MGC Certificate Services and IAS
initially, stuff from the notes….
This is the result of a rather nasty situation we were faced with at MGC.
It's very easy to set up and use MS Certificate Services on your network for all sorts of things. In our case, securing a front-end Exchange server's SSL and PEAP-based wireless clients. There are plenty of online 'how-tos'; it's a cinch. However, when something goes wrong or has to be changed, and you actually need to understand how MS's PKI works, that's when you enter hell.
The situation at MGC
The server which ran Certificate Services needed to be decommissioned, partly due to age and partly due to regular blue-screening. We obviously required minimal downtime, since wireless is used constantly by staff and students and is an essential service. For the same reason, we didn't want to start from scratch and have to deploy new certificates.
Previous Attempts
Armed with a little knowledge, previous attempts were made to move Certificate Services to a new computer. Mainly this involved setting up a new enterprise certificate server, attempting various types of certificate transfer, and shutting down the old one.
Problem #1
Certificate Services can never be moved from the server it was first set up on.
Problem #2
Actually understanding Microsoft's public key infrastructure would take way more time than we have.
Steps to move Certificate Services and IAS to a new server.
old = original cert server
new = new cert server we are making
‘hera’ = name of cert server (substitute your own)
Read these Microsoft KBs: KB555012, KB298138.
- back up old 'hera' using Ghost or similar.
- as per KB298138, at old 'hera':
  - back up the CA database and the private key using the CA snap-in
  - back up the registry settings for the CA
  - put these on the network in a restricted area.
- install Windows Server 2003 (R2 if you've got it) on the new server:
  - name the new server 'newhera'
  - don't join it to the domain yet
  - don't install Certificate Services or IAS yet
  - copy the i386 folder to c:\
- uninstall Certificate Services from old 'hera'
- run dcpromo on old 'hera' to return it to being a member server.
- remove old 'hera' from the domain
- turn off old 'hera'
- remove secret Enterprise Root CA information from Active Directory
- rename 'newhera' to 'hera'
- join new 'hera' to the domain
- dcpromo new 'hera'
  - needs to be a domain controller for Certificate Services to be 'Enterprise' (I think)
- install Internet Authentication Service (IAS), aka RADIUS
  - just use the defaults…
- install Certificate Services
  - when you get to the step "CA Type", take note:
    - if "Enterprise root CA" is already selected, everything is OK, go ahead
    - if it's not, Windows will let you select it and appear to install your "Enterprise root CA", but it won't work! This is because somewhere on your domain, Active Directory believes there is already an "Enterprise root CA". You need to go back to the "remove secret Enterprise Root CA information" step and make sure that all references to the original server have been removed.
  - follow the defaults for installation, except:
    - choose custom settings to generate the key pair and CA certificate
    - then choose Import and browse to where you saved the private key from the old CA
- run the .reg file you created from the old CA to install its settings
- get the CA snap-in up in an MMC
- click to show the domain root CA
- right-click on it and choose All Tasks > Restore CA…
- browse to where you backed up the old CA's database
- configure IAS
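The snap-in backup on the old server and the restore on the new one can also be scripted with certutil.exe and reg.exe. This is an added example written for these notes, not MGC's or Microsoft's code; it assumes the CA host is named 'hera', that the restricted share is \\fileserver\pki-backup, and that the password protecting the exported private key is in the CA_BACKUP_PWD environment variable, and it adds the Enterprise Root check that the "CA Type" step above warns about:

```batch
@echo off
rem Added example, not from the original notes: the CA snap-in backup/restore steps
rem scripted with certutil.exe and reg.exe, both shipped with Windows Server 2003.
rem Assumptions: the CA host is 'hera', the restricted share is \\fileserver\pki-backup,
rem and the password protecting the exported private key is in CA_BACKUP_PWD.
rem   cabackup.cmd backup    on OLD hera, before Certificate Services is uninstalled
rem   cabackup.cmd restore   on NEW hera, after Certificate Services is installed
setlocal
set BACKUPDIR=\\fileserver\pki-backup\hera-ca
set CAREG=HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
if "%CA_BACKUP_PWD%"=="" (echo CA_BACKUP_PWD is not set & exit /b 1)
if /i "%1"=="backup" goto backup
if /i "%1"=="restore" goto restore
echo usage: %~nx0 backup ^| restore
exit /b 1
:backup
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"
rem -backup writes the CA database plus the CA certificate and private key (PKCS#12, protected by -p).
certutil -p "%CA_BACKUP_PWD%" -backup "%BACKUPDIR%"
if errorlevel 1 goto fail
rem This .reg file is "the registry settings for the CA" that get run on the new server.
reg export "%CAREG%" "%BACKUPDIR%\certsvc-configuration.reg"
if errorlevel 1 goto fail
rem Record the CA name so the restore can be checked against it.
certutil -cainfo name > "%BACKUPDIR%\caname-old.txt"
echo backup written to %BACKUPDIR%
exit /b 0
:restore
net stop certsvc
reg import "%BACKUPDIR%\certsvc-configuration.reg"
if errorlevel 1 goto fail
rem -restore needs the service stopped; -f overwrites the empty database the install created.
certutil -p "%CA_BACKUP_PWD%" -f -restore "%BACKUPDIR%"
if errorlevel 1 goto fail
net start certsvc
if errorlevel 1 goto fail
rem Check 1: CA type must be Enterprise Root; otherwise stale objects for the old server
rem are probably still in Active Directory (the "CA Type" warning in the notes above).
certutil -cainfo type | findstr /i /c:"Enterprise Root" >nul
if errorlevel 1 (echo CA type is not Enterprise Root - check Active Directory & goto fail)
rem Check 2: the restored CA carries the same CA name as the backed-up one.
certutil -cainfo name > "%BACKUPDIR%\caname-new.txt"
fc "%BACKUPDIR%\caname-old.txt" "%BACKUPDIR%\caname-new.txt" >nul
if errorlevel 1 (echo CA name differs from the backed-up CA & goto fail)
echo restore complete and verified
exit /b 0
:fail
echo FAILED - see output above
exit /b 1
```

Run the backup half before uninstalling Certificate Services on the old server, and the restore half on the new server only after the install wizard has reached "Enterprise root CA" and the imported private key.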
