Appendix: Migrate an existing CA key from software storage to the KMES
This section shows you how to perform the following tasks to migrate a CA key to the KMES:

- Back up the CA database, CA certificate, and private key on the AD CS server.
- Remove the CA role service from the AD CS server.
- Import the private key into the KMES by using FXCLI.
- Restore the AD CS server.

## Back up the CA database, CA certificate, and private key

To back up the CA database, certificate, and private key on the AD CS server, you must use an account that is a CA administrator. On an enterprise CA, the default configuration for CA administrators includes the local Administrators group, the Enterprise Admins group, and the Domain Admins group. On a standalone CA, the default configuration for CA administrators includes the local Administrators group.

The following steps use the CA snap-in tool to back up the CA database and private key. If you prefer to complete these steps by using PowerShell or certutil.exe, see the following Microsoft knowledge base article: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v=ws.11)

1. Choose a backup location and attach media, if necessary.
2. Log on to the source CA.
3. Open the Certification Authority snap-in.
4. Right-click the node with the CA name, select All Tasks, and then select Back up CA.
5. In the Welcome window of the CA Backup Wizard, select \[ Next ].
6. In the Items to Back Up window, select the Private key and CA certificate and Certificate database and certificate database log check boxes, specify the backup location, and then select \[ Next ].
7. In the Select a Password window, type a password to protect the CA private key and select \[ Next ].
8. In the Completing the Backup Wizard window, select \[ Finish ].
9. After the backup completes, verify the following files in the location you specified:
   - `CAName.p12`, which contains the CA certificate and private key.
   - The `Database` folder, which contains the `certbkxp.dat`, `edb#####.log`, and `CAName.edb` files.
10. Open a command prompt window and enter `net stop certsvc` to stop the AD CS service. You should stop the service to prevent the issuance of additional certificates. If the source CA issues certificates after a database backup completes, repeat the CA database backup procedure to ensure the database backup contains all issued certificates.
11. Copy all backup files to a location that is accessible from the destination server, such as a network share or removable media.

## Remove the CA role service

Perform the following steps to remove the CA role service from the AD CS server:

1. In Server Manager, select \[ Manage ] in the top menu and select \[ Remove Roles and Features ].
2. In the Before You Begin section of the Remove Roles and Features Wizard, select \[ Next ].
3. In the Select Destination Server window, leave the default option selected and select \[ Next ].
4. In the Remove Server Roles window, select the Active Directory Certificate Services role. When prompted, select \[ Remove Features ].
5. Select \[ Next ] until you reach the Confirmation page, and then select \[ Remove ].
6. After the removal process completes, close the window and restart the server to finish removing the features.

## Import the private key into the KMES

This section shows you how to create a new, empty certificate container in the KMES application interface and then use the FXCLI KMES application to import the private key that you backed up from AD CS.

The following example connects to the System/Host API port of the KMES anonymously. Be sure to select the Allow Anonymous Connections checkbox for the System/Host API connection pair before trying to connect.

### Create a new certificate container

Perform the following steps to create a new certificate container on the KMES:

1. Log in to the KMES application interface with the default Admin identities.
2. Go to PKI > Certificate Authorities and select \[ Add CA ].
3. Specify a name for the certificate container and select \[ OK ].
4. Right-click the newly created certificate container and select \[ Permission ].
5. Grant the Microsoft ADCS role the Use permission.
6. Select \[ OK ] to save.

### Import the private key

Perform the following steps to import the Microsoft ADCS CA private key into the KMES by using FXCLI. You must import the Microsoft ADCS CA private key into the KMES as a PKCS #12 file. This imports both the private key and the certificate as a bundle, but Microsoft ADCS uses only the private key for operations.

1. Run the fxcli-kmes program to enter the Futurex command line interface, as shown in the following example:

   ```
   $ ./fxcli-kmes
   FXCL Command Line Interface version 1.8.12
   ```

2. Modify the FXCLI TLS configuration as shown in the following sample to connect anonymously:

   ```
   fxcli tls-config --anonymous=true
   result:
     status: success
     statusCode: 0
   tlsConfig:
     anonymous: true
     enabled: true
     verifyDepth: 0
     weakDigests: false
   ```

3. Run the following command to connect to the KMES:

   ```
   fxcli connect -c <KMES IP> 2001
   ```

4. Run the following command twice to log in with the two default Admin identities, and provide a username and password for each identity:

   ```
   fxcli login --user
   ```

5. Run the following command to import the private key of the CA into the KMES. Specify the name of the certificate container you created on the KMES with the `--tree` flag:

   ```
   fxcli pkcs12-import --tree "Microsoft ADCS" --file C:\Futurex\windows-server-ca.p12 --password safest --label "ADCS demo" --win-system-dacl
   ```

## Restore the AD CS server

This section shows you how to restore the AD CS server by performing the following tasks:

- Import the CA certificate.
- Re-add the CA role service.
- Restore the CA database and configuration.

### Import the CA certificate

Perform the following steps to import the CA certificate:

1. Start the Certificates snap-in for the local computer account.
2. In the console tree, double-click Certificates (Local Computer) and select Personal.
3. On the Action menu, select All Tasks and select Import to open the Certificate Import Wizard.
4. Select \[ Next ].
5. Locate the `<CAName>.p12` file created by the CA certificate and private key backup and select \[ Open ].
6. Type the password and select \[ OK ].
7. Select Place all certificates in the following store.
8. Verify that Personal displays in the Certificate store field. If you don't see it, select Browse, select Personal, and then select \[ OK ].

The imported CA certificate file was in PKCS #12 format, containing both the certificate and the private key. However, the private key should not exist in AD CS because it is stored on the HSM. The following steps delete both the private key and its association with the CA certificate.

1. In the console tree, double-click Personal > Certificates and select the imported CA certificate.
2. On the Action menu, select \[ Open ].
3. Go to the Details tab, copy the serial number to the clipboard, and select \[ OK ].
4. Open a command prompt, type `certutil -store My "{serialnumber}"`, and then press Enter.
5. From the output of the preceding command, copy the value that is in the Unique container name field to the clipboard.
6. Run the following command to delete the private key association with the CA certificate:

   ```
   certutil -delkey -csp KSP "{key container}"
   ```

7. Run the following command to delete the private key:

   ```
   certutil -delkey -csp KSP "{key name}"
   ```

   The key name value is the same as the certificate name, as shown in the Certificates snap-in.

8. Finally, associate the private key now stored on the HSM with the CA certificate stored in AD CS. Run the following command to repair the association between the imported CA certificate and the private key stored in the HSM:

   ```
   certutil -repairstore -csp "Futurex FXCL KMES CNG" My "2545a152bd9befa84b967ee57d3b6faf"
   ```

### Re-add the CA role service

Perform the following steps to re-add the CA role service by using Server Manager:

1. In the console tree, select Roles.
2. On the Action menu, select Add Roles.
3. In the Before You Begin window, select \[ Next ].
4. In the Select Server Roles window, select the Active Directory Certificate Services checkbox and select \[ Next ].
5. In the Introduction to AD CS window, select \[ Next ].
6. In the Role Services window, select the Certificate Authority checkbox and select \[ Next ].
7. In the Specify Setup Type window, specify either Enterprise or Standalone, to match the source CA. Then select \[ Next ].
8. In the Specify CA Type window, specify either Root CA or Subordinate CA, to match the source CA. Then select \[ Next ].
9. In the Set Up Private Key window, select Use existing private key and Select a certificate and use its associated private key.
10. In the Certificates list, select the imported CA certificate and select \[ Next ].
11. In the CA Database window, specify the locations for the CA database and log files. Select \[ Next ].
12. In the Confirmation window, review the messages and select \[ Configure ].

### Restore the CA database and configuration

After you reinstall the CA role service, perform the following steps, which use the CA snap-in tool to restore the CA database and configuration:

1. Start the Certification Authority snap-in.
2. Right-click the node with the CA name, select All Tasks, and then select Restore CA.
3. In the Welcome window, select \[ Next ].
4. In the Items to Restore window, select Certificate database and certificate database log.
5. Select \[ Browse ].
6. Navigate to the parent folder that holds the Database folder (the folder that contains the CA database files created during the CA database backup). Do not select the Database folder; select its parent folder.
7. Select \[ Next ] and then \[ Finish ].
8. Select \[ Yes ] to start the CA service (certsvc).
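As an added check that is not part of the Futurex guide, the following PowerShell script verifies the end state of the whole procedure on the restored AD CS server: the imported CA certificate is bound to a key served by the HSM's CNG provider rather than software storage, no container for the CA is left behind in the Microsoft Software KSP, and certsvc is running again. The serial number and provider name default to the values used in the repairstore example above; `$CaName` is a hypothetical container name used only for the leftover-key check, and the script assumes an RSA CA key.

```powershell
<#
  Post-migration verification (added example, not Futurex's or Microsoft's code).
  Run in an elevated Windows PowerShell session on the restored CA.
#>
param(
    [string]$SerialNumber     = '2545a152bd9befa84b967ee57d3b6faf',  # serial from the guide's example
    [string]$ExpectedProvider = 'Futurex FXCL KMES CNG',             # KSP name used with -repairstore
    [string]$CaName           = 'Contoso-Issuing-CA'                 # hypothetical; key name = certificate name
)

# 1. Locate the imported CA certificate in LocalMachine\My by serial number (hex, case-insensitive)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -ieq $SerialNumber }
if (-not $cert) { throw "No certificate with serial $SerialNumber in Cert:\LocalMachine\My" }

# 2. Resolve the private key through CNG. An HSM-backed key reports the vendor KSP as its provider;
#    a key still in software storage reports the Microsoft Software Key Storage Provider.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Certificate has no private-key association; re-run certutil -repairstore" }
if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
    throw "Key is a legacy CAPI key ($($rsa.GetType().Name)), not a CNG/KSP key"
}
$provider = $rsa.Key.Provider.Provider
if ($provider -ne $ExpectedProvider) {
    throw "Key provider is '$provider', expected '$ExpectedProvider' (key still in software storage?)"
}
Write-Host "OK: CA key '$($rsa.Key.KeyName)' is served by '$provider'"

# 3. Make sure the two certutil -delkey steps left no container with the CA's name in the software KSP
$leftover = certutil -csp KSP -key 2>$null | Select-String -SimpleMatch $CaName
if ($leftover) {
    Write-Warning "Microsoft Software KSP still lists a container matching '$CaName':`n$leftover"
} else {
    Write-Host "OK: no software-KSP container matching '$CaName'"
}

# 4. Confirm the CA service came back after the database restore
$svc = Get-Service -Name certsvc -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') { Write-Host "OK: certsvc is running" }
else { Write-Warning "certsvc is not running; start it after the database restore completes" }
```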