Step By Step Guide: Migrating Active Directory Certificate Service From Windows Server 2008/2008 R2 To Windows Server 2016

Introduction

With Microsoft ending support of Windows Server 2008/2008 R2 on January 14, 2020, in this blog post I explain on how to migrate your Microsoft Root Certificate Authority running on Windows Server 2003/2008/2008 R2 to Windows 2016. This post also explains on how to migrate your Certification Authority key from Cryptographic Service Provider (CSP) to a Key Storage Provider and on how to migrate from SHA1 to SHA2 (SHA256). Please note similar steps can be used to migrate from Windows 2008 R2/2012 R2 to Windows 2016 and or Windows Server 2019.

Backup Windows Server 2008/2008 R2 Certificate Authority Database And Its Configuration

  1. Log into your current CA Windows 2008/2008 R2 as member of the local administrator group
  2. Go to Start –> Administrator Tools –> Certificate Authority

  1. Right Click on your CA Server Node and select Back up CA –> All Tasks –> Back up CA

  1. “Certification Authority Backup Wizard” will open up, click “Next” to continue
  2. In the “Items to Back UP” wizard select “Private key and CA certificate” and “Certificate database and certificate database log”. Take note of the backup file path location where you will be saving the backup. Click on “Next” to continue.
  3. Provide a password to protect the private key and CA certificate file. Once password is provided click on “Next” to continue
  4. Backup the CA Registration Settings via regedit –> Start –> Run and type in regedit and click “OK”
  5. Expand the following key path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc once expanded Right Click on “Configuration” key and click on “Export”
  6. Provide a name and location to save the reg backup file. I suggest saving it in the same location of the CA backup example –> C:\CABackup

    Note: Files that you should currently have in your backup location

    At this point we now have a backup of your current CA files, move them off to the new 2016 CA server or to another server if the new CA 2016 server has not been built yet.

Uninstall CA From Existing 2008/2008 R2 Server

Since we now have a back up the our CA files and have moved them off the current 2008/2008 R2 CA server, it is time to uninstall the CA role from the existing CA server.

  1. Negative to the Server Manager and select the “Remove Roles” under Roles –> Start –>  Administrative Tools –> Server Manager
  2. Click “Next” at the Before You Begin wizard
  3. At the “Remove Server Roles” wizard page deselect Active Directory Certificate Services” and “Web Server (IIS)” and click “Next”. Note if you still require Web Server (IIS) leave it checked
  4. At the “Confirm Removal Selections” wizard page the output will look similar to the image below and might give you a warring, click on the “Remove” button. Note, be patient this process might take some time to complete
  5. At the “Removal Results” wizard page review the messages and click “Close” and perform a reboot of the server to complete the uninstall
  6. Once server has been rebooted log back in and the uninstall process will continue, once completed click on the “Close” button as shown in the next 3 images



At this point, we have completed uninstalling the CA role, the next step is to get the Windows 2016 CA services installed and configured. If the existing 2008/2008 R2 CA server is no longer needed it is recommended to remove it from your domain and delete the server (if it’s virtual) or power down if it’s physical. IMPORTANT NOTE, the new 2016 CA server should have the same computer name of the old 2008/2008 R2 CA server. This document DOES NOT explain how to use another name for your new 2016 CA server.

Install Windows 2016 Certificate Services

Assumption: A new virtual machine (preferred option) or physical 2016 server has been provisioned and joined to the domain with the same computer name as your old CA 2008/2008 R2 server. If possible, re-use the same IP as the old CA server.

  1. Log in to Windows 2016 as Domain Administrator or member of local administrator group and navigate to Server Manager –> Add roles and features
  2. At the “Add roles and Feature” wizard page click on “Next” to continue
  3. At the “Installation Type” wizard page select “Role-based or feature-based installation” and click on “Next”
  4. At the “Sever Selection” wizard page keep the defaults and click “Next”
  5. At the “Server Roles” wizard page, select “Active Directory Service” at the pop up window acknowledge the require features that are required and click on “Add Features” to add them
  6. Click “Next to continue
  7. At the “Features” wizard page select “.NET Framework 3.5 Features” and click “Next”
  8. At the “AD CA” wizard, page click “Next” to accept the defaults
  9. At the “Role Services”, page select “Certificate Authority” and “Certificate Authority Web Enrollment”. At the pop up window acknowledge the require features that are required and click on “Add Features” to add them
  10. Since Certification Authority Web Enrollment was selected, it will require IIS. It will give you a brief description about IIS. Select “Next” to continue
  11. At the “Role Services” wizard page, it gives you an option to add IIS role services. In my use case will leave it as default and click “Next” to continue
  12. Since we specified we wanted .NET Framework 3.5 features we need to provide an alternative source path to the “Microsoft-windows-netfx3-ondemand-package” cab file. Extract the file from the 2016 ISO or mount the 2016 ISO and point to the “sxs” directory located in sources –> sxs folder of the 2016 ISO. Click on “Install” to continue
  13. Once installation completes you can close the wizard

