AD CS Migration: Verifying the Migration

Applies To: Windows Server 2008 R2, Windows Server 2012

Complete the following procedures to verify the operation of the destination certification authority (CA).

  • Verifying certificate enrollment

  • Verifying CRL publishing

Verifying certificate enrollment

To verify migration to an enterprise CA, complete the procedure Request a Certificate (https://go.microsoft.com/fwlink/?LinkId=179367).

You can start autoenrollment for user certificates by completing the following procedure or by running the following command: certutil.exe -pulse.

To verify autoenrollment

  1. Log on to a domain member computer by using an account that has Autoenroll, Enroll, and Read permissions for the certificate templates that are assigned to the destination CA.

  2. Click Start, and then click Run.

  3. Type certmgr.msc, and then click OK to open the Certificates snap-in.

  4. In the console tree, right-click Certificates – Current User, click All Tasks, and then click Automatically Enroll and Retrieve Certificates to start the Certificate Enrollment wizard.

  5. On the Before You Begin page, click Next.

  6. On the Request Certificates page, a list of one or more certificate templates should be displayed. Select the check box next to each certificate template that you want to request, and then click Enroll.

Note

If the correct certificate templates are not displayed, click Show all templates to display all certificate templates that are assigned to the issuing CA. A status of Unavailable indicates the user account does not have permission to autoenroll for a certificate. Follow the steps in the "To configure certificate templates for autoenrollment" procedure earlier in this topic. For more information, see Troubleshooting Certificate Enrollment.

  7. Click Finish to complete the enrollment process.

  8. In the console tree, double-click Personal, and then click Certificates to display a list of installed user certificates and to verify that the certificate that you requested is displayed.
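The following PowerShell script is an added example and is not part of the original topic or of the AD CS product. It does the same thing as the wizard above from the command line: it runs certutil.exe -pulse to trigger autoenrollment, then checks the user's Personal store for a certificate issued by the destination CA and confirms which template it came from. The CA common name ($CaName) and template display name ($TemplateName) are placeholders you replace with your own values; the template OIDs are the standard ones AD CS stamps into issued certificates.

```powershell
# Added example, not part of the original topic: trigger autoenrollment the
# way "certutil.exe -pulse" does and confirm that a certificate issued by the
# destination CA for the expected template appears in the user's store.
# Assumptions (placeholders): $CaName is the CA's common name, $TemplateName
# the display name of a template assigned to that CA. Run as the test user on
# a domain-joined client.
param(
    [string]$CaName       = "CA1",   # placeholder
    [string]$TemplateName = "User"   # placeholder
)

# Extensions AD CS stamps into issued certificates to record the template.
$TemplateInfoOid = "1.3.6.1.4.1.311.21.7"   # Certificate Template Information (v2+ templates)
$TemplateNameOid = "1.3.6.1.4.1.311.20.2"   # Certificate Template Name (v1 templates)

function Get-TemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -eq $TemplateInfoOid -or $_.Oid.Value -eq $TemplateNameOid } |
        Select-Object -First 1
    if ($ext) { return $ext.Format($false) }
    return ""
}

$started = Get-Date

# Same effect as the wizard: run the autoenrollment task now.
certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 15

# AD CS backdates NotBefore by a clock-skew allowance (10 minutes by default),
# so accept certificates whose NotBefore is a little earlier than $started.
$issuerPattern = "CN=" + [regex]::Escape($CaName) + "(,|$)"
$issued = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -match $issuerPattern -and $_.NotBefore -ge $started.AddMinutes(-15) })

if ($issued.Count -eq 0) {
    Write-Warning "No certificate from $CaName was issued since $started. Check Autoenroll/Enroll/Read on the template and the CertificateServicesClient-AutoEnrollment events in the Application log."
    exit 1
}

foreach ($c in $issued) {
    "{0}  Subject={1}  NotAfter={2}  {3}" -f $c.Thumbprint, $c.Subject, $c.NotAfter, (Get-TemplateText -Cert $c)
}

$match = $issued | Where-Object { (Get-TemplateText -Cert $_) -match [regex]::Escape($TemplateName) }
if ($match) {
    "PASS: autoenrollment against $CaName issued a certificate for template '$TemplateName'."
} else {
    Write-Warning "Certificates were issued by $CaName, but none references template '$TemplateName'."
    exit 1
}
```

Run it as the test user from a PowerShell prompt (for example, .\Verify-Autoenroll.ps1 -CaName "CA1" -TemplateName "User"). A non-zero exit with the warning above points at the same causes the Note describes: missing Autoenroll, Enroll or Read permissions on the template, or a template not assigned to the destination CA.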

To verify migration to a standalone CA, complete the following procedure.

To verify manual enrollment by using Certreq.exe

  1. Create a certificate request, and save it to a file by completing the procedure Create a Custom Certificate Request (https://go.microsoft.com/fwlink/?LinkId=179368).

  2. Open a Command Prompt window.

  3. Type certreq -submit -config "<DestinationServerName\CAName>" "<CertificateRequestInput>" "<CertificateResponseOutput>" and press ENTER.

Note

If a message is displayed indicating that the certificate request is pending, the certificate must be issued by a certificate manager or CA administrator by using the Certification Authority snap-in. After the certificate is issued, it must be retrieved by using the command in step 4. If the certificate is issued immediately by the CA, the file specified in <CertificateResponseOutput> contains the certificate. Use the command in step 5 to install the certificate into the certificate store.

  4. Type certreq -retrieve -config "<DestinationServerName\CAName>" <RequestID> <CertificateResponseOutput> and press ENTER.

  5. Type certreq -accept -config "<DestinationServerName\CAName>" <CertificateResponseOutput> and press ENTER.

Option: -config
Description: The -config option is followed by a string specifying a host name and CA name in the format HostName\CAName.
Example: certreq.exe -submit -config Server1\CA1 C:\RequestFile.txt C:\ResponseFile.cer

Option: DestinationServerName
Description: The host name of the destination server.

Option: CAName
Description: The CA name being migrated.

Option: CertificateRequestInput
Description: The path and name of the file containing the certificate request that was created by using the procedure "Create a Custom Certificate Request."

Option: CertificateResponseOutput
Description: The path and name of the file receiving the issued certificate from the CA. If the certificate request is pending, the file contains a message from the CA indicating the status of the request and the request ID. The request ID is used to retrieve the certificate after it is issued by a certificate manager or CA administrator.
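The following PowerShell script is an added example, not part of the original topic or of the certreq.exe tool itself. It chains steps 3 to 5 of the manual enrollment procedure: it submits the request, reads the RequestId that certreq prints, waits for a certificate manager to issue a pending request before retrieving it, installs the result with -accept, and finally confirms that the installed certificate was issued by the destination CA and has its private key. The config string and file paths are the same placeholders as in the table above; the request file is assumed to have been created on this computer by the "Create a Custom Certificate Request" procedure, since -accept must find the matching private key.

```powershell
# Added example, not part of the original topic: drive the certreq.exe
# submit / retrieve / accept sequence (steps 3-5) and report the result.
# Assumptions (placeholders): $Config is HostName\CAName of the destination
# CA; $Request is the request file from step 1, created on this computer;
# $Response receives the issued certificate.
param(
    [string]$Config   = "Server1\CA1",          # placeholder
    [string]$Request  = "C:\RequestFile.txt",   # placeholder
    [string]$Response = "C:\ResponseFile.cer"   # placeholder
)

function Invoke-CertReq {
    param([string[]]$Arguments)
    $out = & certreq.exe @Arguments 2>&1 | Out-String
    return @{ ExitCode = $LASTEXITCODE; Output = $out }
}

# Step 3: submit the request to the destination CA.
$submit = Invoke-CertReq -Arguments @("-submit", "-config", $Config, $Request, $Response)
$submit.Output

# certreq prints "RequestId: <n>" on submission; it is needed if the request is pending.
$requestId = $null
if ($submit.Output -match "RequestId:\s*(\d+)") { $requestId = $matches[1] }

if ($submit.Output -match "pending") {
    if (-not $requestId) { throw "Request is pending but no RequestId was printed." }
    Write-Host "Request $requestId is pending. Issue it in the Certification Authority snap-in, then press Enter."
    [void](Read-Host)
    # Step 4: retrieve the certificate after a certificate manager has issued it.
    $retrieve = Invoke-CertReq -Arguments @("-retrieve", "-config", $Config, $requestId, $Response)
    $retrieve.Output
    if ($retrieve.ExitCode -ne 0) { throw "certreq -retrieve failed (exit $($retrieve.ExitCode))." }
} elseif ($submit.ExitCode -ne 0) {
    throw "certreq -submit failed (exit $($submit.ExitCode))."
}

# Step 5: install the issued certificate and bind it to the private key
# generated with the request.
$accept = Invoke-CertReq -Arguments @("-accept", "-config", $Config, $Response)
$accept.Output
if ($accept.ExitCode -ne 0) { throw "certreq -accept failed (exit $($accept.ExitCode))." }

# Confirm the newest certificate from the destination CA is in the user store
# with its private key (the request was made in the user context).
$caName = ($Config -split "\\")[-1]
$issuerPattern = "CN=" + [regex]::Escape($caName) + "(,|$)"
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -match $issuerPattern } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

if ($cert -and $cert.HasPrivateKey) {
    "PASS: $($cert.Subject) (thumbprint $($cert.Thumbprint)) issued by $caName, private key present."
} elseif ($cert) {
    Write-Warning "Certificate from $caName installed, but no private key is bound; was the request created on this computer?"
    exit 1
} else {
    Write-Warning "No certificate from $caName found in Cert:\CurrentUser\My."
    exit 1
}
```

If the request was created with -machine (a computer certificate), run the script elevated and change Cert:\CurrentUser\My to Cert:\LocalMachine\My in the final check; the certreq calls themselves follow the page's syntax unchanged.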

Verifying CRL publishing

If you published a certificate revocation list (CRL) with an extended validity period before beginning migration, you should change the CRL publishing period back to its pre-migration value by completing the procedure Schedule the publication of the certificate revocation list.

Manually publish a CRL by completing one of the procedures described in Manually Publish a CRL.
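The following PowerShell script is an added example and is not part of the original topic. It runs on the destination CA and ties the two checks above together: it reads the configured base and delta CRL periods from the CA's registry configuration (the values the scheduling procedure changes), publishes a base CRL with certutil.exe -crl, and then reads ThisUpdate and NextUpdate back from the published file so you can see whether the validity window still reflects the extended pre-migration period. $CaName and $MaxExpectedDays are placeholders; the script assumes the default local CRL publication path under %SystemRoot%\System32\CertSrv\CertEnroll and a CA whose key has not been renewed (a renewed key adds a "(n)" suffix to the CRL file name).

```powershell
# Added example, not part of the original topic: on the destination CA, read
# the configured CRL period, publish a base CRL, and check the validity window
# of the file that was written. Assumptions (placeholders): $CaName is the CA's
# common name (the CRL file is $CaName.crl unless the CA key was renewed);
# $MaxExpectedDays is the longest base-CRL window expected after reverting the
# pre-migration extension. Run elevated on the CA.
param(
    [string]$CaName          = "CA1",  # placeholder
    [double]$MaxExpectedDays = 8       # placeholder: 1-week period plus overlap
)

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$cfg = Get-ItemProperty -Path $regPath

# These are the values the "Schedule the publication of the certificate
# revocation list" procedure changes; an extended pre-migration value shows here.
"Configured base CRL period : {0} {1}" -f $cfg.CRLPeriodUnits, $cfg.CRLPeriod
"Configured delta CRL period: {0} {1}" -f $cfg.CRLDeltaPeriodUnits, $cfg.CRLDeltaPeriod

# Publish a new base CRL (command-line equivalent of Manually Publish a CRL).
certutil.exe -crl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed (exit $LASTEXITCODE)." }

# Default local publication path for the base CRL.
$crlFile = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll\$CaName.crl"
if (-not (Test-Path $crlFile)) { throw "Published CRL not found at $crlFile." }

# certutil -dump prints the CRL's ThisUpdate and NextUpdate as text; parse them.
$dump = certutil.exe -dump $crlFile | Out-String

function Get-DumpDate([string]$Text, [string]$Field) {
    $m = [regex]::Match($Text, "$Field\s*:\s*(.+)")
    if (-not $m.Success) { throw "$Field not found in certutil -dump output." }
    return [datetime]::Parse($m.Groups[1].Value.Trim())
}

$thisUpdate = Get-DumpDate $dump "ThisUpdate"
$nextUpdate = Get-DumpDate $dump "NextUpdate"
$windowDays = ($nextUpdate - $thisUpdate).TotalDays

"Published CRL: ThisUpdate={0}  NextUpdate={1}  window={2:N1} days" -f $thisUpdate, $nextUpdate, $windowDays

# ThisUpdate is backdated by the clock-skew allowance, so allow a short margin.
if ($thisUpdate -lt (Get-Date).AddMinutes(-30)) {
    Write-Warning "ThisUpdate is older than the publish just run; certutil -crl may not have replaced $crlFile."
}
if ($windowDays -gt $MaxExpectedDays) {
    Write-Warning "CRL window of $windowDays days exceeds $MaxExpectedDays days; the pre-migration CRL publishing period may not have been reverted."
    exit 1
} else {
    "PASS: CRL published by $CaName with a {0:N1}-day window." -f $windowDays
}
```

If the CA also publishes to an HTTP or LDAP distribution point, compare the NextUpdate printed here with the copy clients actually download (for example with certutil.exe -URL); a stale copy at the distribution point is a common reason clients keep seeing the extended CRL after migration.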

Next steps

After completing verification steps, you should review the topic AD CS Migration: Post-Migration Tasks and complete the procedures appropriate for your environment.

See also