windows2008R2下CA(CS)服务迁移

     说到CA(CS)服务相信很多人运维人员都比较熟悉的一个服务,CA(Certificate Authority),CS(Certificate Service)不仅在windows服务存在,同样也在linux下存在,主要目的是提高安全性的,CA 也拥有一个证书(内含公钥和私钥)。网上的公众用户通过验证 CA 的签字从而信任 CA ,任何人都可以得到 CA 的证书(含公钥),用以验证它所签发的证书。如果用户想得到一份属于自己的证书,他应先向 CA 提出申请。在 CA 判明申请者的身份后,便为他分配一个公钥,并且 CA 将该公钥与申请者的身份信息绑在一起,并为之签字后,便形成证书发给申请者。如果一个用户想鉴别另一个证书的真伪,他就用 CA 的公钥对那个证书上的签字进行验证,一旦验证通过,该证书就被认为是有效的。证书实际是由证书签证机关(CA)签发的对用户的公钥的认证。证书的内容包括:电子签证机关的信息、公钥用户信息、公钥、权威机构的签字和有效期等等。目前,证书的格式和验证方法普遍遵循X.509 国际标准。证书的工作原理是:加密和解密;加密就是将文字转换成不能直接阅读的形式(即密文)的过程称为加密。即把我们平时看到的“http”加密成“https”来传输,这样保证了信息在传输的过程中不被窃听;而解密就是:我们将密文转换成能够直接阅读的文字(即明文)的过程称为解密。具体就不多说了,如果有不明白的可以在网上找找相关的文档查阅,接下来说说我的环境;

   公司环境不是太复杂,多个站点部署了多个DC来提高访问效率,在北京的站点中有三台DC,其中有一台DC上运行着ADCS服务,对于CA的部署架构微软建议独立运行,不建议和ADDS在在同一台服务器上运行,近期由于公司做了AD的健康检查, 检测出运行CA服务的DC数据库损坏,导致整个环境非常危险,之前的想法是直接降级DC只保存CA服务运行,可在实施的时候发现在卸载ADDS服务的时候提示运行这个CA服务,必须在卸载CS服务后才能对DC降级,所以被迫无奈对整个CA服务进行迁移,然后对DC降级,最后对整个CA的迁移做了一个笔记,以致给大家分享出来。需要注意的是,此次做迁移的时候我的CA旧服务名称和CA新服务器名称不一样,所以在迁移的时候我们需要注意一下。具体见下:

Active Directory Certificate Services Migration Guide

http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx

         Here is a detailed steps that I summarized, please check:

https://technet.microsoft.com/zh-cn/library/9aa53be9-0497-49fa-9ff6-09b72cb69444(v=ws.10)#BKMK_AddCA

https://technet.microsoft.com/zh-cn/library/ee126170(v=ws.10).aspx

===Enterprise Root CA Migration Steps===

1. First we need to do a full CA database backup using the following command:

CERTUTIL -f -p -backup

Note: Please remember that you specify in the command above, it will be used when install the CA later.

windows2008R2下CA(CS)服务迁移_第1张图片

备份完成

windows2008R2下CA(CS)服务迁移_第2张图片

或者使用手动的方式备份

使用“证书颁发机构”管理单元备份 CA 数据库和私钥

  1. 选择备份位置并附加媒体(如有必要)。

  2. 登录到源 CA。

  3. 打开“证书颁发机构”管理单元。

  4. 右键单击包含 CA 名称的节点,指向“所有任务”,然后单击“备份 CA”。

  5. 在 CA 备份向导的“欢迎”页上,单击“下一步”。

  6. 在“要备份的项目”页上,选中“私钥和 CA 证书”以及“证书数据库和证书数据库日志”复选框,指定备份位置,然后单击“下一步”。

  7. 在“选择密码”页上,键入用于保护 CA 私钥的密码,并单击“下一步”。

windows2008R2下CA(CS)服务迁移_第3张图片

windows2008R2下CA(CS)服务迁移_第4张图片

备份完成

  1. 在“正在完成备份向导”页上,单击“完成”。

  2. 备份完成后,验证所指定的位置中的以下文件:

  • 包含 CA 证书和私钥的 CA 名称.p12

  • 包含文件 certbkxp.dat、edb#####.log 和 CA 名称.edb 的 Database 文件夹

windows2008R2下CA(CS)服务迁移_第5张图片

打开命令提示符窗口,并键入 net stop certsvc 以停止“Active Directory 证书服务”服务

windows2008R2下CA(CS)服务迁移_第6张图片

2. Back The CA service registry key:

备份 CA 注册表设置

REG export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration C:\CABackup\RegBak.reg

使用 Regedit.exe 备份 CA 注册表设置

  1. 单击“开始”,指向“运行”,并键入 regedit 以打开注册表编辑器。

  2. 在 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc 中,右键单击“Configuration”,然后单击“导出”。

  3. 指定位置和文件名,然后单击“保存”。这将创建一个包含源 CA 中的 CA 配置数据的注册表文件。

  4. 将该注册表文件复制到可从目标服务器中访问的位置;例如,共享文件夹或可移动媒体。

windows2008R2下CA(CS)服务迁移_第7张图片

windows2008R2下CA(CS)服务迁移_第8张图片

备份完成

windows2008R2下CA(CS)服务迁移_第9张图片

或者使用以下方式备份

使用 Reg.exe 备份 CA 注册表设置

  1. 打开命令提示符窗口。

  2. 键入 reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration <输出文件.reg>,并按 Enter。

  3. 将该注册表文件复制到可从目标服务器中访问的位置;例如,共享文件夹或可移动媒体。

3. Publishing a CRL with an extended validity period:

a. In the CA console, right click on the Revoked Certificates->All Tasks->Publish->New CRL

b. Then you will have additional week CRL(default value is 1 week) for the current certificate to use during the migration.

c.

http://technet.microsoft.com/en-us/library/cc778151(WS.10).aspx

windows2008R2下CA(CS)服务迁移_第10张图片

我们看见rpc服务器不可用,我们需要net start certsvc 启动后就正常了

windows2008R2下CA(CS)服务迁移_第11张图片

windows\system32\certsrv\CertEnroll

windows2008R2下CA(CS)服务迁移_第12张图片

4. Backup CAPolicy.inf: (因为没有定义,所以我们忽略该步骤)

If your source CA is using a custom CAPolicy.inf file, you should copy the file to the same location on the destination server as the source CA backup files. The CAPolicy.inf file is located in the %SystemRoot% directory, which is usually C:\Windows.

5. Backup CA templates list: (也可以忽略该步骤)

a. Open a Command Prompt window.

b. Run

certutil.exe -catemplates > catemplates.txt

then Verify that the catemplates.txt file contains the templates list.

windows2008R2下CA(CS)服务迁移_第13张图片

6. Remove the CA service on the server, use the Remove Roles Wizard in Server Manager.

提示我们需要先卸载WEB服务iis才能卸载

windows2008R2下CA(CS)服务迁移_第14张图片

windows2008R2下CA(CS)服务迁移_第15张图片

windows2008R2下CA(CS)服务迁移_第16张图片

继续卸载AD证书服务

windows2008R2下CA(CS)服务迁移_第17张图片

windows2008R2下CA(CS)服务迁移_第18张图片

7. Copy the CA backup folder to the new CA server.

windows2008R2下CA(CS)服务迁移_第19张图片

8. Import the CA certificates:

a. Start the Certificates MMC snap-in for the local computer account.

windows2008R2下CA(CS)服务迁移_第20张图片

b. In the console tree, double-click Certificates (Local Computer), and click Personal.

windows2008R2下CA(CS)服务迁移_第21张图片

windows2008R2下CA(CS)服务迁移_第22张图片

c. On the Action menu, click All Tasks, and then click Import to open the Certificate Import Wizard. Click Next.

windows2008R2下CA(CS)服务迁移_第23张图片

d. Locate the .p12 file created by the CA certificate and private key backup on the source CA, and click Open.

windows2008R2下CA(CS)服务迁移_第24张图片

e. Type the password in the first step, and click OK.

windows2008R2下CA(CS)服务迁移_第25张图片

f. Click Place all certificates in the following store.

g. Verify Personal is displayed in Certificate store. If it is not, click Browse, click Personal, and click OK.

windows2008R2下CA(CS)服务迁移_第26张图片

9. Adding the CA role service by using Server Manager on the new installed server:

a. Start Server Manager.

b. In the console tree, click Roles.

c. On the Action menu, click Add Roles.

d. If the Before you Begin page appears, click Next.

e. On the Select Server Roles page, select the Active Directory Certificate Services check box, and click Next.

f. On the Introduction to AD CS page, click Next.

g. On the Role Services page, click the Certification Authority check box, and click Next.

