RE: Upgrade Standard CA to an Enterprise CA

From: Rebecca Chen [MSFT] (v-rebc_at_online.microsoft.com)
Date: 01/17/05


Date: Mon, 17 Jan 2005 03:35:30 GMT

Hi Lee,

Do you mean you want to migrate the stand-alone CA to an Enterprise CA? If
this is the case, please refer to the following article to perform the
steps. This article details how to migrate from a stand-alone CA to an
Enterprise CA, with illustrations. I would like to brief the steps below:

1. Back up the existing key pairs used by the CA and its database.

2. Back up the certificate database, the CA certificate, and the CA private
key.

3. Remove the stand-alone CA from the server by uninstalling it.

4. Join the computer to a domain in the forest if it is not already joined
to one.

Best Practice: The recommended best practice is to install CAs as a member
of the root domain in the forest to provide centralized administration and
control of the PKI services. For additional best practices, see the Windows
Server 2003 Resource Kit.

5. Reinstall the CA by adding the Certificate Services.

6. Select Enterprise root CA as the CA Type, and select custom settings for
the key generation.

7. Choose the CSP that has access to the old CA keys, and choose the same
keys and certificate used with the old CA.

8. Select Preserve existing certificate database to use the old database.

9. When prompted for stopping the IIS service, click Yes to finish the
installation of the CA.

More details can be found in:
Windows Server 2003 PKI Operations Guide
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx#EQAA

HTH!

Any update, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
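
Added example (not part of the original post, and not Microsoft's own script): one way to script the backup in steps 1-2 and to confirm after step 9 that the reinstalled CA still presents the original certificate. It assumes certutil.exe is used for the backup and that D:\CABackup is the backup folder; run it with -Phase Backup before step 3 and with -Phase Verify after step 9.

```powershell
# Added example. certutil.exe as the backup tool and the D:\CABackup path are assumptions.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Backup', 'Verify')][string]$Phase,
    [string]$BackupDir = 'D:\CABackup'
)
$ErrorActionPreference = 'Stop'
$before = Join-Path $BackupDir 'ca-before.cer'
$after  = Join-Path $BackupDir 'ca-after.cer'

function Invoke-Certutil([string]$Step, [string[]]$Arguments) {
    # Arguments go in as an array so PowerShell does not split '-ca.cert' at the dot.
    & certutil.exe $Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "certutil step '$Step' failed with exit code $LASTEXITCODE" }
}

function Get-CertFromFile([string]$Path, [string]$Password) {
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    if ($Password) { New-Object $type -ArgumentList $Path, $Password }
    else           { New-Object $type -ArgumentList $Path }
}

if ($Phase -eq 'Backup') {
    # Steps 1-2: database, CA certificate and private key, taken before the CA is uninstalled.
    $sec = Read-Host 'Password for the exported CA key' -AsSecureString
    $pw  = (New-Object System.Net.NetworkCredential -ArgumentList '', $sec).Password
    Invoke-Certutil 'backup'  @('-p', $pw, '-backup', $BackupDir)
    Invoke-Certutil 'ca.cert' @('-f', '-ca.cert', $before)

    # The backup only helps if the .p12 opens and holds the key for the current CA certificate.
    # Assumes the CA has a single certificate (never renewed with a new key).
    $p12 = Get-ChildItem -Path $BackupDir -Filter '*.p12' | Select-Object -First 1
    if (-not $p12) { throw "No .p12 key backup found in $BackupDir" }
    $fromP12 = Get-CertFromFile $p12.FullName $pw
    $keyOk = $fromP12.HasPrivateKey; $thumb = $fromP12.Thumbprint
    $fromP12.Reset()   # release the temporary key container created by loading the .p12
    $current = (Get-CertFromFile $before).Thumbprint
    if (-not $keyOk)          { throw 'Backup .p12 contains no private key' }
    if ($thumb -ne $current)  { throw 'Backup .p12 does not match the CA certificate' }
    if (-not (Test-Path (Join-Path $BackupDir 'DataBase'))) { throw 'Database backup folder is missing' }
    "Backup verified. CA certificate thumbprint: $current"
}
else {
    # After steps 5-9: the reinstalled Enterprise CA must present the same certificate as before.
    Invoke-Certutil 'ca.cert' @('-f', '-ca.cert', $after)
    $old = (Get-CertFromFile $before).Thumbprint
    $new = (Get-CertFromFile $after).Thumbprint
    if ($old -ne $new) { throw "CA certificate changed: $old -> $new" }
    "Reinstalled CA uses the original certificate: $new"
}
```

Copy the backup folder off the server before uninstalling, since the .p12 file holds the CA private key and is protected only by the password chosen here.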


