Server 2003 to 2016 PKI & CSP to KSP Migration

The organization that I work for was running an old, single Server 2003 CA. This was sufficient at the beginning, since it was only needed for an enterprise wireless system that was slowly being deprecated; usage was down to a handful of people.

Recently we started implementing a VPN solution called NetMotion for all of our remote workers on tablets and notebooks. This caused us to rely on our aging 2003 box more and more, as it verified the computer certificates each time a user logged in. The server was on hardware that was more than 10 years old. This unfortunate reality would soon come to bite us pretty badly on an unsuspecting Sunday morning.

I should add that in addition to tablets and notebooks for remote workers, we were also using it for our Police Officers' MDTs. Oh yeah, not to mention this was also our one and only RADIUS server. You can clearly see the issue we had ignored for too long.

This all led up to me getting a frantic call one Sunday morning at 6:30am when none of our officers could log in to their MDTs. I'm still not sure what caused our CA to suddenly stop responding. We did server patching the weekend prior, but Server 2003 has been out of support for quite a few years, so there were no patches installed on it; it was just rebooted.

There was some discussion off and on during the year about upgrading it to Server 2016, or 2012 at the very least, but it kept getting put on the back burner due to more important (to us at the time) projects. If it's working, why break it?

Well, after finding the certificate services stopped and being unable to start them, we did the first logical thing: we restored the server from the previous night's backup. *SIDE NOTE: Always have a good backup strategy in place!* This didn't work! The server came up, but the services would not start! So I went to the previous week's full backup, same thing! I was seriously beginning to panic at this point. I started thinking about the worst-case scenario of restoring our entire AD infrastructure from backup.

Luckily I caught a break by restoring from a previous month's backup. I crossed my fingers and started the services: green check mark! I backed up the CA, root cert and private keys, took that backup and restored them onto the current system, and sure enough, the services started and everything was working again!

This pushed us to do two things: upgrade our CA to 2016, and add some redundancy with two load-balanced RADIUS servers and a subordinate CA. If your organization's CA servers are on 2003 or even 2008, I *HIGHLY* recommend upgrading them sooner rather than later! In 2012 R2 and 2016, RADIUS is actually called "Network Policy Server". I won't cover that portion of the upgrade since it's pretty straightforward.

There is a plethora of information out there about upgrading your CA from 2003 to 2012 R2, but none for 2003 to 2016. There are also various ways of doing the migration, such as building out a new PKI while leaving the old one in place and slowly moving everything over to the new PKI. You can even just add a 2016 subordinate CA in order to support KSP key storage and the newer SHA-256 certificate hash.

We decided to just rip the band-aid off and migrate it all in one morning: 2003 to 2016, and CSP to KSP key storage. Looking back now, I should have turned it into two separate maintenance events, one for upgrading the CA to 2016 and another for moving the key storage from CSP to KSP. But we were in a hurry to get a better solution in place.

The actual upgrade process is fairly easy, but after reading blog after blog and seeing all these different steps, I was a bit concerned whether we could pull this off. We did multiple test upgrades in our lab environment and all were successful, but you still get a little apprehensive when touching such an important system.

A quick note to begin with: we only used the standard templates, so we did not need to migrate those over, which saved us a step. YMMV.

The upgrade process is simply this:

Have two servers (we used Hyper-V VMs), one running 2012 R2 and the other 2016. Do not join them to the domain just yet, and give them temporary names like 2012-Temp. You can't go straight from 2003 to 2016, so there is an intermediate step on 2012 R2.

Phase 1 – Backup your current 2003 CA

  1. Open the CA MMC and right click on your server name and choose “Backup CA”
    • Choose the cert, database, and the key
  2. Open Regedit and export this key – hklm\system\currentcontrolset\services\certsvc\configuration
  3. Copy the certificate and Database folder along with the exported registry and put it on the 2012 temporary server.
  4. Uninstall the CA role from your 2003 server and reboot.
  5. Log back into the server and remove it from the domain and then shut it down.
  6. Verify the computer account is removed from AD.

Phase 2 – Migrate to 2012 R2

  1. Rename the 2012-Temp server to the SAME name as your 2003 server and reboot.
  2. Join the server to the domain and reboot.
  3. Install the CA services. You can choose to also install the CA Web enrollment, but I decided to skip that for this temporary step.
  4. Choose to import the certificate and then select the certificate you exported in Phase 1.
  5. Continue through the prompts until you are finished and start the CA services.
  6. Verify the services start and then stop the services.
  7. Import the registry key that you exported in Phase 1.
  8. Restart the CA services and verify everything starts without issue.
  9. I did some testing at this point by renewing a few certs and requesting new certs. Templates worked so we moved on to the next phase.

Phase 3 – Migrate from 2012 R2 to 2016 (Process is identical to 2003 to 2012R2)

  1. Open the CA MMC and right click on your server name and choose “Backup CA”
    • Choose the cert, database, and the key
  2. Open Regedit and export this key – hklm\system\currentcontrolset\services\certsvc\configuration
  3. Copy the certificate and Database folder along with the exported registry and put it on the 2016 server.
  4. Uninstall the CA role from your 2012 server and reboot.
  5. Log back into the server and remove it from the domain and then shut it down.
  6. Verify the computer account is removed from AD.
  7. Rename the 2016 server to the SAME name as your 2012R2 server and reboot.
  8. Join the server to the domain and reboot.
  9. Install the CA services. Here you want to also install the CA Web enrollment.
  10. Choose to import the certificate and then select the certificate you exported from the 2012 R2 server.
  11. Continue through the prompts until you are finished and start the CA services.
  12. Verify the services started and then stop them.
  13. Import the registry key that you exported on the 2012 R2 server.
  14. Restart the CA services and verify everything starts without issue.
  15. I did some testing at this point by renewing a few certs and requesting new certs. Templates worked so we moved on to the next phase.
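The backup, registry export and copy steps that Phase 1 and Phase 3 both walk through, as an added PowerShell script (not from the original post). The certutil.exe and reg.exe calls produce the same backup set as the MMC "Backup CA" wizard and Regedit export and exist on 2003 as well; the script around them assumes PowerShell 4 or later (2012 R2/2016), an elevated session on the CA being retired, and placeholder values for $BackupRoot and $StagingShare.

```powershell
# Added example (not from the original post): scripted form of the "Backup CA" wizard,
# registry export and copy steps repeated in Phase 1 and Phase 3.
# Assumptions: elevated session on the CA being retired, PowerShell 4 or later (2012 R2/2016);
# $BackupRoot and $StagingShare are placeholders. certutil.exe and reg.exe are built in.
param(
    [string]$BackupRoot   = 'D:\CA-Migration',             # placeholder local path
    [string]$StagingShare = '\\2012-Temp\C$\CA-Migration'  # placeholder share on the next server
)
$ErrorActionPreference = 'Stop'
$dest = Join-Path $BackupRoot ('CA-Backup-' + (Get-Date -Format 'yyyyMMdd-HHmm'))
New-Item -ItemType Directory -Path $dest | Out-Null   # certutil -backup wants an empty directory

# The exported private key is password-protected; prompt so the password never lands on disk.
$secure = Read-Host -AsSecureString 'Password to protect the exported CA key'
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

# 1. CA certificate + private key (<CAName>.p12) and the database (DataBase\ folder):
#    the same set the MMC "Backup CA" wizard produces with every box checked.
& certutil.exe -p $plain -backup $dest
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit code $LASTEXITCODE)" }

# 2. The CertSvc\Configuration key the post says to carry across.
$regFile = Join-Path $dest 'CertSvc-Configuration.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

# 3. Record the provider and hash the CA uses today, so the KSP/SHA-256 change
#    in the final phase can be compared against a known starting point.
$note = Join-Path $dest 'pre-migration.txt'
& certutil.exe -getreg CA\CSP\Provider      | Out-File -FilePath $note
& certutil.exe -getreg CA\CSP\HashAlgorithm | Out-File -FilePath $note -Append

# 4. Refuse to continue with an incomplete set; the CA role is uninstalled right after this.
$p12 = Get-ChildItem -Path $dest -Filter '*.p12' | Select-Object -First 1
if (-not $p12 -or -not (Test-Path (Join-Path $dest 'DataBase')) -or -not (Test-Path $regFile)) {
    throw "Backup set in $dest is incomplete; do not uninstall the CA role yet."
}
# Hashes travel with the set so the copy can be verified on the new server before Phase 2.
Get-FileHash -Algorithm SHA256 -Path $p12.FullName, $regFile |
    Export-Csv -Path (Join-Path $dest 'backup-hashes.csv') -NoTypeInformation

# 5. Move the set to the staging server.
Copy-Item -Path $dest -Destination $StagingShare -Recurse
Write-Host "Backup set written to $dest and copied to $StagingShare"
```

Re-run Get-FileHash against the copied .p12 and .reg on the destination server and compare with backup-hashes.csv before starting the next phase.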

Final Phase – Migrate key storage from CSP to KSP & increase hashing algorithm to SHA256

OK, for this step I have to admit, I cheated. I tried doing this step in the lab and kept running into various issues: either the keys could not be found when importing them, or the certificates were not found. So I did some searching and found a site with a script that automates the entire process, and every time I ran the script in the test lab it worked flawlessly!

Once the script finishes migrating the key storage and upgrading the hashing algorithm, publish a new root certificate. This assumes you have the proper GPOs in place to distribute the new root certificate to clients via AD.

Link to Thomas Rayner’s blog – LINK

There may be some cleanup work depending on how healthy your environment was before the migration, but overall that is it! You should now be on a Server 2016 CA using KSP and SHA-256.
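An added, read-only PowerShell check for that end state (not part of the original post or the linked script): it confirms the CA key sits in a KSP, the CA signs with SHA-256, the current CA certificate is SHA-256 signed, and the renewed root has landed in the trusted root store. It assumes an elevated session on the 2016 CA, the built-in certutil.exe, and the Microsoft Software Key Storage Provider as the target KSP; the function name is mine.

```powershell
# Added example (not from the original post or the linked migration script): read-only
# checks for the 2016 CA after the CSP->KSP migration and the move to SHA-256.
# Assumptions: elevated session on the CA, built-in certutil.exe, and the Microsoft
# Software Key Storage Provider as the target KSP (adjust the match for an HSM KSP).
function Test-CaMigrationState {
    $r = [ordered]@{}

    # The service must be up; the original outage was exactly CertSvc refusing to start.
    $r.ServiceRunning = (Get-Service -Name CertSvc).Status -eq 'Running'

    # Provider holding the CA key. A legacy CSP name here (e.g. "Microsoft Strong
    # Cryptographic Provider") means the KSP migration did not take effect.
    $provider = (& certutil.exe -getreg CA\CSP\Provider) -join "`n"
    $r.UsesKsp = $provider -match 'Key Storage Provider'

    # KSP-based CAs take the signing hash from CNGHashAlgorithm, not the old HashAlgorithm value.
    $hash = (& certutil.exe -getreg CA\CSP\CNGHashAlgorithm) -join "`n"
    $r.ConfiguredSha256 = $hash -match 'SHA256'

    # Export the CA certificate the service currently uses and check how it was signed.
    # Only a root renewed after the change shows sha256RSA; the 2003-era one still shows sha1RSA.
    $cerPath = Join-Path $env:TEMP 'current-ca.cer'
    & certutil.exe -f -ca.cert $cerPath | Out-Null
    $caCert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                         -ArgumentList $cerPath
    $r.CaCertSignature  = $caCert.SignatureAlgorithm.FriendlyName
    $r.CaCertThumbprint = $caCert.Thumbprint

    # The renewed root must also be in the machine's Trusted Root store. Run the same
    # check on a domain-joined client to confirm the GPO actually distributed it.
    $r.RootTrustedLocally = [bool](Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $caCert.Thumbprint })

    $r.AllGood = ($r.ServiceRunning -and $r.UsesKsp -and $r.ConfiguredSha256 -and
                  $r.CaCertSignature -eq 'sha256RSA' -and $r.RootTrustedLocally)
    [pscustomobject]$r
}

Test-CaMigrationState | Format-List
```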

Feel free to post any questions or comments you may have.
