This blog post is all about how to migrate your certification authority root CA to Windows 2012 R2. If you have a proper Public Key Infrastructure implementation in place, then you most likely know how to design a PKI hierarchy and how to implement a PKI recovery plan. Having an offline root certification authority is good practice, and it provides the root of trust for your PKI hierarchy.
I remember when I blogged about installing an offline root CA on Server 2003, and I thought it would be a good idea to talk about migrating to a new operating system.
In this blog post we will walk through migrating your certification authority root CA to Windows 2012 R2, and we will cover each aspect of this migration: why you would go through such a migration, and how.
Chances are that you have an offline root CA that you installed years back, and that you bring up every once in a while to publish a CRL. The offline root CA is the first certification authority installed in your PKI hierarchy, and everything else depends on it.
You might be reluctant to bring it up every once in a while to publish a CRL, and I am sure you feel the same about upgrading it to Windows Server 2012 R2.
Some people are afraid to touch their offline root CA, because they do not want to risk affecting the health of their PKI structure, or perhaps because they lack the knowledge to understand how to migrate to a newer OS version, and what happens if things go bad.
I will try to share my thoughts on why, how and when you should upgrade or migrate your offline root CA to a newer operating system, Windows 2012 R2 in this case. Keep reading to learn how to migrate your certification authority root CA to Windows 2012 R2.
Why migrate to a newer version?
Someone might ask “why migrate your certification authority root CA to Windows 2012 R2?”. They might have a point: why migrate if everything has been working just fine for years?
I love to have all my systems running the latest bits. I cannot stand having legacy operating systems around. But that’s only me.
When it comes to why you should upgrade the operating system in general, it comes down to security, functionality and support lifetime.
If you are running your system on a very old operating system, chances are that the operating system is out of support, and no patches are released to protect your system from known vulnerabilities. From a security perspective it is always better to run your system on the latest operating system to get better support and security patches.
In terms of functionality, the certification authority service is a role inside Windows Server. Updating or migrating to a newer operating system means that you get new features for your certification authority. A root CA may not need that many features, but I am just pointing out that migrating to a newer operating system means a newer certification authority role and service, with more functionality, auditing features, and security enhancements.
One of the most important reasons to upgrade or migrate to a newer operating system is support for newer hash algorithms and new cryptographic operations. As you already know, SHA-1 is no longer a welcome hashing algorithm, as attackers could create collisions and break its security strength. A collision is when two different inputs produce the same hash output.
What items need to be migrated
When you are thinking about the steps to migrate your certification authority root CA to Windows 2012 R2, you might ask “what items or things need to be migrated from the old server to the new one?”
To answer this question, let us break down the components and information that a certification authority consists of:
- At the heart of any certification authority service is the CA private key. This key is used to sign the CRL files and the issued certificates.
- The second item is the information about issued and revoked certificates, along with any pending certificate signing requests. This information is held in the certification authority database.
- Finally, any certification authority has a set of configuration settings, like how often a CRL is issued. Those settings are stored in the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc.
So if we take the private key and the CA database, export that registry path, and move them to the new server, then our mission is accomplished.
Certificate templates are stored in Active Directory under the configuration partition, so there is no need to worry about them.
How to migrate to the newer OS version?
I want to give you some highlights on how to migrate your certification authority root CA to Windows 2012 R2. The procedure is simple and clear.
You have your existing root CA server running a legacy operating system. It is good practice to take a full backup of the root CA private key, its database and its configuration located inside the registry.
Now, bring up a new machine, install Windows 2012 R2 on it, and add the Active Directory Certificate Services role, as if you were deploying a new root CA server.
During the configuration wizard of the new root CA server, you choose to use an existing private key, the one you backed up from your existing root CA server.
After completing the installation of the new root CA server, restore the root CA database and import the exported configuration registry keys. That’s it.
The procedure is very easy, does not require deep knowledge of PKI and cryptography, and can be done in 15 minutes.
What if something went wrong?
When you plan to migrate your certification authority root CA to Windows 2012 R2, you might ask yourself “what if the migration does not work, and something bad happens?”.
Since the existing offline root CA and the new one are not connected to the network, there is no effect on your live environment. You can just follow the steps to try how things work for you, and then decide to stick with your current root CA. If you are comfortable with your new root CA, you can stick with it instead, and destroy the legacy root CA machine.
Migrate your certification authority root CA to Windows 2012 R2
What are the steps to do the actual migration?
To recap, migrating your certification authority root CA to Windows 2012 R2 requires four main steps:
- Back up the old root CA [certification authority DB, private key, and the CertSvc registry key].
- Install Active Directory Certificate Services on a new Windows 2012 R2 server.
- Restore the certification authority DB, private key, and the CertSvc registry key on the Windows 2012 R2 server.
- Perhaps decommission or destroy the old root CA.
Backup the old root CA
If you have a PKI recovery plan and an SLA for the certification authority, then you have an idea of how to back up a certification authority. Assuming you do not know how to do that, I will go through the steps to perform a backup of the old root CA. Let us start with a full backup of the old CA server:
- Log on to your root CA and open the Certification Authority console.
- Right-click the CA name and go to All Tasks > Back up CA....
- On the Items to Back Up page, choose Private key and CA certificate, and Certificate database and certificate database log. Choose a backup directory like C:\.
- On the Select a Password page, enter a strong password. This password protects the exported private key. Click Next and you are done.
- You have now successfully exported the CA private key and database. Let us move on and export the CA configuration from the registry.
- Open the registry editor and export the following key: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc.
- It is also a good idea to back up the CAPolicy.inf file in the C:\Windows directory, if it exists.
- Finally, make sure you document the state of the old root CA, such as:
  - Server name.
  - Drive layout.
  - Location of the folders where the CA database and logs are stored.
- I also recommend taking a full server backup and a system state backup of the old root CA server, just in case. A system state backup is the best bet for restoring a CA server.
Tip: if you are into typing extra commands to feel in control, you can use the following command to export the configuration of the old root CA.
certutil -getreg > C:\oldCA_config.txt
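The backup steps above can be scripted so that the backup set is complete and repeatable. The following is an added example and not code from the original post; it assumes an elevated PowerShell session (2.0 or later) on the old root CA, a hypothetical backup folder C:\CABackup, and reads the CA name and database paths from the CertSvc registry key the post describes. Every step is plain certutil or reg.exe, so each line can also be typed into cmd on an old server without PowerShell.

```powershell
# Added example, not from the original post: script the backup of the old root CA.
# Assumptions: elevated PowerShell (2.0 or later) on the old root CA; $BackupRoot is
# a hypothetical, empty folder; CA name and DB paths come from the CertSvc key.
$BackupRoot = 'C:\CABackup'
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Private key, CA certificate, database and database log. This is the same set
#    the console's "Back up CA..." wizard exports; -p supplies the password that
#    protects the exported private key. certutil -backup needs an empty folder.
$pw = Read-Host 'Password to protect the exported private key'
certutil -p $pw -backup $BackupRoot
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 2. CA configuration from the registry: a .reg file to merge on the new server, and
#    a text dump of the same settings for a later line-by-line comparison.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc "$BackupRoot\CertSvc.reg" /y | Out-Null
certutil -getreg | Out-File "$BackupRoot\oldCA_config.txt"

# 3. CAPolicy.inf, if one was used when the old CA was installed.
if (Test-Path "$env:SystemRoot\CAPolicy.inf") { Copy-Item "$env:SystemRoot\CAPolicy.inf" $BackupRoot }

# 4. Document what the new server must reproduce: server name, drives, DB/log paths.
$cfg    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$drives = Get-PSDrive -PSProvider FileSystem | ForEach-Object { "$($_.Name): $($_.Root)" }
@(
    "ServerName     = $env:COMPUTERNAME"
    "ActiveCA       = $($cfg.Active)"
    "DBDirectory    = $($cfg.DBDirectory)"
    "DBLogDirectory = $($cfg.DBLogDirectory)"
    "Drives         = $($drives -join '; ')"
) | Out-File "$BackupRoot\oldCA_state.txt"

# 5. SHA-256 manifest so the copy to the new server can be checked for corruption.
#    certutil -hashfile output: line 0 banner, line 1 the hex digest (older builds
#    print it with spaces), line 2 status; normalise to uppercase without spaces.
$manifest = Get-ChildItem $BackupRoot -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $digest = ((certutil -hashfile $_.FullName SHA256)[1] -replace '\s', '').ToUpper()
    '{0}  {1}' -f $digest, $_.FullName.Substring($BackupRoot.Length + 1)
}
$manifest | Out-File "$BackupRoot\manifest.sha256" -Encoding ASCII
```

The password is passed to certutil on the command line because certutil accepts nothing else; on a 2008 R2 or newer source server, Backup-CARoleService with a SecureString -Password is the cleaner alternative. The manifest is what lets you prove, on the new server, that the private key backup arrived byte for byte.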
Setup the new root CA on a Windows 2012 R2 server
To migrate your certification authority root CA to Windows 2012 R2, you have now performed a full backup of your legacy root CA server. It is time to prepare the new Windows 2012 R2 server that will host the new root CA role.
To do that, install Windows 2012 R2 on a new server with the same name and drive layout as the old root CA server, and make sure it is fully patched from the internet.
Follow the steps below afterwards:
- If the old root CA stores the CA database at C:\DB and the CA logs at C:\Logs, make sure to create these folders in advance on the new Windows 2012 R2 server.
- Copy the backup files from the old root CA server to the desktop of the new server.
- It is recommended that the drives match. So if you have C and D drives on the old root CA, make sure you have the same drives on the new Windows 2012 R2 server.
- On the new server, go to Server Manager and click Add roles and features.
- Select Active Directory Certificate Services on the Select server roles page.
- Since this is a root CA, pick only the Certification Authority role service. Complete the wizard till the end.
- Go to Server Manager again, click the flag icon that has a warning sign on it, and choose Configure Active Directory Certificate Services....
- On the Role Services > Select Role Services to configure page, select Certification Authority as the service to configure.
- On the Setup Type > Specify the setup type of the CA page, select Standalone CA.
- On the Private Key > Specify the type of the private key page, select Use existing private key. If you have already imported the old root CA private key from the backup set into the new server’s computer personal certificate store, select the first option; otherwise select the second one [Select an existing private key on this computer].
- In this step, you have to choose the old root CA private key file that you have from your backup.
- On the Certificate Database location page, make sure to choose the same location the old root CA has. Pre-create the folders if you are using custom locations.
- Now you have reached the end of the configuration wizard, and the only thing we have restored so far is the private key. Move on and open the Certification Authority console.
- In the Certification Authority console, right-click the CA name and choose All Tasks > Restore CA.
- On the Items to Restore page, choose only Certificate database and certificate database log. There is no need to choose Private key and CA certificate, as this was restored during the installation.
Note: on the Items to Restore page, if you click Browse and pick the folder named DataBase that the backup wizard on the old root CA generated, you will get an ugly error. The restore wizard expects you to choose the folder that contains a sub-folder called DataBase, not the DataBase folder itself.
- Now that we have restored the CA database, it is time to restore the configuration settings from the registry. To do that, on the new server, browse the registry to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, and back up that registry location just in case.
- Locate the registry backup file from the old CA server, copy it to the new server, right-click it and click Merge.
- The registry keys you have merged contain all the CA settings, including the CDP and AIA extensions. Just to make sure everything is fine, open the Certification Authority console on the new server and navigate to the CA properties. Compare them with the old root CA properties. Pay attention to the Extensions tab.
Now that you know how to migrate your certification authority root CA to Windows 2012 R2, you can confirm that everything is working fine by opening the Certification Authority console on the new server, making sure that the service is running, and that you can see the issued certificates listed. You can also verify that the revoked certificates, if any, are shown under the Revoked Certificates node.
You can also open the old root CA, navigate to the Certification Authority console, and compare each and every setting there with the new server, until you feel comfortable with the migration. I would also issue a CRL from the new server and make sure the CRL timestamp reflects today’s date.
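The restore and the verification described above (service running, issued and revoked certificates present, settings matching the old server, a fresh CRL dated today) can be done from an elevated PowerShell 4.0 session on the new server. This is an added example, not code from the original post. It assumes the ADCS role was already configured with the old private key through the wizard, that the backup folder (hypothetical name C:\CABackup, including the manifest and oldCA_config.txt produced on the old server) was copied to the same path, and that the CA publishes its CRL to the default local CertEnroll folder.

```powershell
# Added example, not from the original post: restore the database and the CertSvc
# configuration on the new Windows Server 2012 R2 root CA, then verify the result.
# Assumptions: ADCS role configured with the old private key via the wizard; backup
# folder (hypothetical C:\CABackup) copied to the same path; elevated PowerShell 4.0.
$BackupRoot = 'C:\CABackup'

# 0. Check the copied files against the manifest written on the old server.
Get-Content "$BackupRoot\manifest.sha256" | ForEach-Object {
    $expected, $file = $_ -split '  ', 2
    $actual = (Get-FileHash -Path "$BackupRoot\$file" -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "Hash mismatch for $file; copy the backup again" }
}

# 1. The database cannot be restored while the CA service is running.
Stop-Service certsvc

# 2. Database and log only; the key and CA certificate were supplied to the wizard.
#    As with the console wizard, -Path is the folder that CONTAINS the DataBase
#    subfolder created by the backup, not the DataBase folder itself.
Restore-CARoleService -Path $BackupRoot -DatabaseOnly -Force

# 3. Keep a copy of the fresh CertSvc key, then merge the old server's settings
#    (CDP/AIA extensions, CRL periods, validity period and so on).
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc "$BackupRoot\CertSvc.before-merge.reg" /y | Out-Null
reg import "$BackupRoot\CertSvc.reg"
Start-Service certsvc

# 4. Configuration drift: every differing line deserves a look (server name, DB and
#    log directories and extension URLs should match the old server exactly).
$old   = Get-Content "$BackupRoot\oldCA_config.txt"
$new   = certutil -getreg
$drift = Compare-Object $old $new | Where-Object { $_.InputObject -notmatch '^CertUtil:' }
if ($drift) { $drift | Format-Table -AutoSize }

# 5. Database content: count issued (Disposition 20) and revoked (Disposition 21) rows.
$ca      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$issued  = @(certutil -view -restrict 'Disposition=20' -out RequestID csv | Where-Object { $_ -match '^"?\d+"?\s*$' }).Count
$revoked = @(certutil -view -restrict 'Disposition=21' -out RequestID csv | Where-Object { $_ -match '^"?\d+"?\s*$' }).Count
"CA '$($ca.Active)': $issued issued, $revoked revoked certificates in the restored database"

# 6. Publish a CRL from the new server and confirm ThisUpdate is today. Assumes the
#    default local CDP path under CertEnroll; adjust if the CA publishes elsewhere.
certutil -CRL | Out-Null
$crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll" -Filter *.crl |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crl.FullName | Select-String 'ThisUpdate'

# 7. Signature algorithm of the CA certificate: a sha1RSA root is the cue that the
#    newer platform's SHA-2 support is the next thing to plan for.
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$($ca.Active)*" } | Select-Object -First 1
"CA certificate signed with: $($caCert.SignatureAlgorithm.FriendlyName)"
```

The registry export in step 3 gives you a way back if the merged settings turn out wrong: stop the service, import the before-merge file, and start it again. Steps 4 to 7 are read-only apart from CRL publication, so they can be rerun as often as you like while comparing the two consoles side by side.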
If everything seems to be working as expected, it is good practice to back up your new root CA server by:
- Taking a backup of the new root CA private key and CA database.
- Taking a system state backup.
- Perhaps taking a Windows full server backup.
Also, I would not forget to reset the password of the local administrator account on the new server, and to write full documentation of my root CA configuration.
As for the old CA, it is usually a virtual machine, so I would typically destroy the VM as it is no longer needed. I also want to recommend this YouTube video that goes through the whole process of how to migrate your certification authority root CA to Windows 2012 R2.