I need some guidance on migrating PKI servers for a client to Windows Server 2025, specifically in a hospital environment where the infrastructure is critical. While I've gathered the necessary steps from various resources and Microsoft documentation, my team and I are quite inexperienced with CA services, and we can't test our approach due to budget limitations. I'm outlining our migration plan which includes careful checks to ensure that everything goes smoothly, primarily focusing on the Root Certification Authority and a domain-joined CA server. If anyone has experience with this type of migration, I'd appreciate your feedback or any tips you might have before we proceed!
3 Answers
Your migration steps look good! But there's no need to rename the new CA servers to match the old ones. You can adjust the registry settings you export instead. Just keep an eye on DNS records if the CRL is published via the web, especially on the domain-joined CA. Be aware of your database paths too, as I ran into issues when the client had moved their databases to a non-default location.
Thanks for the tip! I'll be careful with the paths and ensure I have those details down before migration.
Consider hardening the CA with a tool like Locksmith, which could help secure the migration process further. You can find it on GitHub.
Thank you for the suggestion! I’ll check it out after the migration.
You're right to be cautious here, especially since the CA is critical in a hospital setup. Your plan looks mostly good, but I’d suggest treating the offline root and the issuing CA as separate migrations with distinct checklists. The risks primarily with the root relate to losing keys or issues with CDP/AIA locations. Here are a few pointers:
1. Make sure to document all CDP and AIA locations and ensure they resolve post-migration.
2. Try restoring the CA database and registry to a test instance first to confirm it works correctly.
3. Check permissions on the config containers in AD, so the new server account can publish CRLs.
4. After migration, run some tests to ensure everything like auto-enrollment and revocation is functioning properly.
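A script for points 1 and 4 above, added here as an example and not something from the original thread: it reads the active CA's CRL and CA-certificate publication URLs from the AD CS registry configuration, expands the standard `%1`/`%2`/`%3` tokens, and checks that every HTTP CDP/AIA location still resolves and answers after the move. It assumes it is run as a local administrator on the new issuing CA, and treats `%4`/`%8`/`%9` as empty (the CA's first key and base CRL); LDAP locations are listed but not probed.

```powershell
# Added example (not from the thread): verify HTTP CDP/AIA locations of the active CA.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active      # active CA instance name
$props  = Get-ItemProperty -Path (Join-Path $cfg $caName)

# Values AD CS substitutes into publication URLs: %1 server DNS name, %2 short name, %3 CA name
$dnsName   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$shortName = $env:COMPUTERNAME

function Expand-PublicationUrl([string]$entry) {
    # Registry entries look like "2:http://pki.example.local/CertEnroll/%3%8%9.crl";
    # the number before the first colon is the flags field, the remainder is the URL.
    $url = $entry.Substring($entry.IndexOf(':') + 1)
    $url = $url.Replace('%1', $dnsName).Replace('%2', $shortName).Replace('%3', $caName)
    # Assumption: first CA key and base CRL, so certificate index and CRL suffix are empty.
    $url.Replace('%4', '').Replace('%8', '').Replace('%9', '')
}

# Strip the flags and keep only HTTP locations; file and LDAP entries are shown for the record.
$raw  = @($props.CRLPublicationURLs) + @($props.CACertPublicationURLs)
$all  = $raw | ForEach-Object { $_.Substring($_.IndexOf(':') + 1) }
$all | Where-Object { $_ -notlike 'http*' } | ForEach-Object { Write-Output "SKIP $_" }

$http = $raw | Where-Object { $_.Substring($_.IndexOf(':') + 1) -like 'http*' } |
        ForEach-Object { Expand-PublicationUrl $_ } | Sort-Object -Unique

foreach ($u in $http) {
    $hostName = ([uri]$u).Host
    try {
        $null = Resolve-DnsName -Name $hostName -ErrorAction Stop     # DNS still points somewhere?
        $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -ErrorAction Stop
        Write-Output "OK   $u (HTTP $($r.StatusCode))"
    } catch {
        Write-Output "FAIL $u : $($_.Exception.Message)"
    }
}
```

Run it once on the old CA to record the expected URLs, then again on the new server after the restore; any FAIL line is a DNS record or web publishing path that did not survive the migration.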
Thanks for your input! I’m adding those steps to our process and will ensure we have sufficient time between migrations to verify functionality. The suggestion to test with a different name first is really helpful!
Could you share the name of the tool you mentioned? It sounds really useful for ensuring we don’t miss anything!

Great advice! I’ll definitely clarify the naming issue on my checklist and check that article you linked.