LMS-8913 asked LMS-8913 answered

Migrate Enterprise Root CA from Windows 2012 R2 to Windows 2019

Hi

Our current Enterprise Root CA is on Windows 2012 R2; we are looking for some KBs on migrating the RCA to Windows 2019. Please suggest.

Thanks in advance

windows-server-security

HannahXiong-MSFT answered HannahXiong-MSFT commented

Hello,

Thank you so much for posting here.

Here are some documents talking about AD CS migration. Hope they could be helpful to you.

Performing the Upgrade or Migration
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)?redirectedfrom=MSDN

AD CS Migration: Migrating the Certification Authority
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140(v=ws.10)#BKMK_GrantPermsAIA

Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

For any question, please feel free to contact us.

Best regards,
Hannah Xiong

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Hello @LMS-8913,

We are checking in to see if the provided information was helpful. If the reply is helpful, we would appreciate it if you accepted it as the answer.

Please let us know if you would like further assistance. Thanks.

Best Regards,
Hannah Xiong


Hello @LMS-8913,

I am checking how the issue is going. If you still have any questions, please feel free to contact us.

Thank you so much for your time and support.

Best regards,
Hannah Xiong

LMS-8913 answered

Sorry... we are going through the provided KBs... will update you


LMS-8913 answered LMS-8913 edited

The provided blog "https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674" is a perfect one for reference. But we have a few concerns:

  • Internally we issue certificates to all servers and PCs for different purposes, and through GPO most of these certificates are renewed automatically. Here we created and are using certificate templates (for LDAP, RDP, SCCM, etc.). We believe that once we have migrated to the 2019 CA, we have to recreate all these certificate templates as mentioned in the blog, right?

  • All current certificate templates are issuing certificates with 2048 bits; as per the new security standard we have to issue certificates with 4098 bits. So we will create new templates with 4098 bits. A lot of expired and unused certificates are there in the CA, and once we create new templates with 4098 bits and re-issue certificates, the expired / revoked certificates will be even more. How can we do a cleanup of the CA (either before migrating the CA or after the migration)?

  • How can we achieve archival of all issued certificates' private keys? Is it a security best practice to do so? If we go with private key archival, how can we apply more security to the Enterprise CA? (We have only one Enterprise CA.)

  • SSL 2.0, 3.0 & TLS 1.0 & 1.1 and the weak ciphers RC4 128/128, RC4 40/128, RC4 56/128, RC4 64/128, Triple DES 168/168 are disabled. Is there any reference KB to harden ciphers and cipher suites specific to the CA server?

Thanks in advance


HannahXiong-MSFT answered

Hello,

Thank you so much for your kind reply.

1, We should record the assigned certificate templates before beginning the CA migration. The information is not automatically backed up as part of the CA database or configuration backup. Certificate templates and the association between enterprise CAs and certificate templates are stored in AD DS.

After the target CA is installed and the database and registry settings are restored, ensure that an enterprise CA is configured to issue certificates for all the templates for which the source CA was configured.

So we do not need to recreate all these certificate templates. We will need to reissue these certificate templates as mentioned in the provided blog.

2, To remove expired certificates from the CA database, we could refer to:

https://docs.microsoft.com/en-us/archive/blogs/xdot509/operating-a-windows-pki-removing-expired-certificates-from-the-ca-database

As for the revoked certificate, according to the below link, there is no need to delete the revoked certificates.

Link: https://social.technet.microsoft.com/Forums/office/en-US/334dce20-b604-441e-8747-2a3d2a4e0263/deleting-revoked-certificates?forum=winserversecurity

3, Hope something here might be helpful.

Private Key Archival and Recovery
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cersod/5369f124-e32f-4d3c-bfa1-4768f338d04a

Understanding Key Archival
https://docs.microsoft.com/zh-tw/archive/blogs/pki/understanding-key-archival

4, As per my research, there is no reference KB to harden ciphers and cipher suites for a CA server. I have found these documents, and we could check whether they help.

https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/restrict-cryptographic-algorithms-protocols-schannel

For any question, please feel free to contact us.


Best regards,
Hannah Xiong

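Point 1 above in script form, as an added example that is not from this thread or from Microsoft's migration guide: it records the templates the source CA issues and re-associates them with the target CA, using the ADCSAdministration cmdlets Get-CATemplate and Add-CATemplate (Windows Server 2012 and later). The -Mode switch and the CSV path are assumptions.

```powershell
# Added example (not from the thread). Run on the SOURCE CA with -Mode Export
# before migration, then on the TARGET CA with -Mode Import after the database
# and registry restore. Requires a CA administrator session.
param(
    [ValidateSet('Export', 'Import')] [string] $Mode = 'Export',
    [string] $Path = 'C:\CA-Migration\ca-templates.csv'   # assumed path
)
Import-Module ADCSAdministration

if ($Mode -eq 'Export') {
    # The list of templates a CA issues lives in AD DS, not in the CA
    # database, so a CA backup does not capture it. Record it explicitly.
    Get-CATemplate | Select-Object Name, Oid |
        Export-Csv -Path $Path -NoTypeInformation
    Write-Host "Recorded $((Import-Csv -Path $Path).Count) templates to $Path"
}
else {
    # Re-associate the recorded templates with the new CA. The templates
    # themselves still exist in AD DS; only the CA-to-template link is added.
    $wanted = Import-Csv -Path $Path
    $have   = (Get-CATemplate).Name
    foreach ($t in $wanted) {
        if ($have -contains $t.Name) { continue }
        Add-CATemplate -Name $t.Name -Force     # -Force skips the prompt
    }
    # Verify before pointing autoenrollment clients at the new CA.
    $now     = (Get-CATemplate).Name
    $missing = $wanted.Name | Where-Object { $now -notcontains $_ }
    if ($missing) { Write-Warning "Not issued by this CA: $($missing -join ', ')" }
    else          { Write-Host 'All recorded templates are issued by this CA.' }
}
```

The same two lists can be produced without the module via certutil -CATemplates on the source and certutil -SetCATemplates +TemplateName on the target.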


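For point 2, an added example (not from the thread or the linked article) of the expired-row cleanup with certutil -deleterow. It assumes certutil prints "Deleted N rows" after each call, a US-style MM/dd/yyyy date for the cutoff, and the backup folder shown; the one-month retention is an assumed policy.

```powershell
# Added example (not from the thread). Run on the CA as a CA administrator,
# either on the source CA before migration or on the target CA afterwards.
$Backup = 'D:\CA-Backup\before-cleanup'                        # assumed path
$Cutoff = (Get-Date).AddMonths(-1).ToString('MM/dd/yyyy')      # assumed retention

# 1. Back up the database first: row deletion cannot be undone.
certutil -backupdb $Backup
if ($LASTEXITCODE -ne 0) { throw 'Database backup failed; aborting cleanup.' }

# 2. certutil -deleterow removes only rows whose certificate EXPIRED before
#    the cutoff. Revoked certificates that are still inside their validity
#    period are not touched, so the CRL the CA publishes stays complete.
#    certutil stops after a few thousand rows per call, so repeat until it
#    reports that nothing was deleted.
foreach ($table in 'Cert', 'Request') {    # Request = failed/pending requests
    do {
        $out = certutil -deleterow $Cutoff $table 2>&1 | Out-String
        $m   = [regex]::Match($out, 'Deleted (\d+) rows')   # assumed output format
        $deleted = if ($m.Success) { [int]$m.Groups[1].Value } else { 0 }
        Write-Host "$table table: deleted $deleted rows"
    } while ($deleted -gt 0)
}
```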


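For point 4, an added example (not from the thread or the linked Schannel articles) that reads the Schannel registry keys those articles document and reports whether each protocol and cipher listed in the question is actually disabled on the CA host. The key names are the documented ones; "Triple DES 168" is the name in current documentation, while older builds used "Triple DES 168/168", which is an assumption to verify against the host.

```powershell
# Added example (not from the thread). Run on the CA host as an administrator.
$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelDword([string] $SubKey, [string] $Name) {
    # .NET registry API instead of the HKLM: provider: PowerShell paths treat
    # '/' as a separator, which breaks key names such as 'RC4 128/128'.
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelPath\$SubKey")
    if ($null -eq $k) { return $null }                # key absent: OS default applies
    try { $k.GetValue($Name) } finally { $k.Close() }
}

$report = foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $enabled = Get-SchannelDword "Protocols\$p\Server" 'Enabled'
    $byDef   = Get-SchannelDword "Protocols\$p\Server" 'DisabledByDefault'
    $note = if ($null -eq $enabled) { 'no explicit setting; OS default applies' } else { '' }
    [pscustomobject]@{
        Item              = "$p (server)"
        Disabled          = ($enabled -eq 0)          # Enabled=0 turns it off
        DisabledByDefault = ($byDef -eq 1)            # recommended alongside Enabled=0
        Note              = $note
    }
}
$report += foreach ($c in 'RC4 128/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'Triple DES 168') {
    $enabled = Get-SchannelDword "Ciphers\$c" 'Enabled'
    $note = if ($null -eq $enabled) { 'no explicit setting; OS default applies' } else { '' }
    [pscustomobject]@{
        Item              = "Cipher $c"
        Disabled          = ($enabled -eq 0)
        DisabledByDefault = $null
        Note              = $note
    }
}
$report | Format-Table -AutoSize

# Cipher suites Schannel will actually offer (Windows Server 2012 R2 and later).
Get-TlsCipherSuite | Select-Object -ExpandProperty Name
```

A "no explicit setting" result means the protocol or cipher follows the OS default for that Windows build, which is worth confirming rather than assuming after the move to 2019.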

LMS-8913 answered

Thanks Hannah

We are referring to the KBs...

What is the best practice on archiving private keys with Enterprise RCA? Is it a common practice?


HannahXiong-MSFT answered

Hello,

You are welcome. Thank you so much for your kind reply.

AD CS key archival can be performed either manually or automatically. Manual key archival requires users to export private keys and send them to a CA Administrator who imports them to the protected CA database. Automatic key archival is performed during the certificate enrollment process when a certificate template is configured to require key archival. During the certificate enrollment process, the private key is securely sent to the CA as part of the certificate request and is archived by the CA.

For more information about the best practice, we could refer to:

https://social.technet.microsoft.com/wiki/contents/articles/7573.active-directory-certificate-services-pki-key-archival-and-management.aspx

https://revocent.com/best-practices-for-securing-private-keys/

Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

Best regards,
Hannah Xiong


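An added example (not from the thread or the linked articles) that serves both the key-archival discussion above and the earlier template concerns: it reads every certificate template from AD DS and reports, per template, the minimum key size, whether the template requires private key archival, and whether it marks keys exportable. It assumes the ActiveDirectory RSAT module, read access to the Configuration partition, and 4096 bits as the target minimum. Archival is normally confined to encryption templates (such as EFS or S/MIME); a template that archives a signing or authentication key gives the CA a copy of a key whose whole value is that only the subject holds it.

```powershell
# Added example (not from the thread). Flag bits are the documented values
# of the msPKI-Private-Key-Flag attribute.
Import-Module ActiveDirectory
$MinKeyBits = 4096                                      # assumed target
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001
$CT_FLAG_EXPORTABLE_KEY               = 0x00000010

# Templates live in the forest Configuration partition, not on the CA.
$cfg  = (Get-ADRootDSE).configurationNamingContext
$base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"

Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
             -Properties msPKI-Minimal-Key-Size, msPKI-Private-Key-Flag |
  ForEach-Object {
    $keyFlags = [int]$_.'msPKI-Private-Key-Flag'
    $minBits  = [int]$_.'msPKI-Minimal-Key-Size'
    [pscustomobject]@{
        Template      = $_.Name
        MinKeyBits    = $minBits
        BelowTarget   = $minBits -lt $MinKeyBits        # needs a new template
        ArchivesKey   = ($keyFlags -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) -ne 0
        ExportableKey = ($keyFlags -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
    }
  } | Sort-Object Template | Format-Table -AutoSize
```

Templates with ArchivesKey set should be the encryption-only ones; anything else in that column is worth reviewing before the CA is given a key recovery agent.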


LMS-8913 answered

Thank You

We are documenting all and planning to do the migration in Jan... will update you
