LRL-0577 asked DaisyZhou-MSFT commented

Certificate Server Name change

Our company's issuing certificate server is a Windows Server 2008 R2 and we would like to transfer the service to a new Windows Server 2016 Standard server.
The new Win2016 server will have a different hostname.

My questions are:
1. What considerations will I need to keep in mind now that the service is running on a new server and hostname?
2. How will the previously issued certificates be handled as the CRL Distribution Points and the Authority Information Access information entries point to the old hostname?
3. Do I need to rename the new server to match the previous hostname?

I planned to follow the instructions on https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674, which recommends using the same name.

Your thoughts?
Thanks




windows-server-security

DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @LRL-0577,

Thank you for posting here.
Based on the description above, I understand you have a one-tier, domain-joined Enterprise CA server.

Here are the answers for your reference.

Q1. What considerations will I need to keep in mind now that the service is running on a new server and hostname?

A1: Considerations for migrating a CA to a new machine:

  1. When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must remain unchanged.

  2. By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.

  3. During the installation process, we must choose to use the CA's existing certificate and private key instead of creating a new CA certificate and key.


Q2. How will the previously issued certificates be handled as the CRL Distribution Points and the Authority Information Access information entries point to the old hostname?

A2: By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.

Q3. Do I need to rename the new server to match the previous hostname?

A3: When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must remain unchanged.


Q4. "...which recommends using the same name."
A4: Based on my experience, if we migrate the CA to a new machine with the same hostname:

First we need to backup all CA information mentioned in the link you provided.
Then remove the old 2008 R2 CA machine from the domain, add the new 2016 server to the domain, and restore the CA information to the new 2016 machine.

This is because there cannot be more than one machine with the same computer name in the same domain.


References
AD CS Migration: Migrating the Certification Authority
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140(v=ws.10)#BKMK_GrantPermsAIA

Performing the Upgrade or Migration
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
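As an added example (not code from the thread or from Microsoft's migration guide), one way to carry out the "publish to the old path as well as the new path" advice from A1/A2 on the new server, in PowerShell. It assumes the default AD CS URL templates (where %1 is the CA host's DNS name and %3 the CA name), and `oldca.corp.example` / `corp.example` are placeholders for the retired 2008 R2 server's FQDN and the DNS zone.

```powershell
# Added example, not from the thread. Run elevated on the NEW 2016 CA after the restore.
$OldFqdn = 'oldca.corp.example'   # placeholder: pre-migration CA host FQDN
$Zone    = 'corp.example'         # placeholder: DNS zone of both hosts

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty $cfgRoot).Active       # CA name, which the migration keeps
$caKey   = Join-Path $cfgRoot $caName
$current = Get-ItemProperty $caKey

# Keep a copy of the current REG_MULTI_SZ templates before changing anything.
$current.CRLPublicationURLs    | Set-Content "$env:TEMP\CRLPublicationURLs.before.txt"
$current.CACertPublicationURLs | Set-Content "$env:TEMP\CACertPublicationURLs.before.txt"

# Certificates issued before the move carry an AIA URL of
#   http://<old FQDN>/CertEnroll/<old FQDN>_<CA name>.crt
# The default template names the file after the CURRENT host (%1_%3%4.crt), so add a
# second, publish-only entry (flag 1) that also writes the CA certificate under the old
# file name. Flag 1 alone (not 2) keeps the old host out of newly issued certificates.
$oldNameCrt = "1:$env:SystemRoot\system32\CertSrv\CertEnroll\${OldFqdn}_%3%4.crt"
$aiaUrls = @($current.CACertPublicationURLs)
if ($aiaUrls -notcontains $oldNameCrt) {
    $aiaUrls += $oldNameCrt
    Set-ItemProperty -Path $caKey -Name CACertPublicationURLs -Value $aiaUrls -Type MultiString
}

# The default CRL file name (%3%8%9.crl) contains no host name, so the old CDP URL
#   http://<old FQDN>/CertEnroll/<CA name>.crl
# only needs the old FQDN to resolve to this server (and IIS to answer for it, which the
# default site's binding without a host header does). If the CRL template was customised
# to include %1, add a matching flag-1 CRL entry exactly as above.
Restart-Service certsvc
certutil -crl            # republish the CRL(s) to every "publish to this location" entry

# Point the old name at this server. Run on a DNS server that hosts the zone.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $OldFqdn.Split('.')[0] `
    -HostNameAlias "$($env:COMPUTERNAME).$Zone"

# Check with a certificate issued BEFORE the migration: -urlfetch actually retrieves
# every CDP and AIA URL embedded in it and reports any that cannot be reached.
certutil -verify -urlfetch 'C:\path\to\cert-issued-by-old-server.cer'   # placeholder path
```

Run the DNS step from a host with the DnsServer module and rights on the zone; the rest is local to the CA.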


LRL-0577 answered DaisyZhou-MSFT commented

Thanks for the explanations and reference links.

This information will help.


Hello @LRL-0577,
Thank you for your update and accepting my reply as answer. I am very glad that the information is helpful.
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

Best Regards,
Daisy Zhou

LRL-0577 answered DaisyZhou-MSFT commented

Hello Daisy
One follow up question. Do the migration instructions you provided also apply to an Issuing CA in a two-tier configuration?
Are there any additional considerations?
Thanks again


Hello @LRL-0577,

Do the migration instructions you provided also apply to an Issuing CA in a two-tier configuration?
Yes, I think so.

Are there any additional considerations?
As far as I know, these should be OK.

Tip: Please test the process of migrating the CA in a test environment first. If you then encounter a problem migrating the CA in the production environment, you will be better placed to solve it.


Best Regards,
Daisy Zhou
