Appendix: Migrate an existing CA key from software storage to the HSM
This appendix covers the following migration tasks:
- Back up the CA database, CA certificate, and private key on the AD CS server.
- Remove the CA role service from the AD CS server.
- Import the private key into the HSM by using FXCLI.
- Restore the AD CS server.
To back up the CA database, certificate, and private key, you must use an account that is a CA administrator. On an enterprise CA, the default configuration for CA administrators includes the local Administrators group, the Enterprise Admins group, and the Domain Admins group. On a standalone CA, the default configuration for CA administrators includes the local Administrators group.
The following steps use the Certification Authority snap-in to back up the CA database and private key. If you prefer to complete these steps by using PowerShell or Certutil.exe, see the following Microsoft documentation: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v=ws.11)
1. Choose a backup location and attach media, if necessary.
2. Log on to the source CA.
3. Open the Certification Authority snap-in.
4. Right-click the node with the CA name, select All Tasks, and then select Back Up CA.
5. In the Welcome window of the CA Backup wizard, select [ Next ].
6. In the Items to Back Up window, select the Private key and CA certificate and Certificate database and certificate database log check boxes, specify the backup location, and then select [ Next ].
7. In the Select a Password window, type a password to protect the CA private key, and then select [ Next ].
8. In the Completing the Backup Wizard window, select [ Finish ].
9. After the backup completes, verify that the following files exist in the location you specified:
   - CAName.p12, which contains the CA certificate and private key.
   - The Database folder, which contains the files certbkxp.dat, edb#####.log, and CAName.edb.
10. Open a command prompt window and type net stop certsvc to stop the AD CS service.
    Stopping the service prevents the issuance of additional certificates. If the source CA issues certificates after the database backup completes, repeat the CA database backup so that the backup contains all issued certificates.
11. Copy all backup files to a location that is accessible from the destination server, such as a network share or removable media.
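The same backup, done from PowerShell instead of the snap-in, as an added example that is not part of the original guide. It uses the ADCSAdministration module's Backup-CARoleService cmdlet, stops the CA service afterwards, checks that the expected files were produced, and records SHA-256 hashes so the copy on the destination can be verified before it is restored. The backup path C:\CABackup, the DataBase subfolder name and the hash manifest file name are assumptions.

```powershell
# Added example (not from the original guide): back up the CA with the
# ADCSAdministration module, then verify the output and record file hashes.
# Assumed values: backup path C:\CABackup, DataBase subfolder name,
# manifest file name backup-hashes.csv.
Import-Module ADCSAdministration

$backupPath = 'C:\CABackup'
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

# Prompt for the PFX password; it is never written into the script.
$pfxPassword = Read-Host -Prompt 'Password to protect the CA private key' -AsSecureString

# Equivalent of selecting both "Private key and CA certificate" and
# "Certificate database and certificate database log" in the wizard.
# The CA service must be running for the backup API to work.
Backup-CARoleService -Path $backupPath -Password $pfxPassword

# Stop the CA so that no certificates are issued after the backup was taken.
Stop-Service -Name certsvc

# Verify the artifacts the wizard steps describe: a .p12 and the database files.
$pfx = Get-ChildItem -Path $backupPath -Filter '*.p12'
$dbFolder = Join-Path $backupPath 'DataBase'   # assumed subfolder name
$dbFiles = Get-ChildItem -Path $dbFolder -Recurse -File -Include 'certbkxp.dat', '*.edb', 'edb*.log'
if (-not $pfx -or $dbFiles.Count -lt 3) {
    throw "Backup in $backupPath is incomplete: expected a .p12 file and certbkxp.dat, *.edb and edb*.log"
}

# Record SHA-256 hashes (paths relative to the backup folder) so the copied
# backup can be checked for integrity on the destination server.
Get-ChildItem -Path $backupPath -Recurse -File |
    Where-Object { $_.Name -ne 'backup-hashes.csv' } |
    ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($backupPath.Length).TrimStart('\')
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Export-Csv -Path (Join-Path $backupPath 'backup-hashes.csv') -NoTypeInformation
```

The .p12 file contains the CA private key protected only by the password you typed, so treat the backup folder and any removable media it is copied to with the same care as the HSM itself, and wipe the software copy once the key has been imported into the HSM and the CA has been restored.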
Remove the CA role service
1. In Server Manager, select the Manage button in the top menu, and then select [ Remove Roles and Features ].
2. In the Before you begin section of the Remove Roles and Features Wizard, select [ Next ].
3. In the Select destination server window, leave the default option selected and select [ Next ].
4. In the Remove server roles window, clear the Active Directory Certificate Services role check box.
5. When prompted, select [ Remove Features ].
6. Select [ Next ] until you reach the Confirmation page, and then select [ Remove ].
7. After the removal process completes, close the window and restart the server to finish removing the features.
In this section, the HSM CLI application will be used to import the private key that was backed up from AD CS.
First, run the following command to connect to the HSM via USB. (Note: the computer that is running HSM CLI must be directly connected to the front USB port of the HSM.)
Then, log in with the default Admin identities.
The login user command prompts for the username and password. You must run it twice to log in with both default Admin identities.
Now, run the following command to import the private key of the CA into an available key slot on the HSM.
If the import succeeded, running the keytable reload command shows the private key in the slot that was designated, as in the following example:
This section shows you how to restore the AD CS server by performing the following tasks:
- Import the CA certificate.
- Re-add the CA role service.
- Restore the CA database and configuration.
The first section of this appendix backed up the CA certificate to a PKCS #12 (PFX) file that contains both the certificate and the private key. Because the private key must no longer exist in AD CS (it is now stored on the HSM), this example uses OpenSSL to extract only the certificate from the PKCS #12 file before importing the CA certificate back into Windows.
You must install OpenSSL for Windows before performing this procedure.
1. Open PowerShell and run the following OpenSSL command to extract only the CA certificate from the PKCS #12 backup file:
   The CA certificate is written to the file name specified in the -out flag.
2. Start the Certificates snap-in for the local computer account.
3. In the console tree, double-click Certificates (Local Computer) and select Personal.
4. On the Action menu, select All Tasks, and then select Import to open the Certificate Import Wizard. Select [ Next ].
5. Locate the <CAName>.pem file that was output from the OpenSSL command in the first step, and select [ Open ].
6. Select Place all certificates in the following store.
7. Verify that Personal is displayed in the Certificate store field. If it is not, select Browse, select Personal, and then select [ OK ].
8. In the console tree, double-click Personal Certificates and select the imported CA certificate.
9. On the Action menu, select [ Open ]. On the Details tab, copy the serial number to the Clipboard, and then select [ OK ].
10. Open a command prompt, type certutil -store My "{SerialNumber}", and then press ENTER.
11. Copy the value in the Unique container name field from the output of the preceding command to the Clipboard.
12. Run the following command to delete the private key's original association with the CA certificate (from when it was stored in software):
13. Run the following command to associate the CA certificate with the private key now stored on the HSM:
    Specify the same certificate serial number here that was specified in step 10.
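The certificate-import procedure above, as one PowerShell script. This is an added example and not the guide's own commands; the guide's exact FXCLI-side key name, the HSM's key storage provider name, the OpenSSL install path and the backup file name are placeholders or assumptions, and the two certutil invocations used for steps 12 and 13 (certutil -delkey and certutil -repairstore with -csp) are the forms assumed here, not copied from the page. The script also adds two checks a practitioner wants: that the extracted PEM carries no private key back into Windows, and that after re-association the certificate's provider is the HSM KSP rather than the software provider.

```powershell
# Added example (not from the original guide): extract the CA certificate
# from the PKCS #12 backup, import it, and bind it to the key on the HSM.
# Placeholders/assumptions: file names, OpenSSL path, HSM provider and key
# name, and the certutil forms used for the delete and repair steps.
$pfxFile     = 'C:\CABackup\CAName.p12'                           # from the CA backup
$pemFile     = 'C:\CABackup\CAName.pem'
$openssl     = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # assumed install path
$hsmProvider = '<HSM Key Storage Provider name>'                  # placeholder: vendor KSP name
$hsmKeyName  = '<key name on the HSM>'                            # placeholder: key imported with FXCLI

# Step 1: certificate only (-clcerts -nokeys); openssl prompts for the PFX password.
& $openssl pkcs12 -in $pfxFile -clcerts -nokeys -out $pemFile
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 failed' }

# Defensive check: the PEM must not contain a private key.
if (Select-String -Path $pemFile -Pattern 'PRIVATE KEY' -Quiet) {
    Remove-Item -Path $pemFile -Force
    throw 'Extracted file contains a private key; aborting'
}

# Steps 2 to 9: import into Local Computer\Personal and read the serial number.
certutil -addstore My $pemFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -addstore failed' }
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pemFile
$serial = $cert.SerialNumber

# Steps 10 and 11: the unique container name of the old software key.
$storeOutput = certutil -store My $serial
$match = $storeOutput | Select-String -Pattern 'Unique container name:\s*(\S+)'
if (-not $match) { throw "No key container found for serial $serial" }
$container = $match.Matches[0].Groups[1].Value

# Step 12 (assumed form): remove the software key container. Not fatal if the
# container was already removed with the role service.
certutil -delkey $container | Out-Null

# Step 13 (assumed form, as used in HSM vendor guides): bind the certificate to
# the HSM-resident key via the vendor's key storage provider.
certutil -repairstore -csp $hsmProvider My $serial $hsmKeyName
if ($LASTEXITCODE -ne 0) { throw 'certutil -repairstore failed' }

# Verify: the Provider reported for the certificate must now be the HSM KSP.
$after = certutil -store My $serial
if (-not ($after | Select-String -Pattern ([regex]::Escape($hsmProvider)) -Quiet)) {
    throw 'Certificate is not bound to the HSM provider'
}
if ($after | Select-String -Pattern 'Software Key Storage Provider' -Quiet) {
    throw 'Certificate still references the software key storage provider'
}
```

Run it from an elevated PowerShell session on the CA server. The final check is the one that matters for the migration: if certutil -store still lists a software provider, the CA role you add in the next section would be configured against a software key rather than the HSM.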
1. In the console tree, select Roles.
2. On the Action menu, select Add Roles.
3. In the Before you Begin window, select [ Next ].
4. In the Select Server Roles window, select the Active Directory Certificate Services check box and select [ Next ].
5. In the Introduction to AD CS window, select [ Next ].
6. In the Role Services window, select the Certificate Authority check box and select [ Next ].
7. In the Specify Setup Type window, specify either Enterprise or Standalone, to match the source CA. Then, select [ Next ].
8. In the Specify CA Type window, specify either Root CA or Subordinate CA, to match the source CA. Then, select [ Next ].
9. In the Set Up Private Key window, select Use existing private key and then select Select a certificate and use its associated private key.
10. In the Certificates list, select the imported CA certificate and select [ Next ].
11. In the CA Database window, specify the locations for the CA database and log files. Select [ Next ].
12. In the Confirmation window, review the messages and select [ Configure ].
After you reinstall the CA role service, perform the following steps, which use the CA snap-in tool to restore the CA database and configuration:
1. Start the Certification Authority snap-in.
2. Right-click the node with the CA name, select All Tasks, and then select Restore CA.
3. In the Welcome window, select [ Next ].
4. In the Items to Restore window, select Certificate database and certificate database log.
5. Select [ Browse ]. Go to the parent folder that holds the Database folder (the folder that contains the CA database files created during the CA database backup).
   Do not select the Database folder. Select its parent folder.
6. Select [ Next ] and then [ Finish ].
7. Select [ Yes ] to start the CA service (certsvc).
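The database restore from PowerShell, as an added example that is not part of the original guide. It uses the ADCSAdministration module's Restore-CARoleService cmdlet with -DatabaseOnly (the key is on the HSM and the certificate is already bound to it), enforces the parent-folder rule from the note above, optionally verifies a hash manifest if one was recorded at backup time (assumed CSV format with RelativePath and SHA256 columns), and after starting certsvc checks that the CA's configured provider is not the software key storage provider. The backup path C:\CABackup and the manifest file name are assumptions.

```powershell
# Added example (not from the original guide): restore the CA database with
# the ADCSAdministration module and confirm the restarted CA uses the HSM.
# Assumed values: backup path C:\CABackup (parent of the DataBase folder),
# optional manifest backup-hashes.csv with RelativePath and SHA256 columns.
Import-Module ADCSAdministration

$backupPath = 'C:\CABackup'
$dbFolder   = Join-Path $backupPath 'DataBase'

# The restore path must be the parent of the database folder, not the folder itself.
if (-not (Test-Path $dbFolder)) {
    throw "$backupPath must be the folder that contains the DataBase folder"
}

# Integrity check of the copied backup, if a hash manifest is present.
$hashFile = Join-Path $backupPath 'backup-hashes.csv'
if (Test-Path $hashFile) {
    foreach ($entry in Import-Csv -Path $hashFile) {
        $file    = Join-Path $backupPath $entry.RelativePath
        $current = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($current -ne $entry.SHA256) { throw "Hash mismatch for $file; do not restore" }
    }
}

# Restore only the database and its log. The CA service must be stopped first;
# -Force overwrites the empty database created when the role was re-added.
Stop-Service -Name certsvc -ErrorAction SilentlyContinue
Restore-CARoleService -Path $backupPath -DatabaseOnly -Force

Start-Service -Name certsvc

# Verify the CA responds and that its configured CSP/KSP is not the software provider.
certutil -ping
if ($LASTEXITCODE -ne 0) { throw 'CA did not respond to certutil -ping' }

$provider = certutil -getreg CA\CSP\Provider
$provider
if ($provider -match 'Software Key Storage Provider') {
    throw 'CA is configured with the software key storage provider, not the HSM'
}
```

certutil -getreg CA\CSP\Provider reads the provider name the CA role was configured with when the certificate was selected in the Set Up Private Key window; seeing the HSM's provider there, together with a successful certutil -ping, confirms that signing now goes through the HSM.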