This appendix covers the following migration tasks:
  1. Back up the CA database, CA certificate, and private key on the AD CS server.
  2. Remove the CA role service from the AD CS server.
  3. Import the private key into the HSM by using FXCLI.
  4. Restore the AD CS server.

Back up the database, certificate, and key

To back up the CA database, certificate, and private key on the AD CS server, you must use an account that is a CA administrator. On an enterprise CA, the default CA administrator configuration includes the local Administrators group, the Enterprise Admins group, and the Domain Admins group. On a standalone CA, the default configuration includes only the local Administrators group. The following steps use the Certification Authority snap-in to back up the CA database and private key. If you prefer to complete these steps by using PowerShell or Certutil.exe, see the following Microsoft article: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v=ws.11)
1. Choose a backup location and attach media, if necessary.
2. Log on to the source CA.
3. Open the Certification Authority snap-in.
4. Right-click the node with the CA name, select All Tasks, and then select Back Up CA.
5. In the Welcome window of the CA Backup wizard, select [ Next ].
6. In the Items to Back Up window, select the Private key and CA certificate and Certificate database and certificate database log check boxes, specify the backup location, and then select [ Next ].
7. In the Select a Password window, type a password to protect the CA private key, and select [ Next ].
8. In the Completing the Backup Wizard window, select [ Finish ].
9. After the backup completes, verify that the following files exist in the location you specified:
  • CAName.p12, which contains the CA certificate and private key.
  • The database folder, which contains the files certbkxp.dat, edb#####.log, and CAName.edb.
10. Open a command prompt window, and type net stop certsvc to stop the AD CS service.
   Stop the service to prevent the issuance of additional certificates. If the source CA issues certificates after a database backup completes, repeat the CA database backup procedure so that the backup contains all issued certificates.
11. Copy all backup files to a location that is accessible from the destination server, such as a network share or removable media.
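The same backup, performed from PowerShell instead of the snap-in, as an added example that is not part of the Futurex page. It uses the Backup-CARoleService cmdlet from the ADCSAdministration module and then checks for the files the wizard is expected to produce; the backup path C:\CABackup and the CA name WINDOWS-SERVER-CA are assumptions.

```powershell
# Added example (not from the Futurex page): PowerShell equivalent of backup steps 1-10.
# Assumptions: backup folder C:\CABackup and CA name WINDOWS-SERVER-CA; adjust both.
$BackupPath = 'C:\CABackup'
$CAName     = 'WINDOWS-SERVER-CA'

# Password that protects the exported private key inside the PKCS #12 (.p12) file.
$Password = Read-Host -Prompt 'Password to protect the CA private key' -AsSecureString

# Back up private key, CA certificate, database and database log in one call
# (the CA service must still be running at this point).
Backup-CARoleService -Path $BackupPath -Password $Password -Force

# Verify that the backup holds what the wizard lists: the .p12 plus the database folder.
$Expected = @(
    (Join-Path $BackupPath "$CAName.p12"),
    (Join-Path $BackupPath 'Database\certbkxp.dat'),
    (Join-Path $BackupPath "Database\$CAName.edb")
)
$Missing = @($Expected | Where-Object { -not (Test-Path $_) })
if (-not (Test-Path (Join-Path $BackupPath 'Database\edb*.log'))) { $Missing += 'Database\edb*.log' }
if ($Missing.Count -gt 0) {
    throw "Backup is incomplete; missing: $($Missing -join ', ')"
}

# Stop the CA service so that no certificates are issued after the backup was taken.
Stop-Service -Name certsvc
Write-Host "Backup complete in $BackupPath and certsvc stopped; copy the folder to the destination server."
```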

Remove the CA role service

Perform the following steps to remove the CA role service from the AD CS server:
1. In Server Manager, select [ Manage ] in the top menu, and select [ Remove Roles and Features ].
2. In the Before you begin section of the Remove Roles and Features Wizard, select [ Next ].
3. In the Select destination server window, leave the default option selected and select [ Next ].
4. In the Remove server roles window, select the Active Directory Certificate Services role.
5. When prompted, select [ Remove Features ].
6. Select [ Next ] until you reach the Confirmation page, and then select [ Remove ].
7. After the removal process completes, close the window and restart the server to finish removing the features.

Import the private key into the Vectera Plus HSM

In this section, the HSM CLI application (FXCLI) is used to import the private key that was backed up from AD CS.
1. Run the following command to connect to the HSM through USB. The computer that is running HSM CLI must be directly connected to the front USB port of the HSM.
FXCLI
  connect usb
2. Log in with the default Admin identities. The login user command prompts for the username and password; run it twice to log in with both default Admin identities.
FXCLI
  login user
3. Run the following command to import the private key of the CA into an available key slot on the HSM.
FXCLI
  pkcs12 import -f C:\Futurex\WINDOWS-SERVER-CA.p12 -p safest -s 10 --label WINDOWS-SERVER-CA --win-system-dacl
If the import succeeded, running the keytable reload command shows the private key in the designated slot, as in the following example:
Output
keytable reload
result:
    status: success
    statusCode: 0
slots:
    -
        slot: 10
        type: "key"
        name: "WINDOWS-SERVER-CA"
        kcv: "266B"
        algorithm: RSA
        bits: 2048
        usage: Sign,Verify
        startValidity: "1971-01-01 00:00:00"
        endValidity: "2999-01-01 00:00:00"
        exportable: true
        clearExportable: false
        passwordExportable: false
        requiresAuth: false
        modifiable: true
        externalData: "01000000030000001257494E444F57532D5345525645522D2D4341000001020000001257494E444F57532D5345525645522D2D4341000001200000010087C59F43B051DEF062AAD4AA8128913D3344D4AF197B28C709242504E9323B65A6609251EB2061674E2B55F3B1CCD85C573D76EAD3F6EDFECA3AAD729EC25EEC5AE078E38E0E803E92C86C06C5C11914CD5FCF12DE26465534CCD911D9568D12093EF4CA311B4D2795CA92BD23F43898DC382A65B131597F7C946DDEAD3DEF0A792B85321A074D8E31B11A20700A531B1746F1A8F7239EC17EE4FD1F8C8209B142E7C8BA51C2724B286CEDA0141D0021154CD43FAEF77BBC3390A88172B9ADD6D54BED3E1E3855AB9AB822F1B900D430C22542DAB2FA96AE8A03268D717F6F98F6817320CF87E3C63BE5AB374C1606377DB481C1C327E46BF6E553E6FB3E3F8B00000121000000040008000000000122000000030100010000016300000001008000DA7E00000048010004940000000000000000000000001400000002003400020000000003180000000010010200000000000520000000200200000003140000000010010100000000000512000000"

Restore the AD CS server

This section shows you how to restore the AD CS server by performing the following tasks:
  1. Import the CA certificate.
  2. Re-add the CA role service.
  3. Restore the CA database and configuration.

Import the CA certificate

The first section of this appendix backs up the CA certificate to a PKCS #12 (PFX) file that contains both the certificate and the private key. Because the private key should no longer exist in AD CS (it is now stored on the HSM), this example uses OpenSSL to extract only the certificate from the PKCS #12 file before importing the CA certificate back into Windows. You must install OpenSSL for Windows before performing this procedure.
Perform the following steps to import the CA certificate:
1. Open PowerShell and run the following OpenSSL command to extract only the CA certificate from the PKCS #12 backup file. The CA certificate is written to the file name specified in the -out flag.
PowerShell
  openssl pkcs12 -in WINDOWS-SERVER-CA.p12 -out WINDOWS-SERVER-CA.pem -nokeys
2. Start the Certificates snap-in for the local computer account.
3. In the console tree, double-click Certificates (Local Computer) and select Personal.
4. On the Action menu, select All Tasks and select Import to open the Certificate Import Wizard. Select [ Next ].
5. Locate the <CAName>.pem file that was output from the OpenSSL command in step 1, and select [ Open ].
6. Select Place all certificates in the following store.
7. Verify that Personal is displayed as the certificate store. If you don't see it, select Browse, select Personal, and select [ OK ].
8. In the console tree, double-click Personal Certificates and select the imported CA certificate.
9. On the Action menu, select [ Open ]. Go to the Details tab, copy the serial number to the Clipboard, and select [ OK ].
10. Open a command prompt, type certutil -store My "{Serialnumber}", and then press ENTER.
11. Copy the value in the Unique container name field from the output of the preceding command to the clipboard.
12. Run the following command to delete the private key's original association with the CA certificate (from when it was stored in software):
PowerShell
  certutil -delkey -csp ksp "Unique container name"
13. Run the following command to associate the CA certificate with the private key now stored on the HSM. Specify the same certificate serial number that you used in step 10.
PowerShell
  certutil -repairstore -csp "Futurex CNG" My "Serial Number"
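Steps 1 and 9 through 13 above as one PowerShell script, plus a check that the certificate now resolves to a key served by the "Futurex CNG" provider rather than a software key. This is an added example, not code from the Futurex page; it assumes openssl.exe is on PATH and that the backup file is C:\CABackup\WINDOWS-SERVER-CA.p12, and it skips the delkey step when certutil reports no software container for the certificate.

```powershell
# Added example (not from the Futurex page): automate steps 1 and 9-13 and verify the result.
# Assumptions: openssl.exe on PATH; backup at C:\CABackup\WINDOWS-SERVER-CA.p12.
$P12 = 'C:\CABackup\WINDOWS-SERVER-CA.p12'
$Pem = 'C:\CABackup\WINDOWS-SERVER-CA.pem'

# Step 1: extract the certificate only; the private key must not re-enter Windows.
& openssl pkcs12 -in $P12 -out $Pem -nokeys
if ($LASTEXITCODE -ne 0) { throw 'openssl failed to extract the certificate' }

# Steps 2-9: import into the local computer's Personal store and take the serial number.
$Cert   = Import-Certificate -FilePath $Pem -CertStoreLocation Cert:\LocalMachine\My
$Serial = $Cert.SerialNumber

# Steps 10-11: read the "Unique container name" that certutil reports for this serial.
$Match = certutil -store My $Serial | Select-String 'Unique container name:\s*(.+)$' | Select-Object -First 1
$Container = if ($Match) { $Match.Matches[0].Groups[1].Value.Trim() } else { $null }

# Step 12: remove the leftover software (KSP) key association, if one exists.
if ($Container) {
    certutil -delkey -csp ksp $Container
} else {
    Write-Host 'No software key container is linked to the certificate; nothing to delete.'
}

# Step 13: bind the certificate to the private key that now lives on the HSM.
certutil -repairstore -csp "Futurex CNG" My $Serial
if ($LASTEXITCODE -ne 0) { throw 'repairstore failed; check that the HSM key label matches the CA key' }

# Verification: the key behind the certificate must come from the HSM provider,
# and its CNG export policy should not allow plaintext export.
$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $Serial }
$Rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
if (-not ($Rsa -is [System.Security.Cryptography.RSACng])) { throw 'certificate is not bound to a CNG key' }
$Provider = $Rsa.Key.Provider.Provider
Write-Host "Key provider: $Provider; export policy: $($Rsa.Key.ExportPolicy)"
if ($Provider -ne 'Futurex CNG') { throw "key is served by '$Provider', not by the HSM provider" }
```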

Re-add the CA role service

Perform the following steps to re-add the CA role service by using Server Manager:
1. In the console tree, select Roles.
2. On the Action menu, select Add Roles.
3. In the Before you Begin window, select [ Next ].
4. In the Select Server Roles window, select the Active Directory Certificate Services checkbox and select [ Next ].
5. In the Introduction to AD CS window, select [ Next ].
6. In the Role Services window, select the Certification Authority checkbox and select [ Next ].
7. In the Specify Setup Type window, specify either Enterprise or Standalone, to match the source CA. Then, select [ Next ].
8. In the Specify CA Type window, specify either Root CA or Subordinate CA, to match the source CA. Then, select [ Next ].
9. In the Set Up Private Key window, select Use existing private key and Select a certificate and use its associated private key.
10. In the Certificates list, select the imported CA certificate and select [ Next ].
11. In the CA Database window, specify the locations for the CA database and log files. Select [ Next ].
12. In the Confirmation window, review the messages and select [ Configure ].

Restore the CA database

After you reinstall the CA role service, perform the following steps, which use the Certification Authority snap-in to restore the CA database and configuration:
1. Start the Certification Authority snap-in.
2. Right-click the node with the CA name, select All Tasks, and then select Restore CA.
3. In the Welcome window, select [ Next ].
4. In the Items to Restore window, select Certificate database and certificate database log.
5. Select [ Browse ]. Go to the parent folder that holds the Database folder (the folder that contains the CA database files created during the CA database backup).
   Do not select the Database folder itself. Select its parent folder.
6. Select [ Next ] and then [ Finish ].
7. Select [ Yes ] to start the CA service (certsvc).