When updating our CA from (CSP) to (KSP), what is the effect of the downtime on an environment as the changes are being made? If something goes wrong with the process, is it simple to roll back?

Anonymous
2023-12-20T19:56:34+00:00

When updating our Certificate Authority Key (CA) from a Cryptographic Service Provider (CSP) to Key Storage Provider (KSP) for SHA256 security, what is the effect of the downtime on an environment as the changes are being made? If something goes wrong with the process, is it simple to roll back? Just restore the backed up files?

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


1 answer

  1. Anonymous
    2023-12-21T02:18:34+00:00

    Hello Robby Martin,

    Thank you for posting in Microsoft Community forum.

    Before you migrate CA from (CSP) to (KSP), please check the AD health and PKI health.

    Check AD health, run commands below on PDC:
    repadmin /showrepl >C:\rep1.txt
    repadmin /replsum >C:\rep2.txt

    repadmin /showrepl * /csv >c:\repsum.csv

    Check PKI health:
    Open PKIview.msc and check that all the entries are OK.

    Then migrate it.
    Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP) | Microsoft Learn

    Here is a similar thread with steps:
    migration csp to ksp - Microsoft Q&A

    If something goes wrong with the process, is it simple to roll back? Just restore the backed up files?
    A: Yes, restore all the data you backed up.
    Like the data below:
    All the data you backed up: choose All Tasks > Back Up CA and then follow the prompts in the wizard.

    Choose the options to back up the private key and CA certificate, and certificate database and certificate database log.
    Backing up CA registry settings

    Backing up CAPolicy.inf

    Tip: Please do the migration during a non-working day.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou
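
The backup set listed in the answer above (private key and CA certificate, database and logs, registry settings, CAPolicy.inf) can be collected in one pass before the migration. This script is an added example, not part of the original answer or of Microsoft's documentation; the `C:\CABackup` location and the output file names are assumptions, and it is meant to be run elevated on the CA server.

```powershell
#Requires -RunAsAdministrator
# Added example: collect the rollback set before a CSP-to-KSP migration.
param(
    [string]$BackupRoot = 'C:\CABackup'   # assumed location, not from the thread
)
$ErrorActionPreference = 'Stop'

# One timestamped folder per run so an older backup is never overwritten.
$target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $target | Out-Null

# 1. Private key + CA certificate (.p12) and the certificate database with its logs.
#    The .p12 holds the CA private key: protect the password and the folder accordingly.
$p12Password = Read-Host -Prompt 'Password to protect the exported CA key' -AsSecureString
Backup-CARoleService -Path $target -Password $p12Password

# 2. CA registry settings (these include the current CSP configuration).
$regFile = Join-Path $target 'CertSvc-Configuration.reg'   # assumed file name
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export of the CertSvc configuration failed' }

# 3. CAPolicy.inf, if this CA uses one.
$policy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $policy) { Copy-Item $policy -Destination $target }

# 4. Record the provider in use now, to compare against after a rollback.
$cspFile = Join-Path $target 'csp-before.txt'              # assumed file name
certutil.exe -getreg 'ca\csp\*' | Out-File $cspFile

# Verify that every piece needed for a restore is present before changing anything.
$missing = @()
if (-not (Get-ChildItem $target -Filter '*.p12')) { $missing += 'private key (.p12)' }
$db = Get-ChildItem (Join-Path $target 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $db)                                     { $missing += 'certificate database (.edb)' }
if (-not (Test-Path $regFile))                    { $missing += 'registry export' }
if ($missing) { throw "Backup incomplete, do not start the migration: $($missing -join ', ')" }

Write-Output "Rollback set written to $target"
```

Copy the resulting folder off the CA server before starting the migration, since it contains the CA private key.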
