echo: nthelp
to: Geo
from: Peter Sawatzki
date: 2005-01-03 08:59:22
subject: Re: moving Certificate Authority to new system
Geo,

you might add the following link/info - notice I had to modify 1. and 7. to
make it work for me:

How to move a certification authority to another server

//1. Back up the CA cryptographic keys and database to a central location. This
step can create a file that is named CA_Name.P12 (a password protected file)
that contains the private key of the CA, and a folder that is named Database
that holds the CA database and log files.
1. Back up the CA cryptographic keys, stop the CA and copy system32/cert and
system32/certlog to a safe place.
2. Back up the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA Name
3. Shut down the first server. (You must do this before you rename the new
server.)
4. Disconnect the old server from the network, either by removing the network
tap or by disabling all the active network interfaces.
5. Install Certificate Services on the new server. When you select the type of
CA to install, click to select the Advance Install check box.
6. Click the CA_Name.P12 file from the central location, and then continue with
the CA Setup. The CA log and database file paths must be the same on the new
server as they had been on the outdated server. When you have installed
Certificate Services, the new CA is going to be cryptographically the same as
the outdated CA.
//7. Start the CA Microsoft Management Console (MMC) snap-in, and then restore
the backup (to restore the database and log files).
7. Copy System32\Cert and System32\CertLog to the new server.
8. Restore the backed up registry key.
9. After you verify the functionality of the new server, you can safely remove
Certificate Services from the outdated server. The CA cryptographic keys must
be deleted before you remove Certificate Services. Start the Command Prompt and
follow these steps:
  a. Type certutil -shutdown to stop Certificate Services.
  b. Type certutil -key to list the cryptographic keys installed on the
server. In the list of keys, one entry is the name of the Certificate Authority.
  c. Type certutil -delkey CA Name. If the name of the Certificate
Authority contains spaces, enclose the CA name in quotation marks.
  d. Certificate Services can now be safely removed from the server.

(http://support.microsoft.com/default.aspx?scid=kb;en-us;298138)


In article , georger{at}nls.net says...
> Cool, I haven't messed much with doing that sort of thing but I'm going to
> copy that on my nthelp website because there are probably a bunch of folks
> who would find it useful.
>
> Geo.
>
> "Peter Sawatzki"  wrote in message
> news:MPG.1c41f3dfd128b2cd989742{at}news.barkto.com...
> > Geo,
> >
> > I have asked here some time ago about how to move our Win2003 AD
> > Controller with Enterprise Certificate Authority to new hardware and
> > whether using a backup/restore of the whole system is the only option
> > for doing this. Because doing the restore on the new system was
> > problematic, I tried a different approach successfully and this seems to
> > me the cleaner method. Here is how I did it:
> >
> >  - export private key of Certificate Authority of MYDC system using MMC
> >  - transfer FSMOs of MYDC system to a spare DC
> >  - stop CA, copy system32/Cert and system32/certlog to some share
> >  - make MYDC a normal Win2003 server using dcpromo
> >  - rename MYDC to OLDDC
> >  - rename NEW system to MYDC
> >  - dcpromo MYDC
> >  - install certificate authority, do not generate a private key but use
> > the one exported in the first step
> >  - stop CA, copy system32/cert and system32/certlog to MYDC, start CA
> >  - transfer FSMOs to MYDC
> >
> > Peter
>
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267
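The steps above are typed by hand; the script below is an added example (not code from Peter's post or from the Microsoft KB article) that performs the backup side of steps 1 and 2 on the OLD CA and then verifies the copy before the old server is shut down in step 3. It assumes Windows PowerShell 5.1 run elevated on the old CA, a backup folder or share of your choosing in $BackupDir, and that the real database and log folders are read from the CA's registry configuration (the DBDirectory and DBLogDirectory values) rather than assumed to be System32\Cert and System32\CertLog as in the post.

```powershell
# Added example: scripted backup + verification for the old CA (steps 1 and 2).
# Assumptions: elevated Windows PowerShell 5.1 on the old CA; $BackupDir is a
# path or share you choose; the P12 password is supplied at run time.
param(
    [Parameter(Mandatory = $true)] [string] $BackupDir,
    [Parameter(Mandatory = $true)] [string] $P12Password   # protects CA_Name.P12
)

$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaConfig {
    # 'Active' names the CA; DBDirectory / DBLogDirectory give the database and
    # log folders that must exist at the same paths on the new server (step 6).
    $caName = (Get-ItemProperty -Path $ConfigKey).Active
    $ca     = Get-ItemProperty -Path (Join-Path $ConfigKey $caName)
    [pscustomobject]@{
        Name   = $caName
        DbDir  = $ca.DBDirectory
        LogDir = $ca.DBLogDirectory
    }
}

function Backup-CaState {
    param([string] $Dest, [string] $Password)
    $cfg = Get-CaConfig
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null

    # Step 1 (KB form): key + database backup; writes <Dest>\<CA Name>.p12 and <Dest>\DataBase
    & certutil.exe -p $Password -backup $Dest
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

    # Step 1 (Peter's form): stop the CA, then take a raw copy of the DB and log folders
    & certutil.exe -shutdown | Out-Null
    Copy-Item -Path $cfg.DbDir  -Destination (Join-Path $Dest 'CertDb')  -Recurse -Force
    Copy-Item -Path $cfg.LogDir -Destination (Join-Path $Dest 'CertLog') -Recurse -Force

    # Step 2: export the CA's own registry configuration key
    $regPath = "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$($cfg.Name)"
    & reg.exe export $regPath (Join-Path $Dest 'CertSvc-Configuration.reg') /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    return $cfg
}

function Test-CaBackup {
    # $true only if the P12 and .reg exist and every copied DB/log file matches
    # its source byte-for-byte (SHA-256); otherwise warns about each difference.
    param([string] $Dest, [pscustomobject] $Cfg)
    $ok = (Test-Path (Join-Path $Dest "$($Cfg.Name).p12")) -and
          (Test-Path (Join-Path $Dest 'CertSvc-Configuration.reg'))
    foreach ($pair in @(@($Cfg.DbDir, 'CertDb'), @($Cfg.LogDir, 'CertLog'))) {
        $src  = $pair[0]
        $copy = Join-Path $Dest $pair[1]
        foreach ($f in Get-ChildItem -Path $src -File -Recurse) {
            $rel  = $f.FullName.Substring($src.TrimEnd('\').Length + 1)
            $twin = Join-Path $copy $rel
            if (-not (Test-Path $twin)) { Write-Warning "missing in copy: $rel"; $ok = $false; continue }
            $a = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
            $b = (Get-FileHash -Algorithm SHA256 -Path $twin).Hash
            if ($a -ne $b) { Write-Warning "hash mismatch: $rel"; $ok = $false }
        }
    }
    return $ok
}

$cfg = Backup-CaState -Dest $BackupDir -Password $P12Password
if (Test-CaBackup -Dest $BackupDir -Cfg $cfg) {
    Write-Host "Backup of CA '$($cfg.Name)' verified in $BackupDir; safe to proceed to step 3."
} else {
    throw "Backup verification failed; do not shut down the old CA yet."
}
```

The raw folder copy is taken only after certutil -shutdown so the ESE database files are closed and the hashes compared afterwards are stable; the P12 produced by certutil -backup carries the CA private key, so the backup location should be treated with the same care as the CA itself until step 9 has removed the keys from the old server.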

SOURCE: echomail via fidonet.ozzmosis.com
