install Certificate Authority (CA) on a server, you normally do everything to
protect this server and the data it’s storing. If you ever need to move the CA
with all the data to another Windows 2000 Server computer, here’s how to do it.
these steps on the old computer currently running CA:
a central location, create a backup of the old machine, the CA cryptographic
keys, and database. You can do this by running the CA console, selecting the
computer name, and then selecting Backup CA in the Action menu under All Tasks.
the wizard asks you which items to back up, select Private Key, CA Certificate,
Issued Certificate Log, and Pending Certificate Request Queue.
the wizard completes, you’ll get a file with a .p12 extension and a folder
up registry key:
Replace <CA_Name> with your CA’s name.
Cmd.exe to open the Command Prompt, type “certutil —shutdown” to stop
the Certificate Services, then type “certutil —key” to list all the
keys installed on the server. You’ll notice one with the name of your CA
“certutil —delkey <CA_Name>” to delete the key with the name of
your CA server. (If the key includes spaces, enclose it in the quotes.)
the Certificate Services.
the new computer must have the same name as the old one, you must either remove
the old computer from the network, or rename it.
On the new
computer, follow these steps:
the cryptographic key and the database from the old computer to the new one.
(Make sure the new computer has the same name as the old one.)
the Certificate Services on the new computer through Add/Remove Programs in the
Control Panel. Select the Advanced Install option on the Certificate Authority
the next screen, click Import and browse for the key you exported on the old
computer. The file has a .p12 extension.
setup, make sure you specify the same log and database paths as on the old
the installation completes, start the Certificate Authority console and restore
the Database by selecting the computer name. Then, in the Action menu under All
Tasks, click Restore CA.
the backed up registry key.
Remember: Before you can move the CA and the key database
to another computer, you must give the new computer the same computer name as
the old one, and the log and database file paths must be the same.
Reminder: Before making any
registry edit, be sure to first back up the registry so that you can restore it
if something goes wrong.
Miss a column?
Check out the Windows 2000 Server archive, and catch up on the most recent editions of Jim Boyce’s column.
Want more Win2K tips and tricks? Automatically sign up for our free Windows 2000 Server newsletter, delivered each Tuesday!