

Migration of CA certificates

2025-01-31 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/02 Report--

Preparation for the migration (all steps run on the source CA):

1. Back up the list of certificate templates published on the CA:

certutil -catemplates > c:\cabackup\catemplates.txt

2. Record the signature algorithm and the CSP/KSP that holds the CA key (the target CA must use a provider that can import a key of the same type; an HSM-held key needs the same HSM on the target):

certutil -getreg ca\csp\* > c:\cabackup\csp.txt

3. Publish a CRL with an extended validity period, so that relying parties still hold a valid CRL while the CA is offline during the migration. Raise CA\CRLPeriodUnits (and, if needed, CA\CRLPeriod) with certutil -setreg, restart the service, then run certutil -crl; note the original values so they can be restored on the target.

4. Back up the CA database and private key:

4.1 With PowerShell:

Backup-CARoleService -Path c:\cabackup

Note: -Path specifies the directory where the backup files are created. It can be a relative or an absolute path, and it is created if it does not exist. The database backup is written to a subdirectory called Database; the private key is exported to a password-protected PFX (.p12) in that directory. Use -Password to supply the password, and -DatabaseOnly or -KeyOnly to back up only one of the two.

4.2 With certutil.exe:

net stop certsvc

certutil -backupDB c:\cabackup\db   (the target folder must be empty)

certutil -backupkey c:\cabackup     (you are prompted for a password that protects the exported key; keep it, it is needed again on the target)

5. Back up the CA registry settings

5.1 With regedit.exe

Click Start, click Run, type regedit and press Enter to open Registry Editor. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, right-click the Configuration key and click Export. Specify a location and file name, then click Save. This creates a registry file containing the CA configuration data of the source CA.

5.2 With reg.exe

Open a command prompt window and type:

reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration <output file>.reg

Note: <output file> is the absolute path of the .reg file. Write it to a location the target server can reach, for example a shared folder or removable media.

6. Back up CAPolicy.inf

It lives in the C:\Windows folder (%SystemRoot%) and is only present if one was supplied when the CA was installed; copy it if it exists.

7. Stop the source CA (net stop certsvc) and do not start it again: two CAs must never issue with the same key and database at the same time.
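The preparation steps above collected into one script, as an added example that is not part of the original article; it is run elevated on the source CA. The backup root C:\cabackup, the 14-day CRL lifetime, the file names and the final check are assumptions, not values from the article.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): pre-migration backup of an AD CS CA.
# Run on the SOURCE CA. $Backup and the CRL lifetime below are assumptions.
$Backup = 'C:\cabackup'
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

# 1. Templates published on this CA (feeds certutil -setcatemplates on the target)
certutil -catemplates | Out-File "$Backup\catemplates.txt"

# 2. Signature algorithm and CSP/KSP of the CA key; the target must be able to
#    import a key of this provider and type (an HSM-held key needs the HSM there too)
certutil -getreg ca\csp\* | Out-File "$Backup\csp.txt"

# 3. Publish a CRL that outlives the migration window. Record the current
#    CRLPeriod/CRLPeriodUnits first so they can be put back on the target.
certutil -getreg CA\CRLPeriod      | Out-File "$Backup\crlperiod-original.txt"
certutil -getreg CA\CRLPeriodUnits | Out-File "$Backup\crlperiod-original.txt" -Append
certutil -setreg CA\CRLPeriod 'Days'   # assumed: a 14-day base CRL
certutil -setreg CA\CRLPeriodUnits 14
Restart-Service certsvc                 # the registry change takes effect on restart
certutil -crl                           # publish a new base CRL (and delta, if enabled)

# 4. Database + private key. The key is exported as a password-protected .p12,
#    the database into $Backup\Database. Keep the password; step 8.1 needs it.
$pw = Read-Host -AsSecureString -Prompt 'Password to protect the exported CA key'
Backup-CARoleService -Path $Backup -Password $pw -Force

# 5. Registry settings of the CA (/y overwrites an existing file)
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$Backup\CertSvc-Configuration.reg" /y

# 6. CAPolicy.inf, present only if one was used at install time
if (Test-Path "$env:SystemRoot\CAPolicy.inf") {
    Copy-Item "$env:SystemRoot\CAPolicy.inf" $Backup
}

# Check that everything the target needs is on disk BEFORE the source is stopped
$needed  = @("$Backup\catemplates.txt", "$Backup\csp.txt",
             "$Backup\CertSvc-Configuration.reg", "$Backup\Database")
$missing = $needed | Where-Object { -not (Test-Path $_) }
if ($missing -or -not (Get-ChildItem $Backup -Recurse -Filter *.p12)) {
    throw "Backup incomplete: $($missing -join ', ')"
}

# 7. Stop the source CA and keep it stopped: two CAs must never issue with the same key
Stop-Service certsvc
Set-Service certsvc -StartupType Disabled
```

Copy the whole C:\cabackup folder to the target server over a trusted channel; the .p12 is the CA's signing key, so treat the folder and its password with the same care as the CA itself.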

8. Restore data on the target server

8.1. When installing the Certification Authority role on the new server (AD CS configuration wizard), choose to use an existing private key and import the .p12 file exported from the source CA in step 4, supplying the password chosen there. This makes the new server the same CA (same CA certificate and key).

8.2. Restore the database

8.2.1. With PowerShell

Stop-Service certsvc

Restore-CARoleService -Path c:\cabackup -DatabaseOnly -Force

Start-Service certsvc

8.2.2. With certutil

net stop certsvc

certutil -f -restoredb c:\cabackup\db

net start certsvc

(-f overwrites the empty database created by the role installation; the path is the one given to -backupDB in step 4.2.)

8.3. Restore the CA registry settings

8.3.1. Import the source CA registry backup with reg.exe

Log on to the target server as a member of the local Administrators group, open a command prompt window and type:

net stop certsvc

reg import <Registry Settings Backup.reg>

where <Registry Settings Backup.reg> is the location of the registry file exported in step 5.

Then edit the imported settings. Click Start, type regedit.exe in the Search programs and files box and press Enter to open Registry Editor. In the console tree, locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

In the details pane, double-click DBSessionCount, click Hexadecimal, type 64 in Value data, and click OK.

Verify that the locations in the following values exist on the target server, and change them as needed so they point to where the CA database and log files live on the new server:

DBDirectory

DBLogDirectory

DBSystemDirectory

DBTempDirectory

8.3.2. Modify CAServerName

The imported settings still carry the source host name. If the target server has a different name, change CAServerName (under Configuration\<CA name>) to the name of the new CA server.

8.4. Restore the list of certificate templates

Log on to the target CA with administrative credentials, open a command prompt window and type:

certutil -setcatemplates +<templatelist>

where <templatelist> is the comma-separated list of template names recorded in catemplates.txt on the source CA, for example:

certutil -setcatemplates +Administrator,User,DomainController

8.5. Grant AIA and CDP container permissions (done on a domain controller, or from a machine with the AD DS tools)

If the name of the target server differs from that of the source server, the new CA's computer account must be granted permissions on the source server's CDP and AIA objects in AD DS; otherwise the migrated CA cannot publish its CRL and CA certificate there.

8.5.1. Log on as a member of the Enterprise Admins group and open Active Directory Sites and Services (dssite.msc). On the View menu, enable Show Services Node, then navigate to Services > Public Key Services. The AIA container holds the CA's certificationAuthority object; the CDP container holds a sub-container named after the source server.

8.5.2. On both objects, add the new CA's computer account with Full Control (on the CDP container, apply it to this object and all descendant objects).

Note: if the CDP extension publishes the CRL to a shared folder using the file://\\computer\share syntax, you may also need to adjust the share and NTFS permissions so the target CA can write to that folder. If the CDP or AIA URLs use an alias (for example pki.contoso.com) that is hosted on the target server, update the DNS record to point to the new server's IP address.
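Steps 8.1 to 8.5 collected into one script as an added example that is not part of the original article; it is run elevated on the target server, by an account that is also a member of Enterprise Admins for the AD permission step. The backup path, the -CAType value, the default CertLog location, the parsing of catemplates.txt, the RootDSE lookup via ADSI (so no RSAT module is required) and the final checks are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): restore on the TARGET server after the
# source backup folder was copied to $Backup. Paths and -CAType are assumptions.
$Backup  = 'C:\cabackup'
$Reg     = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$NewHost = $env:COMPUTERNAME

# 8.1 Install the role with the CA certificate and key exported from the source.
#     The .p12 name is whatever the backup wrote; -CAType must match the source CA.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
$pfx = Get-ChildItem $Backup -Recurse -Filter *.p12 | Select-Object -First 1
$pw  = Read-Host -AsSecureString -Prompt "Password of $($pfx.Name)"
# assumed CA type; use EnterpriseSubordinateCA etc. as appropriate
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile $pfx.FullName -CertFilePassword $pw -Force

# 8.2 Database: the role install created an empty one, -Force replaces it
Stop-Service certsvc
Restore-CARoleService -Path $Backup -DatabaseOnly -Force

# 8.3 Registry: import the source settings, then fix everything host-specific
reg import "$Backup\CertSvc-Configuration.reg" | Out-Null
$CaName  = (Get-ItemProperty $Reg).Active                  # name of the active CA
$OldHost = (Get-ItemProperty "$Reg\$CaName").CAServerName  # source host, still in the import
Set-ItemProperty $Reg -Name DBSessionCount -Value 0x64 -Type DWord
foreach ($n in 'DBDirectory','DBLogDirectory','DBSystemDirectory','DBTempDirectory') {
    $dir = (Get-ItemProperty $Reg).$n
    if (-not (Test-Path $dir)) {                  # source path does not exist on this host:
        $dir = "$env:SystemRoot\System32\CertLog" # fall back to the AD CS default, which is
        New-Item -ItemType Directory -Path $dir -Force | Out-Null   # where the DB was restored
        Set-ItemProperty $Reg -Name $n -Value $dir
    }
}
Set-ItemProperty "$Reg\$CaName" -Name CAServerName -Value $NewHost
# Publication URLs that hard-code the old host name would silently stop working
foreach ($n in 'CRLPublicationURLs','CACertPublicationURLs') {
    $urls = (Get-ItemProperty "$Reg\$CaName").$n
    if ($OldHost -ne $NewHost -and ($urls -match [regex]::Escape($OldHost))) {
        Write-Warning "$n still references $OldHost; fix the URL or keep a DNS alias for it"
    }
}
# If preparation step 3 lengthened the CRL lifetime, restore the original values now,
# e.g. certutil -setreg CA\CRLPeriodUnits <n> (recorded in crlperiod-original.txt).

# 8.4 Re-publish the same templates. certutil -catemplates prints one line per
#     template ("Name: DisplayName -- ...") plus a trailing "CertUtil: ..." status line.
$templates = Get-Content "$Backup\catemplates.txt" | ForEach-Object {
    if ($_ -match '^(?<name>[^:\s]+): ' -and $Matches.name -ne 'CertUtil') { $Matches.name }
}
certutil -setcatemplates "+$($templates -join ',')"

# 8.5 Let the new computer account write to the source server's AIA/CDP objects in AD.
#     dsacls ships with the AD DS tools; GA = full control, /I:T = this object and children.
$cfg  = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pki  = "CN=Public Key Services,CN=Services,$cfg"
$acct = "$env:USERDOMAIN\$NewHost`$"              # computer account, e.g. CONTOSO\NEWCA$
dsacls "CN=$CaName,CN=AIA,$pki" /G "${acct}:GA"
dsacls "CN=$OldHost,CN=CDP,$pki" /I:T /G "${acct}:GA"

# Start and verify
Start-Service certsvc
certutil -ping                     # the CA answers RPC/DCOM requests
certutil -verifykeys               # CA certificate and private key match
certutil -getreg CA\CAServerName   # must print the new host name
```

After the service is up, publish a CRL from the new server (certutil -crl) and fetch it from every CDP URL the CA advertises; a CRL that cannot be refreshed is the most common way a migrated CA breaks clients days later.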