Configure AD CS

**Important Note** Perform the below steps as a user that is part of the “Enterprise Administrator” AD group

  1. Log in to the newly created 2016 server as an Enterprise Administrator and navigate to Server Manager –> AD CS
  2. On the right hand panel, a message will be displayed claiming “Configuration required for Active Directory Certificate Services…” click on “More” as shown below
  3. On the “All Servers Task Details and Notifications” wizard page click on “Configure Active Directory Certificate Service….” as shown below
  4. On the “Role Configuration” wizard page, it gives you the option to change the credential, if you are already logged as a member of the “Enterprise Administrator” than click next if not specify a user that is a member of the “Enterprise Administrator” group
  5. On the “Role Services” wizard page, select “Certification Authority” and “Certification Authority Web Enrollment” and click on “Next” as shown in the image below
  6. On the “Setup Type”, wizard page select “Enterprise CA” and click “Next” as shown in the image below
  7. On the “CA Type” wizard page, select “Root CA” as the CA type and click on “Next” as shown in the image below
  8. On the “Private Key” wizard page, select “Use existing private key” and “Select a certificate and use its associated private key” click on “Next” as shown in the image below
  9. On the “Existing Certificate” wizard page, select “Import” as shown in the image below
  10. On the “Importing Existing Certificate” wizard page select the key we backed up during the backup process  (Backup Windows Server 2008/2008 R2 Certificate Authority Database And Its Configuration)
    from the Windows 2008/2008 R2 server and provide the password we used to encrypt the key and click “OK” as shown in the image below
  11. Once the key gets imported successfully select the imported certificate and click on “Next” as shown in the image below
  12. On the “Certificate Database” wizard page, define where you like to store the certificate database if you do not want to accept the defaults. In this use case we have accepted the defaults, click “Next” as shown in the image below
  13. On the “Configuration” wizard page it will provide you an overview of the configuration confirmation, if you are satisfied click on “Configure” as shown in the image below
  14. On the “Result” wizard page click on “Close” as the installation is now complete as shown in the image below

 

Restore Certificate Database And Its Configuration

  1. Go to Server Manager –> Tools –> Certificate Authority as shown in the image below
  2. Within Certification Authority, right click on the CA server node –> All Tasks –> Restore CA as shown in the image below
  3. On the “Certification Authority Restore Wizard” click “OK” you be prompted to stop the ADCS services as shown in the image below
  4. At the “Welcome to the Certification Authority Restore Wizard” click on “Next” as shown in the image below
  5. At the “Items to Restore” wizard page select “Private key and CA certificate” and “Certificate database and certificate database log”. Browse to stored backup location of the backup files we took earlier and click on “Next” as shown in the image below
  6. At the “Provide Password” wizard page, enter the password you used to encrypt the backup files and click “Next” as shown in the image below
  7. At the “Completing the Certification Authority Restore Wizard” wizard page, click on “Finish” to complete the import process as shown in the image below
  8. Once the restore is complete it will ask you to start ADCS, click “Yes” as shown in the image below
    During the CA backup process, we exported a registry key; it is time to restore this key. Follow the steps below to complete the restore of the registry key.
  9. Navigate to the backup location of your CA backup files and double click on the registry key to import. On the “Are you sure you want to continue” prompt click “Yes” as shown in the image below
  10. Once the import of the registry key is complete click on “OK” as shown in the image below
  11. Restart the certificate services by stopping and starting the CA by navigating to the Certification Authority, right click on the CA server node –> All Tasks –> Stop Service as shown in the images below

 

We have now completed the installation and restore of the 2016 CA server. NOTE, you will need to reissue any certificate templates that were being used. To do so open up your CA server right click the CA server node –> Certificate Templates –> New –> Certificate Template to Issue as shown in the image below. If you do not see, your templates this means you have not restarted the CA services after the import of the backup registry key.

Migrate Certification Authority Key From Cryptographic Service Provider (CSP) To A Key Storage Provider (KSP)

If you have installed an enterprise or standalone certification authority (CA) that uses Cryptographic Service Provider (CSP) and want to upgrade your CA to use SHA2 (SHA256) than you must migrate that key to a Key Storage Provider (KSP). This migration would than let the CA support the latest enhanced key storage mechanism and stronger key and signature algorithms.

How To Check If My Certification Authority Key Is Cryptographic Service Provider or Key Storage Provider (KSP)

  1. Go to Server Manager –> Tools –> Certificate Authority as shown in the image below
  2. Right click on the CA server node –> All Tasks –> Properties as shown in the image below

Click on the “General” tab and select the active certificate, review the “Provider” display name and if it displays “Microsoft Strong Cryptographic Provider” (image #1) than its required to migrate your Certification Key to a Key Storage Provider (KSP). If it does not say “Microsoft Strong Cryptographic Provider” and instead shown as “Microsoft Software Cryptographic Provider” (image #2) than you can skip this part of the guide and head over to on how to Migrate from SHA1 to SHA2 (SHA256).

Image 1
Image 1
Image 2

 

Follow the below steps to proceed migrating your Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP) to support SHA2 (SHA256).

