authority snap-in.
  9. Right-click Revoked Certificates, point to All Tasks, and click Publish.
  10. Click either New CRL or Delta CRL only, and click OK.
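
The same CDP change and CRL publication can be done from PowerShell on the target CA; this is an added example, not part of the original post. The registry stores the extension template with %-tokens instead of the <Variable> names shown in the snap-in, so the script writes that form. $SourceServerName is an assumed placeholder for the old CA host name:

```powershell
# Added example, not from the original post: add the CDP entry that points at the old
# server's container in AD and publish a CRL. $SourceServerName is a placeholder.
$SourceServerName = 'SourceServername'

# Registry form of the template shown in the post. Token mapping as used by CertSvc:
#   %7 = <CATruncatedName>  %8 = <CRLNameSuffix>
#   %6 = <ConfigurationContainer>  %10 = <CDPObjectClass>
# The numeric prefix is the sum of the check boxes: 1 = "Publish CRLs to this location",
# 64 = "Publish Delta CRLs to this location", so 65 matches steps 4 and 5.
$NewUrl = "65:ldap:///CN=%7%8,CN=$SourceServerName,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$caKey  = Join-Path $cfg $caName
$urls   = @((Get-ItemProperty -Path $caKey).CRLPublicationURLs)   # REG_MULTI_SZ

if ($urls -contains $NewUrl) {
    "CDP entry already present, nothing to change"
} else {
    # Append rather than replace: the existing file/HTTP/LDAP entries must survive.
    Set-ItemProperty -Path $caKey -Name CRLPublicationURLs -Value ($urls + $NewUrl) -Type MultiString
    # CertSvc reads CRLPublicationURLs at start-up, which is why the snap-in restarts the service.
    Restart-Service -Name CertSvc
}

# Steps 7-10: publish a new base CRL. A publication failure here usually means the target CA
# lacks write access to the old server's CDP container; that is what the ACL section fixes.
certutil -CRL
if ($LASTEXITCODE -ne 0) {
    throw "CRL publication failed (exit code $LASTEXITCODE); check the CA event log and the ACLs on CN=$SourceServerName,CN=CDP"
}

# Show the final list so the new entry can be eyeballed next to the existing ones.
(Get-ItemProperty -Path $caKey).CRLPublicationURLs
```

Run it once; the script is idempotent because it checks for the entry before appending, so a second run only republishes the CRL.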

To verify ACLs on the AIA and CDP containers

  1. Log in to a DC and open Active Directory Sites and Services.
  2. In the console, click the top node.
  3. Click View and then Show Services Node.
  4. You will find the Services folder on the left; expand it to reach Public Key Services as shown below.
  5. Expand Public Key Services.
  6. Click the AIA folder and, in the details pane, select the name of the source CA.
  7. On the Action menu, click Properties.
  8. Click the Security tab, and then click Add.
  9. Click Object Types, click Computers, and then click OK.
  10. Type the host name of the target CA, and click OK.
  11. In the Allow column, select Full Control, and click OK.
  12. In the left pane, select CDP and the host name of the source CA.
  13. In the details pane, select the first CRL object.
  14. On the Action menu, click Properties, and then click the Security tab.
  15. In the list of permitted group or user names, select the name of the source CA, click Remove, and then click Add.
  16. Click Object Types, select Computers, and then click OK.
  17. Type the host name of the target CA, and click OK.
  18. In the Allow column, select Full Control, and then click OK.
  19. In the details pane, select the next CRL object, and repeat steps 14 through 18 until you have reached the last object.

Verifying the registry

  1. Verify that CAServerName is a registry string value located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\ registry key. It should be updated to represent the DNS name or the host name of the new CA host.
  2. Verify that CACertPublicationURLs and CRLPublicationURLs are both registry multi-string values located under the same key as CAServerName.
  3. Check the remaining registry values under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc registry key, with emphasis on any values that have been customized, to ensure that they are free of data containing the old CA host name or other invalid CA settings. For example:

  • Configuration\ConfigurationDirectory
  • Configuration\CAName\CACertFilename
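
The three registry checks above can be automated; the following is an added example (not from the original post) that runs on the target CA and goes a little further than the list by walking every value under CertSvc for the old host name, not just the two named as examples. $OldHost is an assumed placeholder for the source server's name, and PowerShell 2.0 or later is assumed:

```powershell
# Added example, not from the original post: audit the CertSvc registry on the new CA.
# $OldHost is a placeholder for the source server's host name.
$OldHost = 'SourceServername'
$root    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc'
$cfg     = "$root\Configuration"
$caName  = (Get-ItemProperty -Path $cfg).Active      # name of the active CA subkey (the post's "CAName")
$caKey   = "$cfg\$caName"
$ca      = Get-ItemProperty -Path $caKey
$item    = Get-Item -Path $caKey

# Check 1: CAServerName must name this host, as short name or FQDN.
$hostPattern = '^' + [regex]::Escape($env:COMPUTERNAME) + '(\.|$)'
if ($ca.CAServerName -notmatch $hostPattern) {
    Write-Warning "CAServerName is '$($ca.CAServerName)' but this host is $env:COMPUTERNAME"
}

# Check 2: both publication URL lists must exist as REG_MULTI_SZ under the same key.
foreach ($name in 'CACertPublicationURLs', 'CRLPublicationURLs') {
    if ($item.GetValueNames() -notcontains $name) {
        Write-Warning "$name is missing under $caKey"
        continue
    }
    $kind = $item.GetValueKind($name)
    if ("$kind" -ne 'MultiString') { Write-Warning "$name is $kind, expected MultiString" }
}

# Check 3: walk every value under CertSvc (root key plus all subkeys) and report any
# string data that still contains the old host name. Multi-strings are joined so a
# single matching entry in a list is enough to flag the value.
$keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
$hits = foreach ($key in $keys) {
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]::Join("`n", @($key.GetValue($valueName)))
        if ($data -match [regex]::Escape($OldHost)) {
            "$($key.Name)\$valueName = $($data -replace "`n", ' | ')"
        }
    }
}

# The two customised values the post names as examples, shown regardless of a match.
"ConfigurationDirectory = $((Get-ItemProperty -Path $cfg).ConfigurationDirectory)"
"CACertFilename         = $($ca.CACertFilename)"

if ($hits) {
    Write-Warning "Values under CertSvc still referencing ${OldHost}:"
    $hits
} else {
    "No references to $OldHost found under CertSvc"
}
```

Treat every warning as something to fix before decommissioning the old server: a CAServerName or publication URL that still points at the 2003 host will keep working only for as long as that host exists.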

Yes, it is quite long, but considering the scale of the work we are doing it is an extremely important job.

Consultant - ITSTACK Bilgi Sistemleri
If you share the outcome here once your problem is solved, you will be helping others who run into the same problem. If your issue has been resolved, please mark it as "solved"; it makes things much easier for other members.

Posted: 08/02/2011 00:02

(@ufuktatlidil)
Illustrious Member

A very useful share. Thank you for your effort, hocam. It will save a lot of people a headache.

Posted: 08/02/2011 00:07