Migrating a CA to a New Host
Date: 2008. 11. 26. 17:27 | Category: Windows Server/Active Directory

From now on I will write my posts in English.
Since my skill is what it is, they will be written only in simple English.
Please don't think too badly of it...^^

Migrating a CA to a new host: the host name will change, but the CA itself (its name, certificate and keys) must stay the same.

* To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old path as well as the new path.

Operation sequence

1. Preparing the source Env
- Publishing a CRL1) with a long validity period (so that certificates are not treated as revoked while the CA is offline)
- Complete Server Backup
- CA Backup
- CA Configuration Backup

2. Migration
- Install CA on the target Server using CA backup file
- Restore CA database and configuration

3. Perform the steps for post-migration
- Update CRL distribution point and authority information access extensions
- Registry cleanup

4. Upgrading certificate templates

5. Verifying security settings
- Verify CA security settings
- Verify AD Permissions for the CA

Operation Details

Publishing a CRL with long validity period
1. certsrv.msc > Revoked Certificates > Action > Properties
2. Record the original CRL publication interval, then set the interval to 99 years.
3. Clear the Publish Delta CRLs check box.
4. Revoked Certificates > Action > All Tasks > Publish
5. Make sure that the new CRL has been published.
6. certsrv.msc > Properties > Extensions
7. Record the CRL distribution point extension settings.
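The same step from the command line, as an added example that is not part of the original post: it records the current CRL period values before changing them, then uses certutil to set the 99-year base CRL period, disable delta CRLs and publish. It assumes an elevated PowerShell session on the source CA and the default CertEnroll folder.

```powershell
# Added example: command-line equivalent of the "long validity CRL" steps above.
# Assumptions: run elevated on the source CA by a CA administrator; the CA
# publishes its file-based CRL to the default CertEnroll folder.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc'
$ca  = (Get-ItemProperty "$svc\Configuration").Active      # name of the active CA
$cfg = Get-ItemProperty "$svc\Configuration\$ca"

# Step 2: record the original values so they can be restored after the migration.
$original = @{
    CRLPeriod           = $cfg.CRLPeriod            # e.g. "Weeks"
    CRLPeriodUnits      = $cfg.CRLPeriodUnits
    CRLDeltaPeriod      = $cfg.CRLDeltaPeriod
    CRLDeltaPeriodUnits = $cfg.CRLDeltaPeriodUnits
}
$original | Export-Clixml "$env:USERPROFILE\ca-crl-settings-original.xml"
$original

# Base CRL validity of 99 years; a delta period of 0 units is what clearing
# the "Publish Delta CRLs" check box (step 3) writes to the registry.
certutil -setreg CA\CRLPeriod "Years"
certutil -setreg CA\CRLPeriodUnits 99
certutil -setreg CA\CRLDeltaPeriodUnits 0

# The CA reads these values at service start, so restart before publishing (step 4).
Restart-Service CertSvc
certutil -crl

# Step 5: confirm the newly published CRL carries the long Next Update date.
$crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crl.FullName | Select-String 'ThisUpdate|NextUpdate'
```

The saved XML is what you restore from in the "Resetting the CRL Publishing Period" step after the migration.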

Performing a Complete Server Backup

Performing a CA Backup
(A CA backup consists of two parts: the CA database, and the CA certificate and keys.)
1. certsrv.msc > All Tasks > Back Up CA
2. On the Items to Back Up page, select both Private key and CA certificate and Certificate database and certificate database log.

Performing a Backup of the CA Configuration
1. Export the following registry key: "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc"

Recording Certificate Templates
1. cmd > certutil -catemplates > templates.txt

Uninstalling the CA on the Source Server

Uninstalling the Web Enrollment Support on the Source Server

Setup CA on the Target Server
1. servermanager.msc > Roles
2. Action > Add Roles > Active Directory Certificate Services
3. On the Set Up Private Key page, select Use existing private key.

Restoring the CA database
1. certsrv.msc > All tasks > Restore CA

Restoring the CA Registry Configuration
1. Import the registry key exported earlier: "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc"

Restoring Certificate Template Configuration
1. certsrv.msc > Right-click Certificate Templates > New > Certificate Template to Issue

Resetting the CRL Publishing Period

Verifying Security Settings
1. certsrv.msc > CA object > Action > Properties
2. dsa.msc > Verify the permissions on the Configuration/Services/Public Key Services container.

Updating CRL Distribution Point and Authority Information Access Extensions
1. certsrv.msc > Properties > Extensions
2. Add the required authority information access and CRL distribution point extensions
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<OriginalServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
3. Replace <OriginalServerShortName> with the short name of the original CA host.
4. With the new location highlighted, select the Publish CRLs to this location and Publish Delta CRLs to this location check boxes.

Performing Registry Updates after a host name change
1. Verify that CAServerName is a registry string value located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\ registry key. It should be updated to represent the DNS name (for an enterprise CA or domain member CA) or the host name (for a stand-alone workgroup CA) of the new CA host.

2. Verify that CACertPublicationURLs and CRLPublicationURLs are both registry multi-string values located under the same key as CAServerName. CACertPublicationURLs indicates the authority information access extension settings, and CRLPublicationURLs indicates the CRL distribution point extension settings configured in the Certification Authority snap-in on the CA Properties Extensions tab. While these settings may have been updated as a separate step previously (see Updating CRL Distribution Point and Authority Information Access Extensions), they should be checked in the registry to ensure any hard-coded host names are reconciled with the new environment.

3. Check the remaining registry values under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc registry key, with emphasis on any values that have been customized, to ensure that they contain no data with the old CA host name or other invalid CA settings. For example:
· Configuration\ConfigurationDirectory
· Configuration\CAName\CACertFilename
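An audit script for the two post-migration checks above (the old-host CDP entry must still be published to, and nothing else under CertSvc may still carry the old host name), added here as an example and not part of the original post or the Microsoft guide. It assumes an elevated session on the new CA host; $OldHost is a placeholder for the original host's short name.

```powershell
# Added example: audit the CertSvc registry on the new host after the host name change.
# Assumptions: run elevated on the new CA; $OldHost is a placeholder value.
$OldHost = 'OLDCAHOST'                      # placeholder: short name of the original CA host
$NewHost = $env:COMPUTERNAME
$svc     = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc'
$caName  = (Get-ItemProperty "$svc\Configuration").Active
$cfg     = Get-ItemProperty "$svc\Configuration\$caName"

# 1. CAServerName must name the new host (DNS name for an enterprise CA).
if ($cfg.CAServerName -notlike "$NewHost*") {
    Write-Warning "CAServerName is '$($cfg.CAServerName)', expected $NewHost"
}

# 2. Each CRLPublicationURLs entry is '<flags>:<url>'. certutil bit values:
#    1 = publish CRLs to this location, 64 = publish delta CRLs to this location.
#    The old-host LDAP path must still be present with both bits set.
$legacy = @($cfg.CRLPublicationURLs | Where-Object { $_ -match [regex]::Escape($OldHost) })
if ($legacy.Count -eq 0) {
    Write-Warning "No CDP entry for '$OldHost': clients holding the old path will fail revocation checking"
}
foreach ($entry in $legacy) {
    $flagText, $loc = $entry -split ':', 2          # limit 2: the URL itself contains ':'
    $flags   = [int]$flagText
    $publish = ($flags -band 1)  -ne 0
    $delta   = ($flags -band 64) -ne 0
    "{0}`n  publish CRL: {1}  publish delta CRL: {2}" -f $loc, $publish, $delta
    if (-not ($publish -and $delta)) {
        Write-Warning "Old-host location is not set to publish CRLs and delta CRLs: $loc"
    }
}

# 3. Any other value under CertSvc that still carries the old host name is stale.
#    The two publication lists are skipped because the old name is intentional there.
$skip = @('CRLPublicationURLs', 'CACertPublicationURLs')
$keys = @(Get-Item $svc) + @(Get-ChildItem $svc -Recurse)
foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key.PSPath
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*' -or ($p.Name -in $skip)) { continue }   # provider metadata / intended
        if (($p.Value -join ' ') -match [regex]::Escape($OldHost)) {
            "STALE  {0}\{1} = {2}" -f $key.Name, $p.Name, ($p.Value -join '; ')
        }
    }
}
```

Every STALE line is a value to fix by hand before the CA is put back into service; a clean run prints only the old-host CDP entry with both publish flags True.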

Upgrading Certificate Templates in AD DS

1) CRL (certificate revocation list): the list published by the CA of certificates whose status is revoked (no longer valid and not to be relied upon).

Source: Active Directory Certificate Services Upgrade and Migration Guide
