UTools for Windows System Administrators
UMove Help

Moving the Certificate Services Database

What is Certificate Services?

A certificate server (sometimes called a Certificate Authority or CA) generates public key certificates for installation on secure web servers. A secure web server presents its certificate to visiting web browsers to prove the identity of the web server to the browser's satisfaction. Certificates are used to set up the Secure Sockets Layer (SSL) protocol, which encrypts sensitive information such as credit card numbers in transit. SSL underlies the HTTPS (HTTP Secure) protocol used to access secure URLs such as https://secure.site.com.

Certificates are based on a “chain of trust” from the web server up to the CA. The web server presents a certificate that has been signed by the CA. The web browser verifies that signature against the CA certificate previously installed in the web browser. This proves the identity of the web server to the web browser.

To create a public secure web server on the Internet, you must purchase a web-server certificate that is signed by a trusted third-party public CA such as VeriSign. Microsoft pre-installs into Windows the trusted root certificates for public CAs such as VeriSign.

For internal use your enterprise might want to act as a private CA. A private CA can sign its own certificates, for example to create internal secure web servers (not on the Internet). Microsoft's Certificate Services is designed primarily for private use. It is not meant to be used to create a public certificate for a web server on the Internet.

To generate private SSL certificates your enterprise can use Microsoft's Certificate Services to act as the private CA for your organization. Certificate Services is typically installed on only one server for the entire organization.

Computer name and other information are not important

When you install Certificate Services you will see a message warning you not to change the name of the computer. You can safely ignore this warning. UMove copies all information needed to move Certificate Services to the new computer: the computer name, the Certificate Services database (C:\Windows\System32\certsrv\*), and all required encryption keys.

To move the Certificate Services database you must first install Certificate Services on the destination computer. (UMove will remind you if you forget.) The Microsoft installer for Certificate Services will ask you several questions; for example, you will be asked the name of your organization. For each question, type in a dummy answer and click Next. The answers are not important because UMove will copy all of the CA information from the source computer, overwriting all of your answers.

Manual copy of CA is incomplete

Microsoft Knowledge Base article KB283193 describes how to manually copy the Certificate Services database. However, the article omits copying the enterprise private key. The CA needs that private key to sign the certificates it issues to web servers.

To work around this problem, UMove automatically copies all information needed to move the entire Certificate Services database to the destination computer, including the CA database and the enterprise private key.
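Whichever way the CA was moved, the check an administrator wants afterwards is that the CA certificate on the destination computer still has its private key and that the pair matches. The following PowerShell script is an added example, not part of UMove or of this help page; it assumes the CA's common name is passed in as $CaCommonName (the value 'Example Private CA' is a placeholder) and that it is run in an elevated PowerShell session on the destination computer after Certificate Services has been moved.

```powershell
# Added example, not UMove's code. Verifies on the destination server that the
# CA certificate and its private key are both present and match, which is the
# part a manual copy per KB283193 leaves out.
# Assumption: $CaCommonName is the CN given to the CA at install time; replace it.
param([string]$CaCommonName = 'Example Private CA')

# 1. The CA's own certificate is kept in the machine's Personal store.
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaCommonName*" } |
    Select-Object -First 1

if (-not $caCert) {
    Write-Warning "No certificate with CN=$CaCommonName found in Cert:\LocalMachine\My."
    return
}

# 2. HasPrivateKey is $false when only the public certificate was copied over.
if (-not $caCert.HasPrivateKey) {
    Write-Warning "CA certificate $($caCert.Thumbprint) is present but its private key is missing; the CA cannot sign."
    return
}

# 3. certutil -verifykeys asks Certificate Services itself whether the
#    configured CA certificate and private key belong together.
$output = certutil -verifykeys 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil -verifykeys reported a problem:`n$output"
    return
}

Write-Output "CA '$CaCommonName' (thumbprint $($caCert.Thumbprint)) has a matching private key."
```

If step 2 or step 3 fails, the database may have been copied but the CA cannot issue certificates until the private key is restored from the source computer; the script only reports, it changes nothing.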

How to Move the Certificate Services Database