Appendix: Migrate an existing CA key from software storage to the KMES

11min
This section shows you how to perform the following tasks to migrate a CA key to the KMES Series 3:
Back up the CA database, CA certificate, and private key on the AD CS server.
Remove the CA role service from the AD CS server.
Import the private key into the KMES Series 3 by using FXCLI.
Restore the AD CS server.
Back up the CA database, CA certificate, and private key on the AD CS server
To back up the CA database, certificate, and private key, you must use an account that is a CA administrator. On an enterprise CA, the default configuration for CA administrators includes the local Administrators group, the Enterprise Admins group, and the Domain Admins group. On a standalone CA, the default configuration for CA administrators includes the local Administrators group.
The following steps use the CA snap-in tool to back up the CA database and private key. If you prefer to complete these steps by using Powershell or Certutil.exe, see the following Microsoft knowledge base article: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v=ws.11)﻿
1
Choose a backup location and attach media, if necessary.
2
Log on to the source CA.
3
Open the Certification Authority snap-in.
4
Right-click the node with the CA name, select All Tasks, and then select Back Up CA.
5
In the Welcome window of the CA Backup wizard, select [ Next ].
6
In the Items to Back Up window, select the Private key and CA certificate and Certificate database and certificate database log check boxes, specify the backup location, and then select [ Next ].
7
In the Select a Password window, type a password to protect the CA private key, and select [ Next ].
8
In the Completing the Backup Wizard, select [ Finish ].
9
After the backup completes, verify the following files in the location you specified:
CAName.p12, which contains the CA certificate and private key.
The database folder containing files certbkxp.dat, edb#####.log, and CAName.edb.
10
Open a command prompt window, and type net stop certsvc to stop the AD CS service.
You should stop the service to prevent the issuance of additional certificates. If the source CA issues certificates after a database backup completes, repeat the CA database backup procedure to ensure the database backup contains all issued certificates.
11
Copy all backup files to a location that is accessible from the destination server, such as a network share or removable media.
Remove the CA role service from the AD CS server
1
In Server Manager, select the Manage button in the top menu, then select [ Remove Roles and Features ].
2
In the Before you begin section of the the Remove Roles and Features Wizard, select [ Next ].
3
In the Select destination server window, leave the default option selected and select [ Next ].
4
In the Remove server roles window, select the Active Directory Certificate Services role.
5
When prompted, select [ Remove Features ].
6
Select [ Next ] until you reach the Confirmation page, and then select [ Remove ].
7
After the removal process completes, close the window and restart the server to finish removing the features.
Import the private key into the KMES Series 3
This section shows you how to create a new empty certificate container in the KMES application interface and then use the fxcli-kmes application to import the private key that you backed up from AD CS.
The following example connects to the System/Host API port of the KMES anonymously. Be sure to select the Allow Anonymous Connections checkbox for the System/Host API connection pair before attempting to connect.
Create a new certificate container on the KMES
1
Log in to the KMES application interface with the default Admin identities.
2
Go to PKI > Certificate Authorities and select [ Add CA ].
3
Specify a name for the certificate container and select [ OK ].
4
Right-click the newly created certificate container and select [ Permission ].
5
Grant the Microsoft ADCS role the Use permission. Select [ OK ] to save.
Import the Microsoft ADCS CA private key into the KMES by using FXCLI
You must import the Microsoft ADCS CA private key into the KMES as a PKCS #12 file. This imports both the private key and the certificate as a bundle, but Microsoft ADCS uses only the private key for operations.
1
Run the fxcli-kmes program to enter the Futurex Command Line Interface, as shown in the following example:
PowerShell
$ ./fxcli-kmes
FxCL Command Line Interface: Version 1.8.12
$ ./fxcli-kmes
FxCL Command Line Interface: Version 1.8.12
﻿
2
Modify the FXCLI TLS configuration file as shown in the following sample to connect anonymously:
FXCLI
tls config --anonymous=true
result:
    status: success
    statusCode: 0
tlsConfig:
    anonymous: true
    enabled: true
    verifyDepth: 0
    weakDigests: false
tls config --anonymous=true
result:
    status: success
    statusCode: 0
tlsConfig:
    anonymous: true
    enabled: true
    verifyDepth: 0
    weakDigests: false
﻿
3
Run the following command to connect to the KMES Series 3:
FXCLI
connect -c <KMES_IP>:2001
connect -c <KMES_IP>:2001
﻿
4
Run the following command twice to log in with the two default Admin identities and provide username and password for each identity:
FXCLI
login user
login user
﻿
5
Run the following command to import the private key of the CA into the KMES:
FXCLI
pkcs12 import --tree "Microsoft ADCS" --file C:\Futurex\WINDOWS-SERVER--CA.p12 --password safest --label "ADCS Demo" --win-system-dacl
pkcs12 import --tree "Microsoft ADCS" --file C:\Futurex\WINDOWS-SERVER--CA.p12 --password safest --label "ADCS Demo" --win-system-dacl
﻿
Specify the name of the certificate container you created on the KMES with the --tree flag.
