Migrate Enterprise Root CA from Windows 2012 R2 to Windows 2019

LMS 156 Reputation points
2020-11-18T08:12:14.8+00:00

Hi

Our current Enterprise Root CA is on Windows 2012 R2, we are looking to get some KBs on migration of RCA to Windows 2019. Please suggest.

Thanks in advance


8 answers

  1. Anonymous
    2020-11-18T08:43:29.087+00:00

    Hello,

    Thank you so much for posting here.

    Here are some documents talking about AD CS migration. Hope they could be helpful to you.

    Performing the Upgrade or Migration
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)?redirectedfrom=MSDN

    AD CS Migration: Migrating the Certification Authority
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140(v=ws.10)#BKMK_GrantPermsAIA

    Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. LMS 156 Reputation points
    2020-11-29T05:59:26.593+00:00

    Sorry... we are going through the provided KBs... will update you


  3. LMS 156 Reputation points
    2020-11-30T06:16:37.277+00:00

    The Provided Blog "https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674" is a perfect one for reference. But we have a few concerns

    • Internally we issued certificates to all servers and PCs for different purposes, and through GPO most of these certificates are renewing automatically. Here we created and are using certificate templates (for LDAP, RDP, for SCCM etc.). We believe once we migrate to the 2019 CA, we have to recreate all these certificate templates as mentioned in the blog, right?
    • All current certificate templates are issuing certificates with 2048 bits; as per the new security standard we have to issue certificates with 4098 bits. So we will create new templates with 4098 bits. A lot of expired & unused certificates are there with the CA, and also once we create new templates with 4098 bits and re-issue certificates, the expired / revoked certificates will be more. How can we do a cleanup with the CA (either before migrating the CA or after the migration)?
    • How can we achieve archival of all issued certificates' private keys? Is it a best security practice to do so? If we go with private key archival, how can we apply more security to the Enterprise CA? (we have only one Enterprise CA)
    • SSL 2.0, 3.0 & TLS 1.0 & 1.1 and weak ciphers RC4 128/128, RC4 40/128, RC4 56/128, RC4 64/128, Triple DES 168/168 are disabled. Is there any reference KB to harden ciphers and cipher suites specific to the CA server?

    Thanks in advance


  4. Anonymous
    2020-11-30T09:36:16.933+00:00

    Hello,

    Thank you so much for your kind reply.

    1, We should record the assigned certificate templates before beginning the CA migration. The information is not automatically backed up as part of the CA database or configuration backup. Certificate templates and the association between enterprise CAs and certificate templates are stored in AD DS.

    After the target CA is installed and the database and registry settings are restored, ensure that an enterprise CA is configured to issue certificates for all the templates for which the source CA was configured.

    So we do not need to recreate all these certificate templates. We will need to reissue these certificate templates as mentioned in the provided blog.

    2, To remove expired certificates from the CA database, we could refer to:

    https://learn.microsoft.com/en-us/archive/blogs/xdot509/operating-a-windows-pki-removing-expired-certificates-from-the-ca-database

    As for the revoked certificate, according to the below link, there is no need to delete the revoked certificates.

    Link: https://social.technet.microsoft.com/Forums/office/en-US/334dce20-b604-441e-8747-2a3d2a4e0263/deleting-revoked-certificates?forum=winserversecurity

    3, Hope something here might be helpful.

    Private Key Archival and Recovery
    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cersod/5369f124-e32f-4d3c-bfa1-4768f338d04a

    Understanding Key Archival
    https://learn.microsoft.com/zh-tw/archive/blogs/pki/understanding-key-archival

    4, As per my research, there is no reference KB to harden ciphers and cipher suites for the CA server. I have found these documents, and we could check whether they help.

    https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/restrict-cryptographic-algorithms-protocols-schannel

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


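    As an added illustration of points 1 and 2 above (this is not code from the thread or from Microsoft's articles): a PowerShell fragment that records the template assignments on the source CA, re-applies them on the target CA after the database and registry restore, and purges expired certificate rows from the CA database. It assumes the ADCSAdministration module, certutil.exe, a US-style date format for certutil, and a placeholder export path; the per-call row limit of certutil -deleterow is an assumption and is guarded by a loop cap.

```powershell
# Added example, not from the thread. Run as a CA administrator.
Import-Module ADCSAdministration

# --- Source CA (2012 R2): capture assigned templates before migration ---
# The assignments live in AD DS (on the CA object), not in the CA database
# backup, so they must be recorded explicitly.
$export = 'C:\CABackup\templates.txt'   # placeholder path (assumption)
Get-CATemplate | Select-Object -ExpandProperty Name | Set-Content -Path $export

# --- Target CA (2019): re-assign the recorded templates after the restore ---
function Restore-CATemplateAssignment {
    param([string]$Path)
    $wanted  = Get-Content -Path $Path | Where-Object { $_ -ne '' }
    $current = (Get-CATemplate).Name
    foreach ($name in $wanted) {
        if ($current -contains $name) { continue }   # already assigned
        Add-CATemplate -Name $name -Force
    }
    # Return templates that still could not be assigned (e.g. removed from AD)
    $after = (Get-CATemplate).Name
    $wanted | Where-Object { $after -notcontains $_ }
}

# Cross-check with the CA's own view of its template list
certutil -catemplates

# --- Database cleanup: delete certificate rows that expired before a cut-off ---
# Assumption: certutil -deleterow handles a limited number of rows per call and
# exits non-zero while rows remain, so repeat it; $MaxRuns prevents an endless loop.
function Remove-ExpiredCertRows {
    param([datetime]$Before, [int]$MaxRuns = 50)
    $cutoff = $Before.ToString('MM/dd/yyyy')   # assumed US date format for certutil
    $runs = 0
    do {
        certutil -deleterow $cutoff Cert | Out-Null
        $runs++
    } while ($LASTEXITCODE -ne 0 -and $runs -lt $MaxRuns)
    return $runs
}

# Take a CA backup first (Backup-CARoleService), then e.g.:
# Remove-ExpiredCertRows -Before (Get-Date).AddMonths(-1)
```

    Revoked certificates are deliberately left in place, as the answer above notes; only expired rows are removed, and their count can be reviewed beforehand with certutil -view.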

  5. LMS 156 Reputation points
    2020-12-01T11:34:22.653+00:00

    Thanks Hannah

    We are referring to the KBs...

    What is the best practice on archiving private keys with Enterprise RCA? Is it a common practice?

