Certificate Server Name change

LRL 41 Reputation points
2021-03-15T19:50:23.8+00:00

Our company's issuing certificate server is a Windows Server 2008 R2 and we would like to transfer the service to a new Windows Server 2016 Standard server.
The new Win2016 server will have a different hostname.

My questions are:

  1. What considerations will I need to keep in mind now that the service is running on a new server and hostname?
  2. How will the previously issued certificates be handled as the CRL Distribution Points and the Authority Information Access information entries point to the old hostname?
  3. Do I need to rename the new server to match the previous hostname?

I planned to follow the instructions on https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674, which recommends using the same name.

Your thoughts?
Thanks


Accepted answer
  1. Daisy Zhou 21,046 Reputation points Microsoft Vendor
    2021-03-16T03:49:36.057+00:00

    Hello @LRL ,

    Thank you for posting here.
    Based on the description above, I understand you have a one-tier, domain-joined Enterprise CA server.

    Here are the answers for your reference.

    Q1. What considerations will I need to keep in mind now that the service is running on a new server and hostname?

    A1: Considerations for migrating a CA to a new machine:

    1. When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must remain unchanged.
    2. By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.
    3. During the installation process, we must choose to use the CA's existing certificate and private key instead of creating a new CA certificate and key.

    Q2. How will the previously issued certificates be handled as the CRL Distribution Points and the Authority Information Access information entries point to the old hostname?

    A2: By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.

    Q3. Do I need to rename the new server to match the previous hostname?

    A3: When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must remain unchanged.

    Q4. The article recommends using the same name.
    A4: Based on my experience, if we migrate the CA to a new machine with the same hostname:

    First we need to back up all the CA information mentioned in the link you provided.
    Then remove the old 2008 R2 CA machine from the domain, add the new 2016 server to the domain, and restore the CA information to the new 2016 machine.

    This is because there cannot be more than one machine with the same computer name in the same domain.

    References
    AD CS Migration: Migrating the Certification Authority
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140(v=ws.10)#BKMK_GrantPermsAIA

    Performing the Upgrade or Migration
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

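The points in A1 to A3 (keep the CA name, keep the old CDP/AIA paths resolvable, make sure nothing that still names the old host ends up in new certificates) as one post-restore script. This is an added example, not code from the thread or from the linked Microsoft guide. The host names, the CA name, the issued-certificate file used for the check and the DNS CNAME are assumptions for illustration; the cmdlets are from the ADCSAdministration module that ships with the Windows Server 2016 CA role.

```powershell
# Added example; not from the original thread or Microsoft's migration guide.
# Assumed names (nothing in the thread states them):
#   old 2008 R2 host : CA01.corp.example
#   new 2016 host    : CA02.corp.example
#   CA common name   : "Corp Issuing CA"   (unchanged across the move, per A1/A3)
# Assumed environment: the old computer account is gone from the domain (A4), and a DNS
# CNAME CA01.corp.example -> CA02.corp.example has been created, so the http://CA01/...
# URLs inside already-issued certificates now land on the new server's CertEnroll site.
# Run in an elevated PowerShell on the NEW CA after the role was installed with the
# existing CA certificate/key and the database/registry backup was restored.
Import-Module ADCSAdministration

$OldHost    = 'CA01.corp.example'
$NewHost    = 'CA02.corp.example'
$CaName     = 'Corp Issuing CA'
$CertEnroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"

# 1. Confirm the old name really resolves to this box; if it does not, old CDP/AIA URLs fail.
Resolve-DnsName -Name $OldHost -Type CNAME | Format-Table Name, NameHost

# 2. Inspect what the restored registry configuration carries. The default entries use the
#    <ServerDNSName> template and therefore already expand to the new host; only entries
#    that hard-code the old host name need attention.
Get-CACrlDistributionPoint       | Format-Table Uri, AddToCertificateCdp, PublishToServer
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia

# 3. Any hard-coded old-host CDP entry must not be written into NEW certificates. Re-create it
#    on the new host with the same flags. (If the old server will keep serving files instead
#    of being retired, A2's alternative is to keep a file://\\CA01\CertEnroll publish entry.)
foreach ($cdp in Get-CACrlDistributionPoint | Where-Object { $_.Uri -like "*$OldHost*" }) {
    $newUri = $cdp.Uri -replace [regex]::Escape($OldHost), $NewHost
    Remove-CACrlDistributionPoint -Uri $cdp.Uri -Force
    Add-CACrlDistributionPoint -Uri $newUri `
        -AddToCertificateCdp:$cdp.AddToCertificateCdp `
        -AddToFreshestCrl:$cdp.AddToFreshestCrl `
        -AddToCrlCdp:$cdp.AddToCrlCdp `
        -PublishToServer:$cdp.PublishToServer `
        -PublishDeltaToServer:$cdp.PublishDeltaToServer -Force
}
foreach ($aia in Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -like "*$OldHost*" }) {
    $newUri = $aia.Uri -replace [regex]::Escape($OldHost), $NewHost
    Remove-CAAuthorityInformationAccess -Uri $aia.Uri -Force
    Add-CAAuthorityInformationAccess -Uri $newUri `
        -AddToCertificateAia:$aia.AddToCertificateAia `
        -AddToCertificateOcsp:$aia.AddToCertificateOcsp -Force
}

# 4. AIA caveat: the default published file name is <ServerDNSName>_<CaName><CertificateName>.crt,
#    so the new server writes "CA02.corp.example_Corp Issuing CA.crt", while certificates issued
#    before the move ask for "CA01.corp.example_Corp Issuing CA.crt". Keep a copy under the old
#    name so AIA fetches for old certificates still succeed. (After a CA certificate renewal the
#    file name also carries a "(1)" style suffix; repeat the copy for each such file.)
$newCaCert = Join-Path $CertEnroll "${NewHost}_${CaName}.crt"
$oldCaCert = Join-Path $CertEnroll "${OldHost}_${CaName}.crt"
Copy-Item -Path $newCaCert -Destination $oldCaCert -Force

# 5. Apply the configuration and republish the base and delta CRL to every publish location.
Restart-Service certsvc
certutil -crl

# 6. The check that matters: take a certificate the OLD server issued (assumed file name) and
#    let certutil fetch every CDP and AIA URL it contains. Each URL line should report
#    "Verified"; a "revocation function was unable to check revocation" error means an old
#    path is still unreachable.
certutil -verify -urlfetch .\issued-before-migration.cer
```

Step 6 is worth repeating with a certificate issued after the move as well, so that both generations of CDP/AIA paths are exercised from a domain client and not only from the CA itself.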

2 additional answers

  1. LRL 41 Reputation points
    2021-03-16T15:57:32.833+00:00

    Thanks for the explanations and reference links.

    This information will help.


  2. LRL 41 Reputation points
    2021-03-17T19:06:56.323+00:00

    Hello Daisy
    One follow up question. Do the migration instructions you provided also apply to an Issuing CA in a two-tier configuration?
    Are there any additional considerations?
    Thanks again