Restore the AD CS server
This section shows you how to restore the AD CS server by performing the following tasks:
Import the CA certificate.
Re-add the CA role service.
Restore the CA database and configuration.
Import the CA certificate
1
Start the Certificates snap-in for the local computer account.
2
In the console tree, double-click Certificates (Local Computer) and select Personal.
3
On the Action menu, select All Tasks and select Import to open the Certificate Import Wizard. Select [ Next ].
4
Locate the <CAName>.p12 file created by the CA certificate and private key backup and select [ Open ].
5
Type the password and select [ OK ].
6
Select Place all certificates in the following store.
7
Verify Personal displays in the Certificate store. If you don't see it, select Browse, select Personal, then select [ OK ].
The imported CA certificate file was in PKCS #12 format, containing both the certificate and the private key. However, the private key should not exist in AD CS because it is stored on the HSM. The following steps delete both the private key and its association with the CA certificate.
8
In the console tree, double-click Personal Certificates and select the imported CA certificate. 
9
On the Action menu, select [ Open ]. Go to the Details tab, copy the serial number to the Clipboard, and select [ OK ].
10
Open a command prompt, type certutil -store My "{Serialnumber}, and then press ENTER.
11
From the output of the preceding command, copy the value that is in the Unique container name field to the clipboard.
12
Run the following command to delete the private key association with the CA certificate:
PowerShell
certutil -delkey -csp ksp "{Key Container}"
certutil -delkey -csp ksp "{Key Container}"
﻿
13
Run the following command to delete the private key:
PowerShell
certutil -delkey -csp ksp "{Key Name}"
certutil -delkey -csp ksp "{Key Name}"
﻿
The Key Name value is the same as the certificate name as shown in the Certificates snap-in menu.
14
Finally, associate the private key now stored on the HSM with the CA certificate stored in AD CS. Run the following command to repair the association between the imported CA certificate and the private key stored in the HSM:
PowerShell
certutil -repairstore -csp "Futurex CNG" My "2545a152bd9befa84b967ee57d3b6faf"
certutil -repairstore -csp "Futurex CNG" My "2545a152bd9befa84b967ee57d3b6faf"
﻿
Re-add the CA role service by using the server manager
1
In the console tree, select Roles.
2
On the Action menu, select Add Roles.
3
In the Before you Begin window, select [ Next ].
4
In the Select Server Roles window, select the Active Directory Certificate Services checkbox and select [ Next ].
5
In the Introduction to AD CS window, select [ Next ].
6
In the Role Services window, select the Certificate Authority checkbox and select [ Next ].
7
In the Specify Setup Type window, specify either Enterprise or Standalone, to match the source CA. Then select [ Next ].
8
In the Specify CA Type window, specify either Root CA or Subordinate CA to match the source CA. Then, select [ Next ].
9
In the Set Up Private Key window, select Use existing private key and Select a certificate and use its associated private key.
10
In the Certificates list, select the imported CA certificate and select [ Next ].
11
In the CA Database window, specify the locations for the CA database and log files. Select [ Next ].
12
In the Confirmation window, review the messages and select [ Configure ].
Restore the CA database and configuration
After you reinstall the CA role service, perform the following steps, which use the CA snap-in tool to restore the CA database and configuration:
1
Start the Certification Authority snap-in.
2
Right-click the node with the CA name, select All Tasks, and then select Restore CA.
3
In the Welcome window, select [ Next ].
4
In the Items to Restore window, select Certificate database and certificate database log.
5
Select [ Browse ]. Navigate to the parent folder that holds the Database folder (the folder that contains the CA database files created during the CA database backup).
Do not select the Database folder. Select its parent folder.
6
Select [ Next ] and then [ Finish ].
7
Select [ Yes ] to start the CA service (certsvc).
﻿
Updated 18 Oct 2024
Did this page help you?
Example of AD CS operations with the KMES Series 3
Red Hat Certificate System (RHCS)