  1. Backup your CA settings using elevated PowerShell. Enter the following command within PowerShell along with a password as shown in the image below. *Note* you will be prompted to enter a password

Backup-CARoleService –path C:\CABackup\2016CABackup –Password (Read-Host –Prompt “Enter Password” -AsSecureString)

  1. Backup your CertSvc registry key by running the following command within the same PowerShell window as shown in the image below

reg export HKLM\SYSTEM\CurrentControlSet\services\CertSvc c:\CABackup\2016CABackup\CA-registry.reg

  1. Backup your CertSvc registry key by running the following command within the same PowerShell window as shown in the image below
  2. Validate you now have two files (.p12 and .reg) along with a database folder in your backup location directory (example 2016CABackup) as shown in the image below
  3. Stop the certificate service and export an output text file of your CA store by running the following commands as shown in the image below. **NOTE, YOUR-CA-Server is the name of YOUR CA**
    • Stop-service certsvc
    • Certutil –store my YOUR-CA-Server >C:\output.txt

 

  1. Open up the output.txt file and take a note of the hashes for the certificate(s) as shown in the image below
  2. Open up and Administrative PowerShell window and delete the Cert Hash with the following commands as shown in the image below
        • cd cert:\localmachine\my
        • Del –deletekey <Certificate HASH>

       

  1. Using the PowerShell command below, import the p12 file we backed up earlier, you will be asked to enter your PFX password you set earlier as shown in the image below

Certutil –csp “Microsoft Software Key Storage Provider” –importpfx C:\CABackup\2016Backup\FILE-NAME-OF-THE-P12

  1. Using the below PoweShell command, export the file as a PXF by typing in the following commands below within an Administrative PowerShell and take note of the folder it is being saved to. Note, replace “Your_CA_Server_Node_Name” with the name of your CA server, once command is entered it will ask you to “Enter and confirm a Password”

Certutil –exportpfx my YOUR_CA_Server_Node_Name C:\CABackup\Exported-YOUR_CA_Server_Node_Name.pfx

  1. Using the below PowerShell command, restore your CA from the PFX file you just exported by typing the command below in an Administrative PowerShell as shown in the image below

Certutil –restorekey C:\CABackup\Exported-YOUR_CA_Server_Node_Name.pfx

  1. We need to import a couple of Registry files. Note, replace YOUR_CA_Server_Node_Name with the name of your CA. Open up notepad and paste the following content below and save it as “CA-Registry-1.reg” (set the save as type to All Files) as shown in the image below

******

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\YOUR_CA_Server_Node_Name\CSP]

“ProviderType”=dword:00000000

“Provider”=”Microsoft Software Key Storage Provider”

“CNGPublicKeyAlgorithm”=”RSA”

“CNGHashAlgorithm”=”SHA1”

****

  1. Create another registry file called “CA-Registry-2.reg” and paste the below content replacing YOUR_CA_Server_Node_Name with name of your CA as shown in the image below

****

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ YOUR_CA_Server_Node_Name \EncryptionCSP]

“ProviderType”=dword:00000000

“Provider”=”Microsoft Software Key Storage Provider”

“CNGPublicKeyAlgorithm”=”RSA”

“CNGEncryptionAlgorithm”=”3DES”

“MachineKeyset”=dword:00000001

“SymmetricKeySize”=dword:000000a8

****

  1. Import both newly created registry file “CA-Registry-1” and “CA-Registry-2” as shown in the images below

 

 

Images of importing CA-Registry-2.reg file

 

 

This completes the migration of Certification Authority Key from Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP). In the next section of this blog I explain the necessary steps required to change the hashing algorithm to SHA2 (SHA256).

Migrate From SHA1 To SHA2 (SHA256)

In this section of this guide, I illustrate on how to migrate your current SHA1 to SHA2 (SHA256) which is only possible if your Certification Authority Key is a Key Storage Provider (KSP).

  1. Change the hashing algorithm to SHA2 (SHA256) and start the CA server by entering the following commands below in an Administrative PowerShell as shown in the image below
      • Net stop certsvc
      • Certutil –setreg ca\csp\CNGHashAlgorithm SHA256
      • Net start certsvc

  2. Renew the CA cert by navigating to your CA and right click your CA Server Node –> All Task –> Renew CA Certificate and when asked select “NO” to generating a new public key as shown in the below image

  1. Validate your new cert is now using SHA256 by navigating to your CA and right click your CA Server Node –> Properties –> General

  1. Reissue any certificate templates that are required. Note, the certificate templates should automatically pull SHA256 as the request hash however if it doesn’t change the Algorithm to something else and re-select “RSA”. To do this navigate to your CA and right click Certificate Templates –> Manage –> “Select the template in in question” –> Right Click the template –> Properties –> Click on the “Cryptography” Tab. Once it has been changed, change it back to “RSA” and “2048” should now be displayed as the minimum key size as shown in the image below

Note, after changing the certificate template Algorithm, if the certificate template is not being listed stop and start the CA service.

Conclusion

I hope this blog post has helped you migrate your existing Microsoft Certificate Authority from a non supported Operating System to a supported Operating System.

If you have any questions or comments please leave them below!

ITsPaul is a Managed Service Provider located in Ottawa, Ontario. We provide IT Support, Services and offer Web Development.

Leave a Reply

Your email address will not be published.

You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*