NamlessShelter-6097 asked:

Certificate Authority (Root CA) Server Migration from 2012 to 2019

Hi there,

Please help with this.

Basically, we are running the CA service (only one CA server, running an Enterprise Root CA) on a Server 2012 box. Now we need to move the CA to a 2019 box. I had a look at this article: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

Got Four simple questions:

  1. With the new Server 2019, do we need to have the same name as the old 2012 server "CS01", or will any name do?

  2. In the last step mentioned in the link above, after restoring the old CA, it says "Right click on Certificate Templates Folder > New > Certificate Template to Reissue". What exactly does this do? What if I ignore it?

  3. We are running an Aruba ClearPass Wi-Fi RADIUS system, and all of our Windows and Mac machines are using this CA for 802.1X authentication. If the old CA server is taken off for that moment, will all devices be unable to authenticate with Wi-Fi?

  4. On AD, the old CA server will be taken off; will the new CA server be added automatically to the "Cert Publishers" group?

Thanks a lot,
ML


cthivierge answered:

If you don't remove the CDP entry, I think it should not cause issues.

Certificates 0 and 1 are the CA certificates. Both certificates have to stay there because the CA will publish a CRL for each certificate. Only when the CA certificate has expired will you be able to remove it.


Cool, I might leave the CDP there for a bit, just in case.

So the Enterprise Root CA has two certificates, #0 and #1. So the Root CA will expire with the second CA certificate in 2041, not 2032?

If I move the Root CA to a different Server 2019 box, will the CDP entries be updated automatically?

My last question: if for some reason the CA migration fails, can I urgently roll back the VMware guests for the servers CA01, AD01 and AD02 (two ADs for load balancing)?

Thanks
ML


Speaking of migrating the Root CA to a new host: in our VMware testing environment, I just did an in-place upgrade on CA01 (a Server 2012 box with only the CA role) to Server 2016 successfully... should I stick with the in-place upgrade if that is the case? How can I check to make sure all is working OK? Also, would a snapshot of the CA01 server work once I find some stuff is broken?

Thanks

cthivierge replied:

A snapshot of a server that has a database is always tricky.

If you stop the Certificate Authority service or stop the VM, then it should work.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/d9bfc8de-0703-4d12-8c55-ddb45fc2d1ce/using-snapshots-of-certificate-authority-ca-for-roll-back?forum=winserversecurity

You said that you haven't removed the ADCS role on the old CA server, am I right?
If so, the enrollment service still has the old server entry, and this may cause issues because when a user requests a certificate, it may try to reach the old offline CA. This is why we must uninstall the ADCS role during a migration process.


Cool, I will power off the server and capture the snapshot.

About this: "You said that you haven't removed the ADCS role on the old CA server, am I right?
If so, the enrollment service still has the old server entry, and this may cause issues because when a user requests a certificate, it may try to reach the old offline CA. This is why we must uninstall the ADCS role during a migration process."

No, what I meant is that I did an in-place upgrade: running the Windows Server 2016 installer directly on the CA01 server (Windows Server 2012), and finished the upgrade process on the same box. The CA server name is still CA01. Is this totally an OK thing to do? Any potential issues?

Also, if I migrate the Root CA properly to a different Server 2019 box, will the CDP entries be updated automatically after I import the backup files and registry etc.?

Thanks
ML


Also, how can I make sure the current CA is working properly?

Thanks
ML


Any updates mate?

Thanks

cthivierge answered:

If I remember correctly, when you uninstall the ADCS role, it will remove the CA server from the Enrollment Services. This will prevent a user or a computer from requesting a certificate from a Certificate Authority that does not exist anymore.

In your case, because it's a migration and not a complete CA decommission, I think only the CDP has to be removed...

From the document: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

Step 6: crlDistributionPoint object

  • Located in CN=ServerName,CN=CDP,CN=Public Key Service,CN=Services,CN=Configuration,DC=ForestRoot,DC=com.
  • Contains the CRL periodically published by the CA.
  • Published CRL Distribution Point (CDP) location.

In your case, you should see two CDP entries: the old CA server and the new CA server. Only delete the old CA server from the CDP.


No worries, I can see two CA servers, CA01 and Ex02, under Public Key Services -> CA and Enrollment Services.

So I have to delete the entry of the old mail server EX02? I do not know why this server had been added as a CA......

The actual Ex02 server has been powered off for a long time... So you are saying that if I do not delete this entry ex02, it can cause some further problems when migrating the current Root CA01 to a different Server 2019 box?

Also, I noticed on the actual CA01 server, in Certification Authority, if I right-click the domain name, under the General tab there are two CA certificates: #0 and #1. #0 will expire in 2032, #1 will expire in 2041; they have different serial numbers, and they are all issued to domainname-ca01-CA. Does it mean the CA01 server has two Root CA certificates?

Thanks
ML


What would happen if we leave the old CA ex02 and only move the Root CA CA01 to CA02?

Thanks
ML

cthivierge answered:

The CDP / AIA location is where the CRT / CRL are published. By default, an Enterprise CA will publish into AD. But you may have changed this value.

You can see this value if you open a certificate that has been issued by your CA.

Look for the two settings "Authority Information Access" and "CRL Distribution Point". You should have the location of those files there.

On the CA, those settings are registry values under the registry key
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\[CA Name]":
  • CACertPublicationURLs
  • CRLPublicationURLs

As I said, if it's published at the default location (AD), you should be good. Just check that the CRL is valid for long enough to complete the migration.

hth
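The registry check and the "CRL valid for long enough" check above, as an added PowerShell example that is not part of the thread: it lists the CA's CDP/AIA publication entries and reads NextUpdate from the base CRL the CA writes to its local CertEnroll folder. It assumes it runs on the CA host as a local administrator, one CA per server, and that `$MigrationWindowDays` is a threshold you choose (7 here is a constructed value).

```powershell
# Added example (not from the thread): list where this CA publishes its CA
# certificate (AIA) and CRL (CDP), then check how long the published base CRL
# stays valid. Assumes: run on the CA host as admin, one CA per server,
# certutil in PATH; $MigrationWindowDays is a constructed threshold.
param([int]$MigrationWindowDays = 7)

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caKey   = Get-ChildItem $cfgRoot | Select-Object -First 1   # subkey name = CA name
$ca      = Get-ItemProperty $caKey.PSPath
"CA: $($caKey.PSChildName)"

# Entries are "<flags>:<url>". Bit 1 = the CA publishes to this location,
# bit 2 = the location is written into the CDP/AIA extension of issued certs.
function Show-PublicationUrls([string]$Label, [string[]]$Entries) {
    "== $Label"
    foreach ($entry in $Entries) {
        $flags, $url = $entry -split ':', 2
        $f   = [int]$flags
        $pub = if ($f -band 1) { 'publish' } else { '-' }
        $inc = if ($f -band 2) { 'in-issued-certs' } else { '-' }
        '{0,-8} {1,-16} {2}' -f $pub, $inc, $url
    }
}
Show-PublicationUrls 'CRLPublicationURLs (CDP)'    $ca.CRLPublicationURLs
Show-PublicationUrls 'CACertPublicationURLs (AIA)' $ca.CACertPublicationURLs

# Base CRL validity: the CA also writes its CRLs to the local CertEnroll
# folder. Delta CRL files carry a '+' in the name and are skipped here.
$crlFile = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
    Where-Object { $_.Name -notmatch '\+' } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $crlFile) { Write-Warning 'No base CRL found in CertEnroll'; return }

# certutil -dump prints a "NextUpdate: <date>" line (date in the system locale).
$next = $null
foreach ($line in (certutil -dump $crlFile.FullName)) {
    if ($line -match '^\s*NextUpdate:\s*(.+)$') { $next = [datetime]::Parse($Matches[1]); break }
}
if (-not $next) { Write-Warning 'Could not read NextUpdate from the CRL'; return }

$daysLeft = [math]::Floor(($next - (Get-Date)).TotalDays)
"Base CRL $($crlFile.Name) valid until $next ($daysLeft days left)"
if ($daysLeft -lt $MigrationWindowDays) {
    Write-Warning "CRL expires within $MigrationWindowDays days; publish a fresh one (certutil -CRL) before taking the CA offline"
}
```

If the CDP entries show only the local path and an ldap:/// location, the CRL is reachable from AD while the old server is down, which is the default case described in the answer.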


Hi Hth,

One more thing: after I ran certutil to check the CA server on our Domain Controller, I noticed there are actually two CA server entries:

Entry 00 (which is the correct one):

CA01.domainname.local

Entry 01:

EX02.domainname.local

Ex02 is actually our old email server and is already powered off.

Do we need to do anything about it? Is it fine to leave it for good?

Thanks
ML
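The Enrollment Services / CDP inventory discussed in this comment and in the earlier answer about the crlDistributionPoint object, as an added PowerShell example that is not part of the thread. It is read-only: it lists the PKI objects in the AD configuration partition and flags hosts that no longer answer and CDP containers whose CRL has not been republished, which is how an entry like the powered-off EX02 shows up. It assumes the ActiveDirectory RSAT module and read access to the Configuration naming context.

```powershell
# Added example (not from the thread): inventory the PKI objects published in
# the AD configuration partition so stale CA entries (e.g. an old mail server
# that once held a CA role) are visible before a migration. Read-only; needs
# the ActiveDirectory RSAT module.
Import-Module ActiveDirectory
$pks = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Enrollment Services: one pKIEnrollmentService per enterprise CA. Clients pick
# a CA from this list when they request a certificate, so a dead host here is
# what sends requests to a CA that no longer exists.
"== Enrollment Services"
Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -SearchScope OneLevel `
        -Filter * -Properties dNSHostName, whenChanged |
    ForEach-Object {
        $up = if ($_.dNSHostName) {
            Test-Connection -ComputerName $_.dNSHostName -Count 1 -Quiet -ErrorAction SilentlyContinue
        } else { $false }
        '{0,-28} host={1,-28} reachable={2,-5} changed={3:yyyy-MM-dd}' -f `
            $_.Name, $_.dNSHostName, $up, $_.whenChanged
    }

# CDP: one container per CA *server* name, each holding cRLDistributionPoint
# objects; whenChanged on those shows when that server last published a CRL.
"== CDP"
Get-ADObject -SearchBase "CN=CDP,$pks" -SearchScope OneLevel -Filter * |
    ForEach-Object {
        $crls = @(Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                    -Filter 'objectClass -eq "cRLDistributionPoint"' -Properties whenChanged)
        $last = ($crls | Sort-Object whenChanged -Descending | Select-Object -First 1).whenChanged
        '{0,-28} crlObjects={1} lastPublished={2:yyyy-MM-dd}' -f $_.Name, $crls.Count, $last
    }

# AIA and Certification Authorities: CA certificates published to the forest.
foreach ($container in 'AIA', 'Certification Authorities') {
    "== $container"
    Get-ADObject -SearchBase "CN=$container,$pks" -SearchScope OneLevel -Filter * -Properties whenChanged |
        ForEach-Object { '{0,-28} changed={1:yyyy-MM-dd}' -f $_.Name, $_.whenChanged }
}
```

An entry that is unreachable and whose CDP container has not been written to in years is the kind of leftover the linked decommission article covers; this script only reports, it never deletes.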

cthivierge answered:

  1. It's not mandatory to have the same server name. You just need to change a registry value before importing the registry key.

  2. If the templates are not published after the migration, you have to publish them.

  3. Well... it depends on a few things:
    • Your certificate authority only issues certificates to clients that request one. Clients with a valid certificate will be able to authenticate.

    • You may have a RADIUS server in your environment, and it's this server that performs the authentication with the AD servers.

    • Is the CDP / AIA published location accessible to everyone if the server is offline?

  4. I don't remember if the new server will be added automatically to the Cert Publishers group. If it's not added automatically, just add it manually and restart the new Root CA server afterwards.

Follow this document for the migration steps... even if it's for 2012, it's the same process.
ref: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v%3Dws.11)

hth


Hi mate,

Thanks a lot,

It seems the migration of a CA is so simple. Maybe I worry too much about an outage. You are correct, the RADIUS server is actually Aruba ClearPass. It checks authentication with AD. Devices should already have the Root CA loaded. Just last time, I remember when the Root CA expired for my client's Windows policy server environment, I had to reload the CA for all devices... Nightmare....

"Is the CDP / AIA published location accessible to everyone if the server is offline?" What does this mean?

TA
ML

NamlessShelter-6097 answered:

Any Updates people?

Thanks
ML


LimitlessTechnology-2700 answered:

Hello @NamlessShelter-6097

The answer to the first question is:

Service migration from 2008 R2 to 2019 required the new Windows Server 2019 server to have the same name as the previous 2008 R2 server.

Regards,


Hi there,

So if we upgrade the CA from Server 2012 to 2019, we wouldn't need to have the same server name?

Thanks
Mang
