Migrating Microsoft CA to EJBCA

Use the same generic methods to import the CA key and certificate, then import all issued user certificates. After such a complete migration the old CA can be decommissioned. Ensure that the audit logs are kept in order to provide a full audit trail over the CA's complete lifetime.

Note that EJBCA and MS commands may have changed as new versions have been released.

Export the MS CA key and import it into EJBCA

We use the built-in functionality to back up a MS CA. For more information, see the Microsoft documentation on How to move a certification authority to another server.

This gives a PKCS#12 that can be imported to EJBCA.

  • Start a new "mmc" and add the "Certificate Authority" snap-in. Right-click the CA to export > All tasks > Back up CA.

  • Follow the wizard and select Private key and CA certificate, location for storing the p12-file, and a password.

  • Copy the p12-file to the EJBCA machine.

  • Run: $EJBCA_HOME/bin/ejbca.sh ca importca "MS CA v1" /path/mscakey.p12

The CA should now appear in the EJBCA Admin GUI.

Import existing certificates into EJBCA

Importing certificates one at the time

  • Certificates can be exported from the CA snap-in by opening each certificate and clicking "Copy to File...".

  • Convert the certificate to PEM format with openssl: openssl x509 -in certificate.crt -inform DER -out certificate.pem -outform PEM

  • Import to EJBCA with: $EJBCA_HOME/bin/ejbca.sh ca importcert username password "MS CA v1" status certificate.pem EndEntityProfile CertProfile

Note that this is only suitable if you have a few certificates.

Importing the entire certificate database

The entire certificate database is stored in \Windows\System32\CertLog\CA-name.edb.

Certutil.exe, which ships with Windows Server, can be used to dump the individual records from the database. The following command lists the names of the columns that can be dumped:

certutil -schema

To dump all certificates with their UPN, TemplateName, Disposition (Issued, Revoked), and the PEM-encoded certificate, run the following:

certutil -view -restrict "GeneralFlags>0" /out "UPN,CertificateTemplate,Disposition,RawCertificate" > certdump.txt

EJBCA provides a script for migrating the MS CA, that:

  • Locates next line that starts with "Row"

  • Parses UPN

  • Parses TemplateName

  • Parses certificate status from the Disposition field

  • Writes the PEM certificate to a temporary file

  • Runs the import CLI

    • Username: UPN-TemplateName

    • Password: foo123

    • CA name: From the command line of the script. Should be the name of the imported MS CA.

    • status: ACTIVE if issued and REVOKED if revoked

    • filename: the temporary file

    • EndEntityProfile: TemplateName (existing)

    • CertificateProfile: TemplateName (existing)

  • Start over until there are no more "Row"s

After compiling EJBCA with ant, run the script according to the following:

cd $EJBCA_HOME/tmp/bin/classes/
java org.ejbca.ui.cli.ImportMSCACertificates /path/certdump.txt "MS CA v1"
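The steps the migration script performs, shown as an added example rather than EJBCA's own ImportMSCACertificates code: it walks the certutil dump Row by Row, maps the Disposition to an EJBCA status, and builds the importcert argument list (UPN-TemplateName as username, the template name reused as both profiles). The field labels, the certificate bodies and the denied row in the sample dump are constructed placeholders, and the exact label text certutil prints is an assumption.

```python
import re

# Constructed sample of certdump.txt; labels and base64 bodies are placeholders, not real CA output.
SAMPLE_DUMP = """\
Row 1:
  User Principal Name: "alice@corp.example"
  Certificate Template: "User"
  Request Disposition: 0x14 (20) -- Issued
  Binary Certificate:
-----BEGIN CERTIFICATE-----
QUxJQ0UtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
Row 2:
  User Principal Name: "bob@corp.example"
  Certificate Template: "SmartcardLogon"
  Request Disposition: 0x15 (21) -- Revoked
  Binary Certificate:
-----BEGIN CERTIFICATE-----
Qk9CLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
Row 3:
  User Principal Name: "carol@corp.example"
  Request Disposition: 0x1f (31) -- Denied
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def _field(block, label):
    """Return the value of `label:` inside one Row block, with surrounding quotes stripped."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.*)$", block, re.M)
    return m.group(1).strip().strip('"') if m else ""

def parse_certutil_dump(text):
    """Keep only rows carrying a PEM certificate whose Disposition maps to ACTIVE or REVOKED."""
    records = []
    for block in re.split(r"^Row \d+:", text, flags=re.M)[1:]:
        pem = PEM_RE.search(block)
        disposition = _field(block, "Request Disposition")
        status = ("ACTIVE" if "Issued" in disposition
                  else "REVOKED" if "Revoked" in disposition else None)
        if pem is None or status is None:
            continue  # denied or pending requests carry no certificate to import
        records.append({"upn": _field(block, "User Principal Name"),
                        "template": _field(block, "Certificate Template"),
                        "status": status, "pem": pem.group(0) + "\n"})
    return records

def importcert_args(rec, ca_name, pem_path, password="foo123"):
    """Argument list for `ejbca.sh ca importcert` in the order the CLI expects."""
    return ["ca", "importcert", f"{rec['upn']}-{rec['template']}", password, ca_name,
            rec["status"], pem_path, rec["template"], rec["template"]]
```

Write each record's `pem` to a temporary file and pass that path as `pem_path`; the end entity and certificate profiles named after the template must already exist in EJBCA, as the script description above requires.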

Issue certificates for SmartCard Logon, DCs, EFS etc