Moving a Certificate Authority (CA) to another DC

John Savill

November 12, 2007

3 Min Read
ITPro Today logo in a gray background | ITPro Today

How can I move a Certificate Authority (CA) to another domain controller (DC)?

A. I recently had to demote a DC that was the CA for the domain that was causing a problem. I therefore performed these steps to move the CA to another DC:

  1. Start the Microsoft Management Console (MMC) Certificate Authority snap-in on the existing CA.

  2. Right-click the domain name at the root and select Back up CA from the All Tasks menu.

  3. Click Next at the welcome page of the Backup CA Wizard.

  4. Select the option to back up both the "Private key and CA certificate" and "Certificate database and certificate database log". Enter the name of an empty folder to which to back up the items.

  5. Enter a password that will be used to secure the backup and click Next.

  6. Click Finish to begin the backup.

  7. Start the registry editor (regedit.exe).

  8. Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvcConfiguration.

  9. Right-click the CA domain subkey and select Export from the context menu. Enter a name for the registry backup file and click Save.

  10. Now remove Certificate Services from the server. To do so, select Add or Remove Programs from the Control Panel, click Add/Remove Windows Components. Clear the Certificate Services check box and click Next.You can now use dcpromo to demote the existing server so it's no longer a DC (if you are planning to remove this as a DC; otherwise you'll just need to rename it later).

On the new target server, perform the following steps:

  1. If you are replacing a DC and wish it to have the same name as the previous one, you should rename it before installing the Certificate Services.

  2. Add the Certificate Services component (Select Add or Remove Programs from the Control Panel, click Add/Remove Windows Components. Select Certificate Services and click Next)

  3. Select the type of CA that the new CA is replacing (e.g., Enterprise CA), select the check box for "Use custom settings to generate the key pair and CA certificate" and click Next

  4. For the Public and Private Key Pair, select "Use an existing key" and click Import.

  5. Select the name of the .p12 file you created as part of the backup of the original server and enter the password you set and click OK.

  6. The window displays the selected key. Click Next to the main Public and Private Key Pair screen.

  7. Click Next to all remaining dialogs until installation is complete

  8. Stop the Certificate Services.

  9. Import the registry backup taken from the original server. You may wish to open the registry file and modify the CAServerName entry to this new server's name if you are not intending to rename it after. Double-click the .reg file and click Yes to the confirmation to add the information. Click OK to the read confirmation.

  10. Start the Certificate Authority MMC snap-in.

  11. Right-click the CA domain and select Restore CA from the All Tasks context menu.

  12. Click Next to the welcome dialog.

  13. Select the checkboxes for the certificate and log restore and enter the location of the backup taken from the original server. Click Next.

  14. Enter the password again that was used to secure the backup and click Next.

  15. Click Finish to the dialog box confirming the actions that will be taken.

  16. Click Yes to start the Certificate Services. The Certificates should now be running on the new server.

    — John Savill

About the Author

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like