Install and restore the Certification Authority for Windows SBS 2011 Essentials migration

(You know that ADCert service we removed before? Now we’re putting it back after the dcpromo.)

 To install the Certification Authority
1.    On the Destination Server, click Start, point to Administrative Tools, and then click Server Manager.
2.    In the Roles Summary section, click Add Roles.
3.    On the Before You Begin page, click Next.
4.    On the Server Roles page, select Active Directory Certificate Services, and then click Next.


5.    On the Introduction to Active Directory Certificate Services page, click Next.
6.    On the Select Role Services page, select Certification Authority, and then click Next.


7.    On the Specify Setup Type page, select Standalone, and then click Next.

(Note: the screen originally said “Enterprise”, so make sure to choose Standalone.)
8.    On the Specify CA Type page, select Root CA, and then click Next.


9.    On the Set Up Private Key page, select Use existing private key, choose the Select a certificate and use its associated private key option, and then click Next.


10.    On the Select Existing Certificate page, select the <server name>-SERVER-CA certificate (where <server name> is the name of your Source Server), and then click Next.


11.    On the Select Existing Certificate page, click Next.


12.    Confirm your selections, and then click Install.


13.    When the wizard is finished, click Close, and then restart the server.
 To restore the Certification Authority
1.    Click Start, point to Administrative Tools, and then click Certification Authority.


2.    In the Certification Authority console tree, right-click <server name>-SERVER-CA (where <server name> is the name of your Source Server), click All Tasks, and then click Restore CA.


3.    On the Items to Restore page, select the items that you want to restore, and type or browse to C:\CA_Backup. On the Action menu, click All Tasks, and click Restore CA.

And hopefully you remember your password 🙂


4.    Follow the remaining instructions in the Certification Authority Restore Wizard.


 Configure CRL distribution list
1.    Click Start, point to Administrative Tools, and then click Certification Authority.
2.    Right click on the server and click Properties.


3.    Click the Extensions tab.
4.    In the list displayed, click on the entry http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl and ensure the following options are selected.
•    Include in CRLs. Clients use this to find the Delta CRL location.
•    Include in the CDP extension of issued certificates.


5.    Click Add, and in the location field type http://<ServerShortName>.local/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl (note: if your server domain is .lan, use that instead).
6.    Click OK.
7.    Click Add, and in the location field type http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl
8.    Click OK.
9.    Under the Extensions tab, perform the following steps:
a.    Click on the entry http://<ServerShortName>.local/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl and ensure the following options are selected:
•    Include in CRLs. Clients use this to find the Delta CRL location.
•    Include in the CDP extension of issued certificates.
b.    Click on the entry http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl and ensure that the following options are selected:
•    Include in CRLs. Clients use this to find the Delta CRL location.
•    Include in the CDP extension of issued certificates.
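
To confirm the result of the CRL distribution steps without clicking through the Extensions tab again, the PowerShell below (an added example, not part of the original post or of Microsoft's procedure) reads the CA's CRLPublicationURLs registry value and reports whether each HTTP entry has both options set. It assumes an elevated prompt on the Destination Server; the function and variable names are illustrative.

```powershell
# Added example. Each CRLPublicationURLs entry is stored as "<flags>:<location>",
# where <flags> is a decimal bitmask of the check boxes on the Extensions tab.
# The <CaName>-style variables appear in the registry as %n tokens (<CaName> is %3).
$AddToCertCdp     = 0x02   # "Include in the CDP extension of issued certificates"
$AddToFreshestCrl = 0x04   # "Include in CRLs. Clients use this to find the Delta CRL location."

function Test-CdpEntry {
    param([string[]]$Entries)
    foreach ($entry in $Entries) {
        # Split on the first colon only; the location itself contains colons.
        $flagsText, $url = $entry -split ':', 2
        if ($url -notmatch '^http://') { continue }   # skip the file and ldap locations
        $flags = [int]$flagsText
        # New-Object PSObject keeps this compatible with PowerShell 2.0.
        New-Object PSObject -Property @{
            Url            = $url
            InIssuedCerts  = [bool]($flags -band $AddToCertCdp)
            InCrlsForDelta = [bool]($flags -band $AddToFreshestCrl)
        }
    }
}

# The "Active" value names the CA whose configuration key holds the URL list.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$urls   = (Get-ItemProperty -Path (Join-Path $cfg $caName)).CRLPublicationURLs

$results = @(Test-CdpEntry -Entries $urls)
$results | Format-Table Url, InIssuedCerts, InCrlsForDelta -AutoSize

# The steps above should leave a .local (or .lan) entry and a DNS-name entry.
if ($results.Count -lt 2) {
    Write-Warning "Expected two HTTP entries, found $($results.Count)."
}
$bad = @($results | Where-Object { -not ($_.InIssuedCerts -and $_.InCrlsForDelta) })
foreach ($item in $bad) {
    Write-Warning "Missing one of the two options: $($item.Url)"
}
```

Certificates issued before the change keep the CDP they were issued with, so only certificates issued afterwards show the new locations.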

 
