- HOW TO UPDATE CA CERTIFICATES WINDOWS 2011 SBS 2011 SOFTWARE
- HOW TO UPDATE CA CERTIFICATES WINDOWS 2011 SBS 2011 WINDOWS
Subject: CN=CorpSubCA, DC=Contoso, DC=comĬertificate Template Name (Certificate Type): SubCA Issuer: CN=CorpRootCA, DC=Contoso, DC=com In a Command Prompt window, get the details of your CA certificates, by using the following command that you output to a file so that you can more easily make a note of the values for Cert Hash and Key Container, which you will need later: Certutil –store my >output.txtįor example, if you run Certutil –store my "CorpSubCA" >output.txt and then open the output.txt file, you will see output similar to the following for each CA certificate that you have (you will have more than 1 CA certificate if it’s been renewed):
HOW TO UPDATE CA CERTIFICATES WINDOWS 2011 SBS 2011 WINDOWS
In a Windows PowerShell session running with the Run as administrator option, run the following command to stop the CA service: Stop-service certsvc Do not select the option to perform an incremental backup.įor all server versions: Then, in a Command Prompt window, run the following command to back up the CA registry settings: reg export HKLM\SYSTEM\CurrentControlSet\services\CertSvc c:\\CAregistry.reg Choose the options to back up the private key and CA certificate, and certificate database and certificate database log. then choose All Tasks > Back Up CA and then follow the prompts in the wizard. If you prefer to use the Windows interface rather than these commands, from the Certification Authority console, right-click your CA. For example: Certutil –backup C:\CA-Backup For example: Backup-CARoleService –path C:\CA-Backup -Password (Read-Host -Prompt "Enter Password" -AsSecureString)įor Windows Server 2012: First, open a command window, and then run the Certutil command with the backup option. How to migrate a CA from a CSP to a KSP and optionally, from SHA-1 to SHA-2ĭo these steps on the existing enterprise or standalone CA.įor Windows Server 2012 R2: First, open a Windows PowerShell window with the Run as administrator option, and then use the Backup-CARoleService cmdlet. On a standalone CA, the default configuration for CA administrators includes the local Administrators group. On an enterprise CA, the default configuration for CA administrators includes the local Administrators group, the Enterprise Admins group, and the Domain Admins group. For example, this will be the case if you use a Hardware Security Module (HSM) to protect your CA key.įor all these procedures, you must use an account that is a CA administrator.
HOW TO UPDATE CA CERTIFICATES WINDOWS 2011 SBS 2011 SOFTWARE
If you use a CSP or KSP from another software or hardware vendor, contact the relevant vendor for the equivalent instructions. If your CA is running an earlier version of Windows Server, migrate to Windows Server 2012 or Windows Server 2012 R2 and then follow these instructions. Use these instructions for a software Cryptographic Service Provider (CSP) and software Key Storage Provider (KSP) that ships with Windows Server for the versions that are listed in the Applies To list at the top of this topic. For more information about Cryptography Next Generation, see Cryptography Next Generation.Īfter the migration, you can then reconfigure the CA to issue certificates by using the SHA-2 hash algorithm rather than the less secure hash algorithm of SHA-1.
0 kommentar(er)