Note: If you plan to install other role services on the destination server, you should complete the CA installation first, and then install other role services separately. Installation procedures for other AD CS role services are not described in this guide.

windows2008R2下CA(CS)服务迁移_第27张图片

8. On the Specify Setup Type page, specify either Enterprise or Standalone, to match the source CA, and click Next.

9. On the Specify CA Type page, specify either Root CA or Subordinate CA, to match the source CA, and click Next.

windows2008R2下CA(CS)服务迁移_第28张图片

windows2008R2下CA(CS)服务迁移_第29张图片

10.On the Set Up Private Key page, select Use existing private key and Select a certificate and use its associated private key.

windows2008R2下CA(CS)服务迁移_第30张图片

11.In the Certificates list, click the imported CA certificate, and then click Next.

windows2008R2下CA(CS)服务迁移_第31张图片

windows2008R2下CA(CS)服务迁移_第32张图片

12.On the Configure Certificate Database page, specify the locations for the CA database and log files.

windows2008R2下CA(CS)服务迁移_第33张图片

13.On the Confirm Installation Selections page, review the messages, and then click Install.

windows2008R2下CA(CS)服务迁移_第34张图片

windows2008R2下CA(CS)服务迁移_第35张图片

10.Restore the CA database from the backup:

a. Use CA administrator to log on to the destination server by using an account that is a CA administrator.

b. Start the Certification Authority snap-in.

c. Right-click the node with the CA name, point to All Tasks, and then click Restore CA. If prompted, click OK to stop the CA service.

windows2008R2下CA(CS)服务迁移_第36张图片

windows2008R2下CA(CS)服务迁移_第37张图片

d. On the Welcome page, click Next.

windows2008R2下CA(CS)服务迁移_第38张图片

e. On the Items to Restore page, select Certificate database and certificate database log.

f. Click Browse, and locate the Database directory that contains the CA database files created during the CA database backup.

windows2008R2下CA(CS)服务迁移_第39张图片

NOTE: Do not select the Database directory. Select its parent directory.

7. Type the password that you used to back up the CA database on the source CA.

windows2008R2下CA(CS)服务迁移_第40张图片

8. Click Finish, and then click Yes to restart the CA service

windows2008R2下CA(CS)服务迁移_第41张图片

windows2008R2下CA(CS)服务迁移_第42张图片

https://technet.microsoft.com/zh-cn/library/ee126140(v=ws.10)#BKMK_RestoreReg

11.Since we are migrating the CA from one server to another using the different server name, before we import the registry exported from the old server, we first use text editor to change the CA servername from old one to the new one:

net stop certsvc

windows2008R2下CA(CS)服务迁移_第43张图片

a. Right-click the .reg file created by exporting the settings from the source CA.

b. Click Edit to open the file in a text editor.

c. If the target CA's computer name is different from the source CA's computer name, search the file for the host name of the source CA computer. For each instance of the host name found, ensure that it is the appropriate value for the target environment. Change the host name, if necessary. Update the CAServerName value.

windows2008R2下CA(CS)服务迁移_第44张图片

Do not change Active value within the Configuration key and the CommonName value within the CAName key. The CA name must not be changed as part of the migration.

This means the new target CA must have the old CA's name, even if part of that name is the old CA's host name.

4. Check any registry values that indicate local file paths, such as the following, to ensure drive letter names and paths are correct for the target CA. If there is a mismatch between the source and the target CA, either update the values in the file or remove them from the file so that the default settings are preserved on the target CA.

5. These storage location settings are elected during CA setup. They exist under the Configuration registry key:

a. DBDirectory

b. DBLogDirectory

c. DBSystemDirectory

d. DBTempDirectory

6. The following settings under the Configuration\{CA Name} registry key contain, in their default values, a local path. (Alternatively, you can update these values after importing them by using the Certification Authority snap-in. The values are located on the CA properties Extensions tab.)

a. CACertPublicationURLs

b. CRLPublicationURLs

7. Any values not listed can retain the value data installed by default with the target CA. You can remove any registry values that you do not want to import into the target CA. Once the text file is edited, it can be imported into the target CA. By importing the source server registry settings backup into the destination server, the source CA configuration is migrated to the destination server.

