Moving an Enterprise Root Certificate Authority


Baboon

I have an Enterprise Root Certificate Authority running on a Windows 2000
Standard, SP4 domain controller. I would like to move it to a Windows 2003
Enterprise R2, SP2 domain controller in the same domain.

I don't know if it's as simple as exporting and importing the configuration;
it seems that it might take more than that, since it is AD-integrated and it
will be on a server with a different name.

Can someone point me to an article and/or advise? I found an article on
moving an NT 4 CA, but I don't want to assume the steps are the same.

Thanks.
 
Hello,

To move a CA from a server that is running Windows 2000 Server to a server
that is running Windows Server 2003, you must first upgrade the CA server
that is running Windows 2000 Server to Windows Server 2003. We do not
support moving CA from Windows 2000 to Windows Server 2003.

The following steps are for moving a CA to a different server with the same OS:

Back Up and Restore the Certification Authority Keys and Database
-----------------------------------------------------------------

To back up the CA and restore it to a new server:

1. Back up the CA cryptographic keys and database to a central location.
This step can create a file that is named <CA_Name>.P12 (a password
protected file) that contains the private key of the CA, and a folder that
is named Database that holds the CA database and log files.
2. Back up the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>
3. Shut down the first server. (You must do this before you rename the new
server.)
4. Disconnect the old server from the network, either by removing the
network tap or by disabling all the active network interfaces.
5. Install Certificate Services on the new server. When you select the type
of CA to install, click to select the Advanced Install check box.
6. Click the <CA_Name>.P12 file from the central location, and then
continue with the CA Setup. The CA log and database file paths must be the
same on the new server as they had been on the outdated server. When you
have installed Certificate Services, the new CA is going to be
cryptographically the same as the outdated CA.
7. Start the CA Microsoft Management Console (MMC) snap-in, and then
restore the backup (to restore the database and log files).
8. Restore the backed up registry key.
9. After you verify the functionality of the new server, you can safely
remove Certificate Services from the outdated server. The CA cryptographic
keys must be deleted before you remove Certificate Services. Start the
Command Prompt and follow these steps:
a. Type "certutil -shutdown" (without the quotation marks) to stop
Certificate Services.
b. Type "certutil -key" (without the quotation marks) to list the
cryptographic keys installed on the server. In the list of keys, one entry
is the name of the Certificate Authority.
c. Type "certutil -delkey <CA Name>" (without the quotation marks).
If the name of the Certificate Authority contains spaces, enclose the CA
name in quotation marks.
d. Certificate Services can now be safely removed from the server.

NOTE: The database and log-file paths must be the same on both the new and
outdated servers. Also, the new server must have the same name as the
outdated server because the server name information is part of the
Authority Information Access (AIA) and CRL distribution point paths of all
previously issued certificates.


On the other hand, I suggest you just set up a new CA in the LAN and issue
certificates from the new Windows Server 2003 CA. Also, keep the old Windows
2000 CA. Because the new CA is configured to issue certificates, the old
Windows 2000 CA is only for certificate revocation and CRL publishing. When
all the certificates issued from this Windows 2000 CA have expired, you can
then disconnect the Windows 2000 CA.

Reference information:
===============================
How to move a certification authority to another server
http://support.microsoft.com/default.aspx?scid=kb;EN-US;298138

Hope it helps.

Have a nice day!

Mike Luo

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
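The steps in the reply above, together with the CRL-only alternative, as an added example: this is a PowerShell script written for this page, not code from the original post or from Microsoft. It assumes PowerShell 2.0 or later on both servers, that certutil.exe, reg.exe and net.exe are on the PATH, and that the CA name 'Contoso Root CA', the backup path D:\CABackup, the password, the default CRL file path and the per-template `certutil -SetCATemplates -<name>` syntax are placeholders and assumptions chosen for illustration.

```powershell
# Added example (not from the newsgroup reply or Microsoft): scripted form of
# the backup/restore steps above plus the "old CA publishes CRLs only" option.
# Assumptions: PowerShell 2.0+, certutil/reg/net on the PATH, and placeholder
# CA name, paths and password below.
param(
    [ValidateSet('backup', 'restore', 'crl-only')]
    [string]$Mode = 'backup',
    [string]$CaName     = 'Contoso Root CA',   # assumed CA name
    [string]$BackupRoot = 'D:\CABackup',       # assumed central location, no trailing backslash
    [string]$Password   = 'change-me',         # assumed; protects <CA_Name>.p12
    [string]$CrlPath    = "$env:SystemRoot\system32\CertSrv\CertEnroll\$CaName.crl"  # assumed default
)

$RegKey = "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

function Invoke-Tool {
    # Run an external tool and stop on failure rather than continuing with a
    # half-finished backup, restore or reconfiguration.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ToolArgs -join ' ') exited with $LASTEXITCODE" }
}

function Get-Sha256Hex([string]$Path) {
    $stream = [System.IO.File]::OpenRead($Path)
    try { $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream) }
    finally { $stream.Close() }
    return [System.BitConverter]::ToString($hash).Replace('-', '')
}

function Backup-CaForMove {
    # Steps 1-2 of the reply: keys and database (certutil writes <CA_Name>.p12
    # and a DataBase folder) plus the CertSvc configuration registry key.
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    Invoke-Tool 'certutil.exe' @('-p', $Password, '-backup', $BackupRoot)
    Invoke-Tool 'reg.exe' @('export', $RegKey, "$BackupRoot\CertSvc-Configuration.reg", '/y')
    # Keep the publication URLs for comparison on the new server: the AIA and
    # CDP paths already baked into issued certificates name this server.
    certutil.exe -getreg CA\CRLPublicationURLs    | Out-File "$BackupRoot\CRLPublicationURLs.txt"
    certutil.exe -getreg CA\CACertPublicationURLs | Out-File "$BackupRoot\CACertPublicationURLs.txt"
    # Manifest: the backup holds the root CA's private key, so check it has not
    # been altered in transit before the new server trusts it.
    $lines = foreach ($f in Get-ChildItem $BackupRoot -Recurse | Where-Object { -not $_.PSIsContainer }) {
        '{0}  {1}' -f (Get-Sha256Hex $f.FullName), $f.FullName.Substring($BackupRoot.Length + 1)
    }
    $lines | Out-File "$BackupRoot\manifest.sha256"
}

function Test-CaBackupManifest {
    $ok = $true
    foreach ($line in Get-Content "$BackupRoot\manifest.sha256") {
        $expected, $rel = $line -split '  ', 2
        if ((Get-Sha256Hex (Join-Path $BackupRoot $rel)) -ne $expected) {
            Write-Warning "Hash mismatch: $rel"; $ok = $false
        }
    }
    return $ok
}

function Restore-CaOnNewServer {
    # Steps 6-8: run after Certificate Services was installed on the renamed
    # server from <CA_Name>.p12 with the same database and log paths. The
    # service must be stopped for the database restore, and the registry key
    # is imported before it starts again so it comes up with the old settings.
    if (-not (Test-CaBackupManifest)) { throw 'Backup failed integrity check; not restoring.' }
    Invoke-Tool 'net.exe' @('stop', 'certsvc')
    Invoke-Tool 'certutil.exe' @('-f', '-restoreDB', $BackupRoot)
    Invoke-Tool 'reg.exe' @('import', "$BackupRoot\CertSvc-Configuration.reg")
    Invoke-Tool 'net.exe' @('start', 'certsvc')
    Invoke-Tool 'certutil.exe' @('-ping')     # the CA answers over RPC
    Invoke-Tool 'certutil.exe' @('-cainfo')   # name, type and CA certificate as expected
}

function Get-CrlNextUpdate([string]$Path) {
    # NextUpdate from certutil's dump; the date format follows the system locale.
    $line = certutil.exe -dump $Path | Where-Object { $_ -match 'NextUpdate:' } | Select-Object -First 1
    if ($line -match 'NextUpdate:\s*(.+)$') { return [DateTime]::Parse($Matches[1].Trim()) }
    throw "No NextUpdate found in $Path"
}

function Set-OldCaCrlOnly {
    # The alternative in the reply: the old CA stays online only to publish
    # CRLs. Remove every template so it can no longer issue (assumed
    # per-template -SetCATemplates syntax), then publish and check a fresh CRL.
    $names = certutil.exe -CATemplates | ForEach-Object { ($_ -split ':', 2)[0].Trim() } |
             Where-Object { $_ -and $_ -ne 'CertUtil' }
    foreach ($t in $names) { Invoke-Tool 'certutil.exe' @('-SetCATemplates', "-$t") }
    Invoke-Tool 'certutil.exe' @('-CRL')
    $next = Get-CrlNextUpdate $CrlPath
    if ($next -le (Get-Date).AddDays(1)) { Write-Warning "CRL at $CrlPath expires $next; schedule certutil -CRL" }
    else { Write-Host "Old CA is CRL-only; current CRL valid until $next" }
}

switch ($Mode) {
    'backup'   { Backup-CaForMove }
    'restore'  { Restore-CaOnNewServer }
    'crl-only' { Set-OldCaCrlOnly }
}
```

Run it with `-Mode backup` on the old server before it is shut down, copy the backup folder to the renamed server, and run `-Mode restore` there after installing Certificate Services from the .p12 as in step 6; `-Mode crl-only` is for the alternative path on the old CA (on Windows 2000, whose certutil lacks some of these verbs, the templates can be removed in the Certification Authority snap-in instead). The backup folder contains the root's private key: keep it on an access-controlled volume and delete it once the new server has been verified, and still finish with the `certutil -delkey` step from the reply on the old machine.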
 
Thanks much for the complete response.
I am going to go with your alternate suggestion, as I am not in a position
to easily rename the servers, since they are domain controllers and have
other network services as well.
 
Appreciate your response. If you need more help or have other concerns in
the future, just post back into the newsgroup. It is always our pleasure to
be of help. Have a nice day!

Mike Luo

 