Migrate an ADCS instance to Certdog
Applies to Certdog Version 1.5+
An existing ADCS instance (Microsoft CA) can be migrated to Certdog. This can include the existing CA keys and all issued certificates
You may choose to do this for reasons such as:
-
To replace your Microsoft CA in order to make the issuance and management of your certificates simpler
-
To host multiple CAs on the same instance of Certdog without having to maintain individual servers for each CA
-
You wish to decommission an existing Microsoft CA but want to maintain a fall back as well as the ability to keep producing CRLs
-
As a backup for an existing Microsoft CA
Migration can be achieved by following a few simple steps:
- Migrate the CA key and certificate to Certdog
- Import the issued certificates from the Microsoft CA database
- Configure Certdog to operate in the same way as the Microsoft CA (CRL generation periods etc.)
Step 1: Import the CA Certificate and CA Keys
If the CA to be imported is not a Root CA then the Root CA Certificate (and any other issuing CA Certificates) must be imported first, as follows:
In Certdog, select Certificates from the menu
Click the Import Certificate button and import the Root Certificate and any other Issuing CA certificates of the CA to be imported
Next we need to import the CA keys and certificate
Software Keys
Export the CA keys as a PFX and import into Certdog following the guide here
If your keys are not marked as exportable, see the guide here or contact support for options
HSM Stored Keys
If your keys are stored on an EnTrust nCipher HSM, we first need to re-target the keys (from the Microsoft format - CSP/CNG to the certdog format - PKCS11) as described here
Configure a PKCS#11 key store to reference the HSM. Follow the steps here to create the key store
Obtain the CA certificate (from the section above) as a PEM formatted file (e.g. ca.cer) as we will need this for the next steps
Open a PowerShell window as Administrator, navigate to your [certdog install]\bin folder
Import the certdog powershell module, as follows:
PS C:\certdog\bin> Import-Module .\certdog-module.psm1
Login with an admin account:
PS C:\certdog\bin> login
Username: certdogadmin
Password: *************
Attempting login at: https://cd1.krestfield.io/certdog/api
Authenticated OK
PS C:\certdog\bin>
List the available key stores
PS C:\certdog\bin> Get-KeyStores | Format-Table -Property id, name, keyStoreType
id name keyStoreType
-- ---- ------------
613216278e7ff6189decc909 Software 1 SOFTWARE
616f205944736e513d32fb34 PKCS11 PKCS11
And note the id of the one you created above. i.e. the key store that references the same HSM as the Microsoft CA (e.g. 616f205944736e513d32fb34)
Now we will import the CAs keys into certdog. We need to provide a name for this new CA, the CA certificate (ca.cer) and the key store id we obtained from the step above. E.g.
PS C:\certdog\bin> Import-LocalCAKeyFromKeyStore -name "Krestfield CA1" -caCertFilename ca.cer -keyStoreId 616f20d044736e513d32fb38
The created CA details will then be displayed
If you see an error such as:
There was an error importing the private key for certificate Krestfield CA1. No key found that matches certificate. Tried 2 private keys
This indicates that either
- The Key Store configured is not the same Key Store/HSM on which the CA keys reside
- The CA Key has not been migrated. Follow the guide here to do this
- The Key does not reside on this HSM or Security World. If you are performing this on a new server to which you have copied the Security World, check all files in the
Key Management Data\localfolder are present (have been copied from the old server)
Step 2: Import the CA database
We need to extract the certificates from the Microsoft database and then imported into Certdog. This ensures that all previously issued certificates and their status (whether revoked or active) will be available in Certdog
Follow the instructions here on how to export and import the CA database
Step 3: Complete the Configuration
The following information needs to be configured in your newly imported CA:
-
AIA OCSP Locations
-
AIA Issuer Cert Locations
-
CRL Distribution Points
-
The CRL lifetime and generation period
To obtain this information, from your Microsoft CA snapin, right click the CA name and select Properties
Select the Extensions tab
For the CRL Distribution Point (CDP) extension, note the http and file locations of all entries where the
Include in the CDP extension of issued certificates
option is ticked
For the Authority Information Access (AIA) extension note all entries where the following options are ticked
Include in the AIA extension of issued certificates
Include in the online certificate status protocol (OCSP) extension
From Certdog, locate your imported Local CA by navigating to Local CAs > CA Configuration from the menu, then clicking your CA and click View/Edit
For each of the Include in the online certificate status protocol (OCSP) extension items add an entry for AIA OCSP Locations. Remember to comma separate each entry e.g. http://server1.com/ocsp,http://server2.com/ocsp
For each of the Include in the AIA extension of issued certificates items add an entry for AIA Issuer Cert Locations. Remember to comma separate each entry
If you have any entries for Include in the CDP extension of issued certificates then check the Generate CRLs option. For each of the Include in the CDP extension of issued certificates items add an entry for CRL Distribution Points, Again, remembering to separate each entry with a comma (if there are multiple)
For the CRL Filename, ensure that the filename matches that from the CDP extension
From your Microsoft CA, click the Revoked Certificates folder and note the CRL Publication Interval. Set this to be the CRL Lifetime in Certdog
Set the CRL Generation Period to be a value less than this period. This could be 10% less or more to ensure there is adequate overlap of when a new CRL will be available before the old CRL expires
Once all configuration is complete. Click Update to apply the settings