12.After modifying the registry, we can import it into the new CA server.(以下操作均为确认操作,可以忽略)

a. Stop the Certificate service: net stop certsvc.

b. Locate the registry file that you just modified in the backup folder, and then double-click it to import the registry settings.

c. Open Regedit, in the console tree, locate the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration, and click Configuration.

d. In the details pane, double-click DBSessionCount.

e. Click Hexadecimal. In Value data, type 64, and then click OK.

f. Verify the locations specified in the following settings are correct for your destination server, and change them as needed to indicate the location of the CA database and log files.

a. DBDirectory

b. DBLogDirectory

c. DBSystemDirectory

d. DBTempDirectory

13.Restore the Certificate Template list:

a. Open a command prompt window.

b. Run

certutil -setcatemplates +

NOTE: Replace with a comma-separated list of the template names that are listed in the catemplates.txt file created during Step 6.

For example,

certutil -setcatemplates +Administrator,User,DomainController

14.Start the CA service. After CA service startup, please do the following things to mapping the CDP to old location for existing certifications:

a. Open CA console, right click on the CA name and Properties.

windows2008R2下CA(CS)服务迁移_第45张图片

b. In the Extensions tab, check the CDP, add the old CDP into the list:

添加以下内容,但是需要修改OLDservername

ldap:///CN=,CN=OldServerName,CN=CDP,CN=Public Key Services,CN=Services,

Check all the options below:

1. Publish CRLs to this location

2. Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually.

3. Include in CRLs. Clients use this to find Delta CRL locations.

4. Publish Delta CRLs to this location

windows2008R2下CA(CS)服务迁移_第46张图片

修改旧的Caname

windows2008R2下CA(CS)服务迁移_第47张图片

注意勾选以下内容

windows2008R2下CA(CS)服务迁移_第48张图片

提示会重启CA服务

15.Assign permission on the AIA and CDP containers:

a. Log on as a member of the Enterprise Admins group to a computer on which the Active Directory Sites and Services snap-in is installed.

b. Click Start, point to Run, type dssite.msc, and then click OK.

c. In the console tree, click the top node.

d. On the View menu, click Show services node.

windows2008R2下CA(CS)服务迁移_第49张图片

e. In the console tree, expand Services, expand Public Key Services, and then click AIA.

windows2008R2下CA(CS)服务迁移_第50张图片

f. In the details pane, right-click the name of the CA, and then click Properties.

g. Click the Security tab, and then click Add.

windows2008R2下CA(CS)服务迁移_第51张图片

h. Click Object Types, click Computers, and then click OK.

windows2008R2下CA(CS)服务迁移_第52张图片

i. Type the name of the NewServer$, and click OK.

windows2008R2下CA(CS)服务迁移_第53张图片

j. In the Allow column, click Full Control, and click Apply.

windows2008R2下CA(CS)服务迁移_第54张图片

k. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

windows2008R2下CA(CS)服务迁移_第55张图片

l. In the console tree, expand CDP, and then click the name of the old server.

m. In the details pane, right-click the cRLDistributionPoint item at the top of the list, and then click Properties.

windows2008R2下CA(CS)服务迁移_第56张图片

n. Click the Security tab, and then click Add.

o. Click Object Types, click Computers, and then click OK.

p. Type the name of the NewServer$, and click OK.

windows2008R2下CA(CS)服务迁移_第57张图片

q. In the Allow column, click Full Control, and click Apply.

windows2008R2下CA(CS)服务迁移_第58张图片

r. If the old server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

windows2008R2下CA(CS)服务迁移_第59张图片

s. Repeat steps for each cRLDistributionPoint item in old server CDP.

After all the steps above, every time the new CA publish CRL, it will publish to both its own CDP and old CDP in AD. So the new issued certificates can find the new CDP to check the CRL, and the existing certificates will still be able to find the old CDP to check latest CRL.

最后我们只需要通过申请办法证书测试即可;同时运行

pkiview.msc查看状态