migration csp to ksp

matteu31 502 Reputation points
2021-03-09T07:57:48.28+00:00

Hello,

I am trying to migrate a 2008R2 CA from CSP to KSP, but I am having some difficulties...

  1. migrate CSP to KSP on my 2008r2 server
  2. Migration SHA1 -> SHA 2
  3. Migrate to 2019 server

1) I can't migrate without the help of a 2012+ server. I need to export the key, import it on 2012 to migrate from CSP to KSP, and then export it again to import it on my 2008r2 with the new KSP provider.

2) When I try to back up my 2008r2 CA with the KSP provider, it doesn't work because the key can't be exported. I don't understand why. I used the Microsoft documentation for it.
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn771627(v=ws.11)

Maybe my migration order is wrong and I need:

  1. Migrate to 2019 server
  2. migrate CSP to KSP on my 2008r2 server
  3. Migration SHA1 -> SHA 2

Thanks for your help.


3 answers

  1. Anonymous
    2021-03-10T02:06:59.977+00:00

    Hello @matteu31 ,

    Thank you for posting here.

    As I understand, you have one-tier PKI, you want to do the changes below:

    1) migrate CSP to KSP on my 2008r2 server
    2) Migration SHA1 -> SHA 2
    3) Migrate to 2019 server

    Please check how many root CA certs you have. Right-click the CA, select Properties, and check the General tab.

    Check whether you can export the private key of these root CA certs.

    If you cannot export the private key of the root CA certs, you will not be able to do the migrations above.

    Then I suggest we rebuild a new PKI on Windows Server 2019 with KSP and SHA2.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. matteu31 502 Reputation points
    2021-03-10T14:50:51.287+00:00

    Hello,

    Thank you for your answer.
    I just tested it in a lab.

    I created a 2008R2 VM with a CSP provider and I don't know the right way to migrate it to KSP, then SHA2, and then 2019.

    When I migrate to SHA2 I create a new cert, but I can't export the cert's private key because the operation is not supported (probably because of the KSP provider on 2008r2).

    I will probably try to first migrate to 2019 and then do KSP and SHA2 to see if the result is the same.
    I have only "small customer" and I prefer to migrate in one shot instead of side by side, but I need to find a working way :)

    Thanks


  3. matteu31 502 Reputation points
    2021-03-15T07:29:27.59+00:00

    Hello,

    I tested yesterday in my lab.
    Everything works perfectly in this order:

    Source: 2008R2 CSP SHA1
    Destination: 2019 KSP SHA2

    1) Migrate from 2008r2 to 2019
    Backup CA + registry (certsvc\configuration)
    Delete CA on source server
    Install CA on destination server and use the cert p12 from the backup.
    Modify the server name in the registry configuration (if server name is different) and import it on the new server

    2) Migrate from CSP to KSP
    3) Migrate from SHA1 to SHA2
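
A check for where a CA stands in the order described in the last answer, as an added example that is not part of the thread: it classifies the CA's provider and hash settings and lists which of steps 2 and 3 remain. It assumes the AD CS registry layout under `certsvc\Configuration` (values `Active`, `CSP\Provider`, `CSP\ProviderType`, `CSP\CNGHashAlgorithm`); the function names and the two sample states are constructed for illustration.

```powershell
# Added example, not from the thread. AD CS keeps the active CA's provider
# settings under CertSvc\Configuration\<Active>\CSP.
$CertSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaCspSettings {
    # Reads the live values on a CA server; missing values come back as $null.
    $active = (Get-ItemProperty -Path $CertSvcConfig).Active
    $csp = Get-ItemProperty -Path (Join-Path (Join-Path $CertSvcConfig $active) 'CSP')
    @{ Provider = $csp.Provider; ProviderType = $csp.ProviderType
       CNGHashAlgorithm = $csp.CNGHashAlgorithm }
}

function Test-CaCryptoState {
    param([Parameter(Mandatory = $true)][hashtable]$Csp, [string]$Label = 'live')
    # A KSP is registered with ProviderType 0; legacy CryptoAPI CSPs use a non-zero type.
    $isKsp  = ($null -ne $Csp.ProviderType) -and ([int]$Csp.ProviderType -eq 0) -and
              ($Csp.Provider -like '*Key Storage Provider')
    # CNGHashAlgorithm is the hash used for certificates and CRLs signed from now on.
    $isSha2 = @('SHA256', 'SHA384', 'SHA512') -contains $Csp.CNGHashAlgorithm
    $todo = @()
    if (-not $isKsp)  { $todo += 'step 2: migrate CSP to KSP' }
    if (-not $isSha2) { $todo += 'step 3: migrate SHA1 to SHA2' }
    New-Object PSObject -Property @{
        Label = $Label; Provider = $Csp.Provider; IsKsp = $isKsp
        Hash = $Csp.CNGHashAlgorithm; IsSha2 = $isSha2
        Remaining = ($todo -join '; ')
    }
}

# Constructed samples for the thread's source and destination states.
$samples = @(
    @{ Label = '2008R2 CSP SHA1'
       Csp = @{ Provider = 'Microsoft Strong Cryptographic Provider'; ProviderType = 1 } },
    @{ Label = '2019 KSP SHA2'
       Csp = @{ Provider = 'Microsoft Software Key Storage Provider'; ProviderType = 0
                CNGHashAlgorithm = 'SHA256' } }
)
$results = @(foreach ($s in $samples) { Test-CaCryptoState -Csp $s.Csp -Label $s.Label })
# On a CA server, also evaluate the live configuration.
if (Test-Path $CertSvcConfig) { $results += Test-CaCryptoState -Csp (Get-CaCspSettings) }
$results | Format-Table Label, Provider, IsKsp, Hash, IsSha2, Remaining -AutoSize
```

The hash setting only governs what the CA signs afterwards; the CA's own certificate keeps its SHA1 signature until it is renewed.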

