Summary: Thomas Rayner, Microsoft Cloud & Datacenter Management MVP, shows how to back up your Windows certification authority as a part of migrating from CSP to KSP and from SHA-1 to SHA-256.
Hello! I’m Thomas Rayner, a proud Cloud & Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. You can find me on Twitter (@MrThomasRayner) or on my blog, Working Sysadmin: Figuring stuff out at work.
I recently had the chance to work with Microsoft PFE Mike MacGillivray on an upgrade of some Windows certification authorities, and I want to share some information about it with you. This script has only been tested on Windows Server 2012 and later.
Note: This is a five-part series that includes the following posts:
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 1
Explore why you may need to perform this work, configure logging, and set up variables.
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 2
Back up your certification authority (CA) and test the script.
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 3
Delete the certificate and crypto provider so they can be rebuilt as a KSP and SHA-256 solution.
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 4
Import keys and certificate into a KSP.
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 5
Modify the registry for SHA-256.
Before you do anything else, let’s back up what you’ve already got.
Backing out of this change isn’t going to be desirable, but maybe you want to test it a few times in your lab before running this script we’re writing. Any way you look at it, backing up is a great idea before you do any significant change. It’s not the worst idea to run this periodically, even when you’re not planning to do any wild and crazy Windows CA work like we are this week.
The first thing we’re doing today is backing up your certificate database and your certificate. This might be a root certificate or an issuing CA certificate, depending on what kind of CA you’re working on, but the command is the same.
cmd.exe /c "certutil -p $($Password) -backup $("$Drivename\$Foldername")"
Add-LogEntry $Logpath 'Saved CA database and cert'
The backup command is pretty easy using certutil. I’m specifying where I want the backup with the -backup parameter and giving the password with -p. I’m wrapping my variables in $( ) subexpressions to help me if I’ve got spaces or weird characters to worry about. Of course, I’m logging this activity by using the logging function I presented yesterday.
There are a bunch of registry settings that are going to get changed when this work is performed, so let’s back those up too:
cmd.exe /c "reg export hklm\system\currentcontrolset\services\certsvc\configuration $("$Drivename\$Foldername")\CA_Registry_Settings.reg /y"
Add-LogEntry $Logpath 'Saved reg keys'
This is a reg.exe command to export the entire configuration key for our certificate service. We’re storing it in our working directory as “CA_Registry_Settings.reg.”
How about your certificate revocation lists (CRLs)? You don’t want to lose those either. Copy anything with a .crl extension in C:\Windows\System32\certsrv\certenroll into the backup folder:
Copy-Item -Path 'C:\Windows\System32\certsrv\certenroll\*.crl' -Destination "$Drivename\$Foldername"
Add-LogEntry $Logpath 'Copied CRL files'
If you’ve got an Enterprise CA with certificate templates, you’ll want to back those up too. If you don’t, this command will return a message reflecting that. There’s no harm leaving it in. I’m going to save the templates in Published_templates.txt in my working directory:
cmd.exe /c 'certutil -catemplates' | Out-File -FilePath "$Drivename\$Foldername\Published_templates.txt"
Add-LogEntry $Logpath 'Got list of published cert templates'
Now we’re backed up. I’m going to wrap the whole thing in a Try/Catch block and add a little more logging information:
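As an added example (my own wrapper, not the script from the original post), here are the four backup steps above combined into one function with Try/Catch, exit-code checks on the native tools, and a final check that the exported .p12 actually exists. It assumes the Add-LogEntry function from Part 1 is already defined in the session and that the backup folder is new or empty, which certutil -backup expects.

```powershell
function Backup-CAState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Drivename,
        [Parameter(Mandatory)] [string]$Foldername,
        [Parameter(Mandatory)] [string]$Password,   # protects the exported CA private key
        [Parameter(Mandatory)] [string]$Logpath     # log file used by Add-LogEntry (assumed, from Part 1)
    )

    # certutil -backup wants an empty target directory, so create it fresh if needed
    $BackupDir = Join-Path $Drivename $Foldername
    if (-not (Test-Path $BackupDir)) {
        New-Item -Path $BackupDir -ItemType Directory | Out-Null
    }

    try {
        # 1. CA database and certificate: certutil writes <CAName>.p12 plus a DataBase folder
        & certutil.exe -p $Password -backup $BackupDir | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }
        Add-LogEntry $Logpath 'Saved CA database and cert'

        # 2. Registry configuration of the certificate service
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
            (Join-Path $BackupDir 'CA_Registry_Settings.reg') /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
        Add-LogEntry $Logpath 'Saved reg keys'

        # 3. Published CRLs (Stop so a copy failure lands in the catch block)
        Copy-Item -Path 'C:\Windows\System32\certsrv\certenroll\*.crl' -Destination $BackupDir -ErrorAction Stop
        Add-LogEntry $Logpath 'Copied CRL files'

        # 4. Published templates; on a standalone CA certutil just reports that there are none
        & certutil.exe -catemplates | Out-File -FilePath (Join-Path $BackupDir 'Published_templates.txt')
        Add-LogEntry $Logpath 'Got list of published cert templates'

        # The .p12 is the part you cannot recreate, so refuse to report success without it
        if (-not (Get-ChildItem -Path $BackupDir -Filter '*.p12')) {
            throw "No .p12 file found in $BackupDir after backup"
        }
        Add-LogEntry $Logpath "Backup verified in $BackupDir"
        return $true
    }
    catch {
        Add-LogEntry $Logpath "Backup FAILED: $($_.Exception.Message)"
        throw
    }
}
```

Because the .p12 contains the CA private key, treat the backup folder with the same care as the CA itself: restrict its ACL and keep the password out of the log file.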
Now that we’re backed up, we’re ready to make some real changes to your PKI environment. Upgrading from CSP to KSP and SHA-1 to SHA-256 is a pretty involved process, but we’re ready to get our hands dirty now. Join me tomorrow when I’ll cover safely deleting the existing certificates and keys from your CA.
If you are in a big hurry and want the full script, you can find it on my blog: Upgrade Windows Certification Authority from CSP to KSP and from SHA-1 to SHA-256. I’d sincerely recommend reading all of the posts in this series first, though, so you understand what it is you’re running.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. Also check out my Microsoft Operations Management Suite Blog. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy