matteu31400 asked ·

migration csp to ksp

Hello,

I am trying to migrate a CA on 2008 R2 from CSP to KSP but I have some difficulties...
1) Migrate CSP to KSP on my 2008 R2 server
2) Migrate SHA1 -> SHA2
3) Migrate to a 2019 server

1) I can't migrate without a 2012+ helper server. I need to export the key, import it on 2012 to migrate from CSP to KSP, and then export it again to import it on my 2008 R2 with the new KSP provider.

2) When I try to back up my 2008 R2 CA with the KSP provider, it doesn't work because the key can't be exported. I don't understand why. I used the Microsoft documentation for it:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn771627(v=ws.11)


Maybe my migration order is wrong and I need:
1) Migrate to a 2019 server
2) Migrate CSP to KSP on my 2008 R2 server
3) Migrate SHA1 -> SHA2

Thanks for your help.

windows-server-security

What is shown when you do:

 certutil -store my "<CA Serial Number>"

Replace "<CA Serial Number>" with the actual serial number of the CA certificate.

Hello @matteu31400,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

matteu31400 answered ·

Hello,

I tested yesterday in my lab.
Everything works perfectly in this order:

Source: 2008 R2 CSP SHA1
Destination: 2019 KSP SHA2

1) Migrate from 2008 R2 to 2019
Back up the CA + registry (certsvc\configuration)
Delete the CA on the source server
Install the CA on the destination server and use the cert .p12 from the backup.
Modify the server name in the registry configuration (if the server name is different) and import it on the new server

2) Migrate from CSP to KSP
3) Migrate from SHA1 to SHA2

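A helper for the "back up the CA + registry" step of the procedure above, as an added example that is not from the original thread or from Microsoft: it records the active CA's key provider and hash algorithm, backs up the database and key with certutil, exports the CertSvc\Configuration key, and rewrites CAServerName for the destination host. The backup directory and both host names are placeholders; run it in an elevated PowerShell on the source CA.

```powershell
# Added example (not from the thread): backup helper for a CA migration.
# Placeholders: backup directory, source host name, destination host name.
param(
    [string]$BackupDir     = 'C:\CABackup',   # placeholder
    [string]$OldServerName = 'OLDCA01',       # placeholder: current CA host name
    [string]$NewServerName = 'NEWCA01'        # placeholder: destination host name
)

$confKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Record the key provider and hash algorithm of the active CA before changing anything.
# A CSP-based SHA1 CA shows a legacy provider such as "Microsoft Strong Cryptographic
# Provider"; after the KSP/SHA2 steps it should show the Software Key Storage Provider
# and SHA256. Re-run this after each step to confirm the change took effect.
$caName = (Get-ItemProperty -Path $confKey).Active
Get-ItemProperty -Path "$confKey\$caName\CSP" |
    Select-Object Provider, ProviderType, CNGHashAlgorithm |
    Format-List

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1) CA database plus the CA certificate and private key (.p12). certutil -backup
#    exists on 2008 R2 and prompts for a password protecting the exported key. If the
#    key is not exportable (the problem in the question), this is where it fails.
certutil -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 2) Everything under CertSvc\Configuration (CRL/AIA paths, templates, CSP settings).
$regFile = Join-Path $BackupDir 'CertSvc-Configuration.reg'
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 3) The export names the source host in CAServerName. Rewrite it for the destination
#    when the host name changes, so the .reg file can be imported on the new server as
#    is. reg export writes UTF-16LE, so the file is written back in that encoding.
#    .NET file APIs are used so this also works on the PowerShell 2.0 of 2008 R2.
if ($OldServerName -ne $NewServerName) {
    $pattern     = '"CAServerName"="' + [regex]::Escape($OldServerName) + '"'
    $replacement = '"CAServerName"="' + $NewServerName + '"'
    $content = [System.IO.File]::ReadAllText($regFile)
    $updated = $content -replace $pattern, $replacement
    [System.IO.File]::WriteAllText($regFile, $updated, [System.Text.Encoding]::Unicode)
}

# Sanity check of the value that will be imported on the destination.
Select-String -Path $regFile -Pattern 'CAServerName' | ForEach-Object { $_.Line }
```

After importing the .reg file on the destination, the same Get-ItemProperty check shows which provider the restored CA is configured to use.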

Hello @matteu31400,
Thank you for your update and for sharing. I am very glad that the problem has been solved.
As always, if there are any questions in the future, we warmly welcome you to post in this forum again.
Please accept your helpful reply as the answer so that people can find similar cases with a helpful answer quickly. Thanks again!

Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered ·

Hello @matteu31400,

Thank you for posting here.

As I understand it, you have a one-tier PKI and you want to make the changes below:

1) Migrate CSP to KSP on my 2008 R2 server
2) Migrate SHA1 -> SHA2
3) Migrate to a 2019 server

Please check how many root CA certs you have: right-click the CA, select Properties and check the General tab.

Check whether you can export the private key of these root CA certs.

If you cannot export the private key of the root CA certs, you will not be able to do the migrations above.

Then I suggest rebuilding a new PKI on Windows Server 2019 with KSP and SHA2.

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

matteu31400 answered ·

Hello,

Thank you for your answer.
I just tested it in the lab.

I created a 2008 R2 VM with the CSP provider and I don't know the right way to migrate it to KSP, then SHA2 and then 2019.

When I migrate to SHA2 I create a new cert, but I can't export the private key because the operation is not supported (probably because of the KSP provider on 2008 R2).

I will probably try to first migrate to 2019 and then KSP and SHA2 to see if the result is the same.
I only have "small customers" and I prefer to migrate in one shot instead of side by side, but I need to find a working way :)

Thanks


Hello @matteu31400,

Thank you for your update.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
