
I need to migrate our Certificate Services from one server to a new one.

I am following a guide and there is a stage where you back up the old CA. How do you test that backup? I want to be able to check that the backup is going to work before uninstalling the CA on the old server.

UPDATE:

In the screenshot below I have tested restoring to a test VM; the distinguished name when importing the certificate shows the name of the existing server, while the destination server is different.

RLBChrisBriant
    Backups are tested by restoring them in a temporary environment. This is the only way you can test them. – Crypt32 Feb 25 '20 at 11:02
  • Thanks, I created a virtual machine that is disconnected from the domain and ran a restore. I can see that it has managed to restore the private key as well as the certificate database, but there are limitations due to it not being on the COMPANY domain. Also the guide says that the new certificate server has to have the same name, why can't it be a different server name? – RLBChrisBriant Feb 25 '20 at 14:47
  • For several internal purposes, the CA keeps the host name in its config. This is why you need to restore a CA backup to a host with the same name. It can be restored to a host with a different name, but that is a kind of migration and requires extra steps to make things work normally. – Crypt32 Feb 25 '20 at 15:06
  • Okay, it might be easier then to just keep the same name. Do you have a link to the steps required if changing the server name? – RLBChrisBriant Feb 25 '20 at 15:15
  • If keys and database were restored normally, then the backup was OK. Keep in mind that the CA config shall be a part of the backup set along with keys and DB. Here is a link to the migration guide: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486797(v%3Dws.11) – Crypt32 Feb 25 '20 at 15:17
  • Okay, I have removed and reinstalled on the VM; the distinguished name in the summary shows the name of the old CA server, but the destination name is a different host name. Is that sufficient to fulfill the requirement of having the same name? I thought that I had to uninstall the old CA, shut down that server, rename the new server, wait for DNS to replicate and then restore. – RLBChrisBriant Feb 25 '20 at 16:25
  • Distinguished name is automatically set from PFX certificate used during CA restore from backup. Host names should match as well. – Crypt32 Feb 25 '20 at 16:50
  • Okay thanks, I will change the server host name. – RLBChrisBriant Feb 25 '20 at 16:52
  • The old CA currently has web enrollment installed. I don't think we use this anymore and the guy who set it up originally is no longer with the business, do you know how I can check to find out exactly? – RLBChrisBriant Feb 26 '20 at 10:24
  • What do you want to find? And this question is beyond the scope of this thread. Please try to ask more specific questions, because this board is not a discussion-oriented format. – Crypt32 Feb 26 '20 at 10:25
  • Hi, Thanks, I'll do some more investigation from my end and discuss with my colleague. The server has web enrollment configured and I was just wondering if there is a specific way to list clients which are enrolling using specifically that method. – RLBChrisBriant Feb 26 '20 at 11:22
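The thread settles on two points: a backup set must contain the CA keys, the database and the CA configuration, and the only real test is a restore into a temporary environment. The script below is an added example (not from the question or the comments) that takes such a backup set on the CA host and sanity-checks it before the old server is touched. It assumes it is run in an elevated PowerShell session on the CA, that `$BackupRoot` is a constructed path you change to suit, and that the PFX password is typed in interactively. `certutil -backup`, `reg export` and `Get-PfxData` are standard Windows tools; the `Test-CABackupSet` function and its file-name expectations are this example's own.

```powershell
# Added example: back up an AD CS CA (keys + database + config) and verify the set.
# Assumptions: elevated session on the CA host; $BackupRoot is a constructed path.
param(
    [string]$BackupRoot = 'D:\CABackup'   # constructed; pick a volume with free space
)

$ErrorActionPreference = 'Stop'
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $dest | Out-Null

# 1. Keys and database. certutil writes <dest>\<CAName>.p12 and <dest>\DataBase\*.edb.
$pfxPassword = Read-Host -AsSecureString 'Password to protect the CA key backup (PFX)'
$plain = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
certutil -p $plain -backup $dest
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 2. CA configuration. This is the piece the thread warns is easy to leave out,
#    and it is also where the CA records its own host name (CAServerName).
$cfgKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
reg export $cfgKey (Join-Path $dest 'CertSvc-Configuration.reg') /y
if ($LASTEXITCODE -ne 0) { throw "registry export failed with exit code $LASTEXITCODE" }

# 3. CAPolicy.inf and the published template list, both useful when rebuilding.
$caPolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $caPolicy) { Copy-Item $caPolicy $dest }
certutil -catemplates > (Join-Path $dest 'templates.txt')

# 4. Show the host name the CA has stored, so the rename requirement is visible
#    before the restore rather than discovered afterwards.
$cfg    = Get-ItemProperty "Registry::$cfgKey"
$caName = $cfg.Active
$caHost = (Get-ItemProperty "Registry::$cfgKey\$caName").CAServerName
Write-Host "CA '$caName' is configured for host '$caHost' (this machine: $env:COMPUTERNAME)"

# 5. Verify the set: PFX opens with the password and carries a private key,
#    a database file is present, and the config export exists.
function Test-CABackupSet {
    param([string]$Path, [securestring]$PfxPassword)
    $problems = @()

    $pfx = Get-ChildItem -Path $Path -Filter '*.p12' -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $pfx) {
        $problems += 'no CA key/certificate PFX (*.p12) in the backup set'
    } else {
        try {
            $data = Get-PfxData -FilePath $pfx.FullName -Password $PfxPassword
            $ca   = $data.EndEntityCertificates | Select-Object -First 1
            if (-not $ca) { $problems += 'PFX contains no end-entity (CA) certificate' }
            elseif (-not $ca.HasPrivateKey) { $problems += 'PFX does not carry the CA private key' }
            else { Write-Host "CA certificate in backup: $($ca.Subject)" }
        } catch {
            $problems += "PFX could not be opened: $($_.Exception.Message)"
        }
    }

    $db = Get-ChildItem -Path (Join-Path $Path 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
    if (-not $db) { $problems += 'no certificate database (*.edb) under DataBase\' }

    if (-not (Test-Path (Join-Path $Path 'CertSvc-Configuration.reg'))) {
        $problems += 'no CertSvc configuration export (.reg)'
    }
    return $problems
}

$issues = Test-CABackupSet -Path $dest -PfxPassword $pfxPassword
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Backup set is incomplete; do not decommission the old CA yet.'
}
Write-Host "Backup set at $dest passed checks. Next step: restore it on a throwaway host" `
           "(certutil -restore, then import the .reg) and confirm the service starts."
```

The checks in `Test-CABackupSet` only prove the set is complete and readable; as Crypt32 says, the backup is proven by restoring it. The host-name line is there because the thread's second discovery (the distinguished name and `CAServerName` come from the old server) is easier to deal with when you know the stored value before you build the test VM.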

0 Answers