
Migrating Exchange KMS to Windows Server 2003 CA

Updated: December 6, 2004

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following are the summary steps for migrating Exchange 2000 Server KMS to a Windows Server 2003 certification authority.

  1. If running Exchange 5.5 KMS, upgrade to Exchange 2000.

  2. Configure Windows Server 2003 CA for key archival.

  3. Ensure that the certificate is available for database migration.

  4. Enable the foreign certificate import option on the CA, if necessary.

  5. Export the Exchange KMS database.

  6. Import the Exchange database into the CA.

Before migrating KMS to a Windows Server 2003 CA, consider the version 1 CRL that the Exchange KMS publishes for Outlook clients in the Exchange Global Address List (GAL). Once KMS is migrated to a Windows Server 2003 CA, the v1 certificates can no longer be revoked, so it is recommended that a KMS migration be performed only when all v1 certificates have expired and KMS is no longer issuing them. If KMS is issuing X.509 version 3 certificates through a Windows 2000 CA, that CA must be kept running to publish CRLs until all the certificates it issued on behalf of KMS have expired.

Creating an Export Certificate

When a KMS migration to a Windows Server 2003 CA is performed, the export file from the KMS must be encrypted with a public key certificate and then subsequently decrypted by the Windows Server 2003 CA. The CA may or may not have an encryption certificate available to be used for this process. It is absolutely critical that an encryption certificate and private key be installed in the machine store (local machine) of the CA to facilitate KMS migration. Since the process runs as SYSTEM, any encryption certificate and private key available in the machine store may be used.

To view the certificates installed in the local machine store, open the Certificates MMC console for the local machine and view the certificates under the Personal store. A Secure Sockets Layer (SSL) or machine authentication certificate will suffice for this scenario. The certificate corresponding to the private key that will be used should be manually exported (the certificate only, without the private key, which stays in the CA's machine store) and made available during the KMS migration process. For more information about certificate enrollment and exporting certificates, see the Windows Server 2003 help files. If importing a certificate and key for the CA to use (a *.pfx file), ensure that the key is marked as exportable when importing on the CA. Otherwise, the CA may not be able to use the key and certificate for key import.

The export certificate used by the KMS should not have a key size greater than 1024 bits as this may cause errors on import to the Windows Server 2003 CA.

A Windows Server 2003 CA always has a CA Exchange certificate (an encryption certificate) available for key archival. Do not attempt to use this certificate to migrate the KMS database; the CA cannot use it for this purpose.

Enabling Foreign Certificates Import

If the KMS contains X.509 version 1 certificates and private keys, or if the KMS was not configured to use the same CA under Windows 2000, the foreign certificate import option must be enabled on the Windows Server 2003 CA.

Foreign Certificate Import

By default, a CA does not allow certificates (or keys) to be imported on the CA that were issued by another CA. A CA must be enabled to accept certificates and keys into the database that were issued by a foreign CA. (An Exchange 5.5 KMS issuing version 1 certificates is also considered a foreign CA.)

To enable foreign certificate import

  1. Run the following command in a command-prompt window on the CA.

    certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

  2. Once that has completed, restart Certificate Services so that the new KRAFlags value takes effect.


    When foreign certificates are being imported on a CA, the -f switch must be used with certutil to inform the CA that the keys and certificates are foreign. The command line is as follows:

    Certutil.exe -f -importKMS [name of import file]

Exporting Users’ Keys from Exchange 2000 KMS

Before an export of data from the KMS occurs, a full backup of the KMS should be performed and validated before continuing. An export of data from a KMS is destructive and will remove the keys from the KMS database.

If the CA that issued the KMS certificates is online when the export occurs, the KMS will attempt to revoke all version 3 certificates that are exported. If this happens, re-enroll all users immediately with the Windows Server 2003 CA so that S/MIME encryption can continue. Otherwise, take that CA offline before exporting, so the KMS export operation cannot revoke the existing certificates.

To perform the export operation on the KMS

  1. Start the Exchange System Manager.

  2. Point to the Advanced Security node, right-click Key Manager, click All Tasks, and then click Export Users.

  3. In the Key Management Service password box, type the KMS password (the default is "password"; if it was changed during installation, as it should have been, use the current password), and then click OK.

    The Exchange KMS Key Export Wizard will start.

  4. Click Next.

  5. Click Browse to select the certificate that will be used to encrypt the export file. This is the certificate exported from the CA in the previous section.

  6. Browse to that certificate file and click Open.

  7. On the Encryption Certificate screen, click Next.

  8. When this screen appears, use Windows Explorer to find and open the certificate that you chose from the screen in step 6. You will need to validate this certificate with the Exchange KMS Key Export Wizard.

  9. Copy the first eight characters from the Certificate thumbprint field in the certificate chosen to encrypt the KMS export file (Figure 33).

  10. Type the first eight characters of the certificate thumbprint in the Thumbprint field (Figure 34), and then click Next.

  11. Type the name of the export file (Figure 35). Do not type in a path, only the file name. It will be saved in the following location by default. This is based on the default installation for Exchange.

    C:\program files\exchsrvr\KMSDATA

    This file will not have an extension.

  12. Click Next.

  13. You may select an alphabetic list of users or select by mailbox store, server, or administrative group.

  14. In this case, select all of the administrative groups, and then click Next.

  15. To start the Export process after selecting the users or administrative group(s), click Next.

    The records will be exported. On average, approximately 100 records are exported per minute; actual performance will vary with the hardware configuration.

  16. When complete, click Next.

  17. The results will be displayed. Click Finish.


    If large numbers of users are exported, KMS may generate multiple export files and split the exported keys across the multiple files. In this case, all export files should be re-imported to the new CA.

    The export file will be located in the following folder.

    C:\program files\exchsrvr\KMSDATA

  18. Copy the KMS export file to the server that will accept the import file.

Importing Users’ Keys

The Windows Server 2003 CA allows not only key archival, but also certificate and key importation to the CA database. Certificate and key importation is important in providing migration services for Exchange KMS as well as for providing migration and escrow operations for certificates that were enrolled using a third-party CA. The Windows Server 2003 CA supports both certificate import as well as key import. Certificate import does not require that key archival be enabled on the CA, but key import does.

To import users’ keys

  1. Log on to the CA as a CA administrator.

  2. Open a command prompt window.

  3. Change to a directory containing the KMS import file.

  4. Run the following command.

    CertUtil.exe -f -importkms <name of export file>

    The output will indicate the status of the import process and the number of user keys imported and archived to the CA. The number of imported user keys should match the output from the KMS. The following is a sample successful output.

    Processing KMS exports from: 
    KMS export file signature verifies  
    Lock box opened, symmetric key successfully decrypted 
    Users: 6  
    Ignored signature certificates: 25  
    Certificates with keys: 17  
    Foreign certificates imported: 17  
    Certificates imported: 17  
    Keys: 17 
    Keys archived: 17 
    CertUtil: -ImportKMS command completed successfully.
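The following script is added here as an example; it is not part of the original article and not part of certutil. It wraps the import command from step 4 and checks the counters certutil prints against each other (every certificate with a key should yield one key, and every key should be archived) and against the key count the KMS Export Wizard reported, and it sums the counters across several files when KMS split a large export, as described in the export section. It assumes certutil prints counters in exactly the "Name: N" form of the sample above; the command-line arguments (expected key count and export file names) are operator-supplied placeholders.

```python
"""Verify a 'certutil -f -ImportKMS' run against what the KMS exported.

Added example, not part of the original article. Assumes certutil prints
the counter lines shown in the article's sample output ("Users: 6",
"Keys archived: 17", ...) and that it is run on the CA from the directory
holding the KMS export file(s).
"""
import re
import subprocess
import sys

# Copied from the article's sample of a successful import; used as test input.
SAMPLE_OUTPUT = """Processing KMS exports from:
KMS export file signature verifies
Lock box opened, symmetric key successfully decrypted
Users: 6
Ignored signature certificates: 25
Certificates with keys: 17
Foreign certificates imported: 17
Certificates imported: 17
Keys: 17
Keys archived: 17
CertUtil: -ImportKMS command completed successfully.
"""

# Matches a single line of the form "Some counter name: 17".
_COUNTER_RE = re.compile(
    r"^[ \t]*(?P<name>[A-Za-z][A-Za-z ]*?)[ \t]*:[ \t]*(?P<value>\d+)[ \t]*$",
    re.MULTILINE)


def parse_importkms_output(text):
    """Return {counter name: int} for every 'Name: N' line certutil printed."""
    return {m.group("name"): int(m.group("value"))
            for m in _COUNTER_RE.finditer(text)}


def import_succeeded(text):
    """True if certutil reported that the -ImportKMS command completed."""
    return "-ImportKMS command completed successfully" in text


def check_import(counts, expected_keys=None):
    """Return a list of problems; an empty list means the import looks complete.

    expected_keys is the number of keys the KMS Export Wizard reported, if known.
    """
    problems = []
    for name in ("Certificates with keys", "Keys", "Keys archived"):
        if name not in counts:
            problems.append("certutil output lacks the '%s' counter" % name)
    if problems:
        return problems
    if counts["Keys"] != counts["Certificates with keys"]:
        problems.append("Keys (%d) does not match Certificates with keys (%d)"
                        % (counts["Keys"], counts["Certificates with keys"]))
    if counts["Keys archived"] != counts["Keys"]:
        # Key import requires key archival to be enabled on the CA.
        problems.append("only %d of %d keys were archived; check that key archival is enabled"
                        % (counts["Keys archived"], counts["Keys"]))
    if expected_keys is not None and counts["Keys"] != expected_keys:
        problems.append("KMS exported %d keys but certutil imported %d"
                        % (expected_keys, counts["Keys"]))
    return problems


def add_counts(total, counts):
    """Sum counters across several export files (KMS splits large exports)."""
    for name, value in counts.items():
        total[name] = total.get(name, 0) + value
    return total


def run_import(export_file):
    """Run the article's import command; -f because the KMS certificates are foreign."""
    proc = subprocess.run(["certutil.exe", "-f", "-ImportKMS", export_file],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


if __name__ == "__main__":
    # Usage: python check_kms_import.py <keys reported by KMS> <export file> [more files...]
    expected = int(sys.argv[1])
    totals = {}
    for path in sys.argv[2:]:
        rc, out = run_import(path)
        print(out)
        if rc != 0 or not import_succeeded(out):
            sys.exit("import of %s failed (exit code %d)" % (path, rc))
        add_counts(totals, parse_importkms_output(out))
    problems = check_import(totals, expected)
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it on the CA with the key count shown by the KMS Export Wizard and every file KMS produced; a non-zero exit means the imported and archived counts do not line up and users should not be told their keys have been recovered until the discrepancy is resolved.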


© 2016 Microsoft