OmoOba asked

Migrating 2012R2 CA to 2019

I am migrating a 2012R2 CA to 2019. I use the option to use an existing key. However, the new CA is asking me to send a certificate request to the root CA. I would like to reuse the old cert without issuing a new one. The private key is stored on an HSM and I can find the cert and key.


Hello @OmoOba,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @OmoOba,
I just want to confirm the current situation.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou

Crypt32 answered

It doesn't matter where the key is stored. A private key alone is not sufficient to migrate a CA; you need to have a certificate as well. Make sure the certificate is installed in the Local Machine\Personal store (certlm.msc), then make sure that the private key is associated with the certificate. You can force key association using certutil:

 certutil -csp "SafeNet Key Storage Provider" -repairstore my "<CertSerialNumber>"

where <CertSerialNumber> is the cert's serial number. If the command succeeds, then you will see a key icon on top of the certificate icon in the certificate manager.
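
A scripted version of the check described in this answer, as an added example that is not part of Crypt32's post: it lists the CA certificates in the Local Machine\Personal store and reports whether Windows has a private key associated with each one. The variable names are illustrative, and the provider name is the one quoted in the answer; substitute the key storage provider of your own HSM.

```powershell
# Added example: find CA certificates in Local Machine\Personal and report
# whether a private key is associated with each (the "key icon" in certlm.msc).
$store = 'Cert:\LocalMachine\My'
$ksp   = 'SafeNet Key Storage Provider'   # from the answer above; replace with your HSM's KSP
$basicConstraintsOid = '2.5.29.19'        # X.509 Basic Constraints extension

$results = foreach ($cert in Get-ChildItem -Path $store) {
    # Keep only certificates whose Basic Constraints mark them as a CA.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $basicConstraintsOid }
    if (-not $ext) { continue }
    $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension `
            -ArgumentList $ext, $ext.Critical
    if (-not $bc.CertificateAuthority) { continue }

    [pscustomobject]@{
        Subject       = $cert.Subject
        SerialNumber  = $cert.SerialNumber
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # true only if a key is linked to the certificate
    }
}

if (-not $results) {
    Write-Warning "No CA certificate found in $store. Install the old CA certificate there first."
}
$results | Format-Table -AutoSize

# For every CA certificate without a linked key, print the repair command from the answer.
foreach ($r in $results | Where-Object { -not $_.HasPrivateKey }) {
    Write-Warning "No private key associated with serial $($r.SerialNumber). Repair with:"
    Write-Host "  certutil -csp `"$ksp`" -repairstore my `"$($r.SerialNumber)`""
}
```

The script only reads the certificate store and does not contact the HSM; `HasPrivateKey` reflects the key association recorded on the certificate, which is what `-repairstore` sets.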

Crypt32 answered

You selected the wrong option in the first image. It selects only the private key without a certificate, and the installer needs to get a certificate through a request. You need to select "Select a certificate and use its associated private key" instead.

DaisyZhou-MSFT answered

Hello @OmoOba,

Thank you for posting here.

With this being a migration, select "Use existing private key" and "Select a certificate and use its associated private key", then click Next to continue.

For more information about CA migration, we can refer to the link below.

Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

OmoOba answered

Even if the private key is stored on HSM?
