

Migrate Online Responder to new server

Question

Thursday, June 21, 2018 8:51 PM

We recently migrated our Windows Server 2008 R2 CA to a new server running Windows Server 2016.  We also have a different 2008 R2 server running the Online Responder portion of the certificate services role that we need to migrate to a new 2016 server as well.  The new server will keep the same DNS name and IP.  What is the procedure to migrate the online responder to the new 2016 server?  What all needs to be backed up and migrated?  I have looked for information on that but haven't found anything.

Thanks.

All replies (1)

Thursday, June 21, 2018 9:00 PM

There is no such procedure apart from uninstall -> install new. This will require rebuilding all revocation configuration.

If you can change the OCSP server name (the URL included in the issued certificates SHALL NOT rely on actual host names), then you can do the following:

1) Install the OCSP role.

2) Join it to the existing OCSP server array. Propagate the revocation configuration from the existing array controller.

3) Promote the new OCSP server to array controller.

4) Decommission the old OCSP server.

It is similar to replacing domain controllers: add new, replicate, remove old.

Vadims Podāns, aka PowerShell CryptoGuy
My weblog: www.sysadmins.lv
PowerShell PKI Module: PSPKI
Check out new: SSL Certificate Verifier
Check out new: PowerShell File Checksum Integrity Verifier tool.
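
The array-based path in the reply above depends on the OCSP URL in issued certificates not being the responder's real host name. The following is an added example, not part of the original reply, that reads the OCSP URL from a certificate's Authority Information Access extension and reports whether it is tied to the old server's name. The function name `Test-OcspUrlHostBinding`, the file path and the host name in the usage comment are hypothetical, and the parsing assumes the text layout Windows produces for the AIA extension.

```powershell
# Added example: does the OCSP URL in an issued certificate depend on the
# old responder's actual host name? Test-OcspUrlHostBinding is a hypothetical name.
function Test-OcspUrlHostBinding {
    param(
        [Parameter(Mandatory)][string]$CertPath,           # certificate issued by the CA (.cer)
        [Parameter(Mandatory)][string]$OldResponderFqdn    # real host name of the old responder
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # 1.3.6.1.5.5.7.1.1 = Authority Information Access (AIA) extension
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if (-not $aia) { throw "Certificate has no AIA extension: $CertPath" }

    # Assumption: on Windows, Format($true) renders one "[n]Authority Info Access"
    # block per access description, with the method OID and a "URL=" line.
    $blocks = $aia.Format($true) -split '\[\d+\]'

    # 1.3.6.1.5.5.7.48.1 = OCSP access method; skip the CA Issuers entries
    $ocspBlocks = $blocks | Where-Object { $_ -match '1\.3\.6\.1\.5\.5\.7\.48\.1' }
    if (-not $ocspBlocks) { throw "AIA extension contains no OCSP URL" }

    $oldShortName = ($OldResponderFqdn -split '\.')[0]

    foreach ($block in $ocspBlocks) {
        foreach ($m in [regex]::Matches($block, 'URL=(\S+)')) {
            $url     = $m.Groups[1].Value
            $uriHost = ([uri]$url).Host
            [pscustomobject]@{
                OcspUrl           = $url
                UrlHost           = $uriHost
                # True means issued certificates point at the server's own name,
                # so the name must be preserved when the server is replaced.
                TiedToOldHostName = ($uriHost -ieq $OldResponderFqdn) -or
                                    ($uriHost -ieq $oldShortName)
            }
        }
    }
}

# Usage (constructed values):
#   Test-OcspUrlHostBinding -CertPath .\issued.cer -OldResponderFqdn 'ocsp01.corp.example'
# After the new array controller is in place, confirm revocation checking end to end:
#   certutil -verify -urlfetch .\issued.cer
```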