CA – 如何沿用之前的 pfx key 去重建 Root Ent CA


1. 使用 AdsiEdit.msc 工具去把 AD 裡的 CA 相關資料刪除,詳細步驟請參考下面的 "Cleanup the original CA information from Active Directory"

2. Site 裡的 DC 進行立即同步複寫

3. 安裝新的伺服器,伺服器名稱 "必須" 跟之前的 CA 一模一樣,加入網域

4. 安裝CA 原件,詳細步驟請參考下面的 "To restore the root CA"

To restore the root CA


If you have the backup of the original root CA certificate and the private key, we can rebuild the root CA using the original root CA certificate.

To do that, please perform the following steps:

1. Rebuild the server with the same computer name and IP address. Open add/remove program to install the certificate service again.

2. On the Windows Components Wizard, select the check box of the certificate services and click next.

3. Select stand-alone Root CA radio box on the CA type dialog box, make sure you select the "use custom settings to generate the key pair and CA certificate" check box and click next.

4. On the public and private key pair dialog box, select "use an existing key" check box. Click the import button to import the original private key (.pfx file).

After the key is listed, click it, make sure "use the certificate associated with this key" check box is selected and click next.

5. On the CA Identifying Information dialog box, type the name of the root CA the same as the original one and click next. Follow the wizard to install the certificate service.

6. Use NT backup to backup the system status. The certificate service and the CA database will be backed up.

Cleanup the original CA information from Active Directory


When Microsoft Certificate Services is installed on a server that is a member of a domain, several objects are created in the configuration container in Active Directory. These objects are the following:

  - certificateAuthority object

    Located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain. 

    Contains the CA certificate for the CA. 

    Published Authority Information Access (AIA) location. 

  - crlDistributionPoint object

    Located in CN= ServerName ,CN=CDP,CN=Public Key Service,CN=Services,CN=Configuration,DC=ForestRootDomain. 

    Contains the CRL periodically published by the CA. 

    Published CRL Distribution Point (CDP) location.

  - certificationAuthority object

    Located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain. 

    Contains the CA certificate for the CA. 

  - pKIEnrollmentService object

    Located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain. 

    Created by the enterprise CA. 

    Contains information about the types of certificates the CA has been configured to issue. Permissions on this object can control which security principals can enroll against this CA.

1. Please use the ADSIEDIT.msc from Windows Support Tools to remove all references to the crashed CA. Please pay attention to this operation as you only need to remove the CA references but NOT the containers themselves.

2. When you finish the above operation, please force the Active Directory replication to occur among your domain controllers to ensure the cleanup operation is replicated properly.

Comments (0)

Skip to main content