When you install a Certificate Authority (CA) on a server, you normally do everything to protect this server and the data it's storing. If you ever need to move the CA with all its data to another Windows 2000 Server computer, here's how to do it.

Perform these steps on the old computer currently running the CA:

  1. In a central location, create a backup of the old machine, the CA cryptographic keys, and the database. You can do this by running the CA console, selecting the computer name, and then selecting Backup CA in the Action menu under All Tasks.
  2. When the wizard asks you which items to back up, select Private Key, CA Certificate, Issued Certificate Log, and Pending Certificate Request Queue.
  3. After the wizard completes, you'll get a file with a .p12 extension and a folder named DataBase.
  4. Back up the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_Name>. Replace <CA_Name> with your CA's name.
  5. Run Cmd.exe to open the Command Prompt, type "certutil -shutdown" to stop the Certificate Services, then type "certutil -key" to list all the keys installed on the server. You'll notice one with the name of your CA server.
  6. Type "certutil -delkey <CA_Name>" to delete the key with the name of your CA server. (If the key name includes spaces, enclose it in quotes.)
  7. Uninstall the Certificate Services.
  8. Since the new computer must have the same name as the old one, you must either remove the old computer from the network or rename it.
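Steps 4 through 6 are the ones that are easy to get out of order, and deleting the key container before the backup has been checked is the mistake that cannot be undone. The batch script below is an added example, not part of the original column: it exports the registry key with regedit /e (assumed usage, not a command the column itself shows), refuses to stop the service until the wizard's .p12 file and DataBase folder are present in the backup directory, lists the key containers, and only runs certutil -delkey when you pass /delete explicitly. The script name, the .reg file name and the argument layout are my own choices.

```batch
@echo off
setlocal
rem Usage: backup_old_ca.cmd "<CA_Name>" <BackupDir> [/delete]
rem Added example (not from the original column). Run on the OLD CA computer
rem after the Backup CA wizard has written its .p12 file and DataBase folder.
if "%~1"=="" goto usage
if "%~2"=="" goto usage
set CA_NAME=%~1
set BACKUP_DIR=%~2
set REG_KEY=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%CA_NAME%
set REG_FILE=%BACKUP_DIR%\CertSvc-%CA_NAME%.reg

rem Step 4: export the CA configuration key before anything on this box changes.
rem (regedit /e usage is assumed; the column only names the key to back up.)
regedit /e "%REG_FILE%" "%REG_KEY%"
if not exist "%REG_FILE%" (
    echo Registry export of %REG_KEY% failed. Nothing else has been touched.
    exit /b 1
)

rem Guard: do not shut the CA down until the wizard output is where we expect it.
if not exist "%BACKUP_DIR%\*.p12" (
    echo No .p12 file found in "%BACKUP_DIR%". Run Backup CA first.
    exit /b 1
)
if not exist "%BACKUP_DIR%\DataBase" (
    echo No DataBase folder found in "%BACKUP_DIR%". Run Backup CA first.
    exit /b 1
)

rem Step 5: stop Certificate Services and list the installed key containers.
certutil -shutdown
certutil -key

rem Step 6: delete the CA's key container only when explicitly requested,
rem so a dry run of this script leaves the key in place.
if /i not "%~3"=="/delete" (
    echo Key container "%CA_NAME%" left in place.
    echo Verify the backup, then re-run with /delete to remove it.
    exit /b 0
)
certutil -delkey "%CA_NAME%"
exit /b %ERRORLEVEL%

:usage
echo Usage: %~nx0 "CA Name" BackupDir [/delete]
exit /b 1
```

Run it once without /delete to confirm the export and the backup checks succeed, then again with /delete. The CA name is always passed quoted to certutil, which covers the spaces-in-name case the column warns about.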

On the new computer, follow these steps:

  1. Copy the cryptographic key and the database from the old computer to the new one. (Make sure the new computer has the same name as the old one.)
  2. Install the Certificate Services on the new computer through Add/Remove Programs in the Control Panel. Select the Advanced Install option on the Certificate Authority Type screen.
  3. On the next screen, click Import and browse for the key you exported on the old computer. The file has a .p12 extension.
  4. During setup, make sure you specify the same log and database paths as on the old computer.
  5. After the installation completes, start the Certificate Authority console and restore the database by selecting the computer name. Then, in the Action menu under All Tasks, click Restore CA.
  6. Restore the backed-up registry key.
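Step 6 is where the two hard requirements of this procedure (same computer name, same log and database paths) come back to bite you, because the registry key you restore carries the old paths. The batch script below is an added example, not part of the original column: it checks that the new computer's name matches the one you expect, stops the CertSvc service (the service name is taken from the registry path the column gives), merges the exported .reg file silently with regedit /s (assumed usage), restarts the service and lists the key containers so you can see the imported CA key. The .reg file name and the argument layout are my own assumptions.

```batch
@echo off
setlocal
rem Usage: restore_new_ca.cmd <ExpectedComputerName> "<CA_Name>" <BackupDir>
rem Added example (not from the original column). Run on the NEW CA computer
rem after Certificate Services is installed and Restore CA has completed.
if "%~1"=="" goto usage
if "%~2"=="" goto usage
if "%~3"=="" goto usage
set EXPECTED_NAME=%~1
set CA_NAME=%~2
set BACKUP_DIR=%~3
set REG_FILE=%BACKUP_DIR%\CertSvc-%CA_NAME%.reg

rem The restored key only makes sense if this box has the old CA's name.
if /i not "%COMPUTERNAME%"=="%EXPECTED_NAME%" (
    echo This computer is named %COMPUTERNAME%, expected %EXPECTED_NAME%.
    echo Rename it before restoring the CA configuration.
    exit /b 1
)
if not exist "%REG_FILE%" (
    echo Registry backup "%REG_FILE%" not found.
    exit /b 1
)

rem Stop the service so the configuration key is not rewritten under us.
net stop certsvc

rem Step 6: merge the exported key. (regedit /s usage is assumed.)
regedit /s "%REG_FILE%"

rem Bring the CA back and show the key containers; the CA's key should be listed.
net start certsvc
if errorlevel 1 (
    echo Certificate Services failed to start. Check that the log and database
    echo paths in the restored key exist on this computer.
    exit /b 1
)
certutil -key
exit /b 0

:usage
echo Usage: %~nx0 ExpectedComputerName "CA Name" BackupDir
exit /b 1
```

If the service refuses to start after the merge, the usual cause is that the database or log directory recorded in the old key does not exist on the new machine, which is exactly the path-mismatch the column tells you to avoid in step 4.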

Remember: Before you can move the CA and the key database
to another computer, you must give the new computer the same computer name as
the old one, and the log and database file paths must be the same.

Reminder: Before making any
registry edit, be sure to first back up the registry so that you can restore it
if something goes wrong.

Check out the Windows 2000 Server archive, and catch up on the most recent editions of Jim Boyce’s column.