Moving Certificate Services To Another Server

KB ID 0001473

Problem

If you are retiring a CA Server, or there’s a problem with the server and you want to move Microsoft Certificate Services to another server, the procedure is pretty straight forward.

BE AWARE: We are moving the CA Server Name , NOT the Server Name (FQDN), the two things are NOT the same, (you might have called them the same thing!) But a Certificate Authority has a name of its own, and that’s what we are going to move.

So the new server doesn’t have to have the same name? No, it can do if you really want, but that’s an added layer of complication I can’t see the point of?

In the video below, I’m migrating from Server 2008 R2 to Server 2019, and I’m also moving CRLs and OSCP responders. In the screenshots below I’m moving from Server 2016 to Server 2016, but the process is pretty much identical all the way back to Server 2003.

Can I migrate from Server 2008 (NON R2) to 2016 (or newer): Yes, but not directly, you need to upgrade to Server 2012 R2 first. If you don’t, the database wont mount and you will get this error.

Solution

On the ‘Source‘ server, open the Certificate Services management console > Right click the CA NAME > All Tasks > Back up CA.

Transfer CA to Another Server

The backup wizard will open, Next > Tick BOTH options > Select a Backup Location > Next > Set a password (you will need this to set the new CA up!) > Next > Finish.

Backup CA Settings Wizard

Now we need to take a backup of the Registry key that holds the information for this CA server. Run ‘regedit’ > Navigate to;

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > CertSvc > Configuration > {CA-NAME}

Export a copy of this key, (save it in the same folder that you backed up to earlier).

Export CA Settings Windows 2016

Now we need to uninstall CA Services from this server. Server Manager > Manage > Remove Roles and Services > Next.

Remove Roles Server 2016

REMOVE all the CA role services  > Complete the Wizard, then launch the wizard again and select ‘Active Directory Certificate Services’ > At the pop-up select ‘Remove Features’ > Next.

Remove CA Roles Windows 2016

Next > Next > Next > Close.

Transfer Certificate Services to Server 2016

Setup Certificate Services on the Target/New Server

Server Manager > Add Roles and Features > Next.

Install Role or Feature 2016

Next > Select ‘Active Directory Certificate Services’ > Add Features > Next.

Install CA Role 2016

For now let’s just stick with the Certification Authority > Add the other role services later* > Next.

*Note: I’ve written about all these role services before, just use the search function, (above), if you are unsure what they all do.

Install Certificate Services Role 2016

Next > Close.

Setup Certificate Services

Warning > Configure Active Directory Certificate Services > Next.

Restore Certificate Services

Next > Enterprise CA (Unless it’s an offline non domain joined CA) > Root CA (unless it’s a subordinate CA!) > Next.

Configure 2016 Certificate Services

> Select ‘Use existing private key‘ > Select ‘Select a Certificate and use its associated private key‘ > Next > Import > Browse > In your backup folder locate the certificate (it will have a .p7b extension.) > Enter the password > OK > Select the Cert > Next.

Restore Certificate Services Differnet Server

Next > Next > Configure >  Close.

Migrate Certificate Services Differnet Server

Stop Certificate Services;

net stop certsvc

Stop Certificate Services

If your new server has a different hostname/FQDN open the registry file you exported above with Notepad, locate and change the CAServerName entry to the name of the NEW server.

Change CA Server Name

Right click the registry backup > Merge > Yes > OK.

Import CA Settings to Registry

Launch the Certificate Services management console > Right Click the CA NAME > All Tasks > Restore CA.

Restore Windows CA

The restore wizard will start > Next > Browse to the folder with your backup in > Next > Enter the password you used (above) > Next > Finish.

2016 Restore Windows CA Wizard

You will be prompted to start the Certificate Services service > Yes.

Restart Restored Windows CA

What About Certificate Templates? Do I need to Move Them?

No! Certificate templates are actually stored in Active Directory, NOT in/on the actual Certificate Services server, (that’s why sometimes they take a while to appear after you create them!) You can see them here;

Certificate Templates in Active Directory

Related Articles, References, Credits, or External Links

Digital Certificates Explained

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

Author: PeteLong

Share This Post On

233 Comments

  1. Thank you for submitting the new hostname CA server Fix.

    Post a Reply
  2. Nice and clear walkthrough

    I used this to perform a move for the CA service on a pair of 2012 R2 servers.

    No issues were experienced beyond ensuring *NOT* to select the “database” sub-directory when performing the final restore, use the parent directory.

    Thanks for taking the time to write and present this so well.

    Stu

    Post a Reply
    • No problem Stu, thanks for the feedback.

      Post a Reply
  3. Thanks for the nice and concise write-up. I’ll be using it to migrate a 2008R2 CA to a 2016 server. Quick question, do I need to back up and restore the cert templates too?

    -George

    Post a Reply
  4. Any downtime for this? Considering doing this during the day.

    Post a Reply
    • Only for the PKI service while you swap over 🙂 Users probably won’t even notice.

      Post a Reply
    • How did you make out? Thinking about doing this during the day myself? Was concerned it might trigger something the users can see.

      Post a Reply
  5. Worked on 2019 as well

    Post a Reply
  6. Can you install the new CA role but not restore the services prior to doing the swap? Would speed up the process not fully removing old and then installing new etc.

    Post a Reply
    • It is not possible because:
      It is important to remove the CA role service from the source server after completing backup procedures and before installing the CA role service on the destination server. Enterprise CAs and standalone CAs that are domain members store in Active Directory Domain Services (AD DS) configuration data that is associated with the common name of the CA. Removing the
      CA role service also removes the CA’s configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation. The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server
      restores the source CA if migration fails and performing a rollback is required. See Restoring AD CS to the source server in the event of migration failure.

      Post a Reply
      • I’ve seen a couple different takes on this…

        One states that the removal of the CA roles on the one server is absolutely necessary prior to adding and configuring them on the replacement server.

        Another states that one can simply force the one server offline (e.g. disable the NIC) so it’s not available when the replacement server comes online.

        You clearly take the first position, and it makes sense. It’s a bit nerve-wracking, even with the rollback options, but it makes sense.

        Question: If the replacement server has a different hostname, and the certificates show the original server’s hostname as part of their CRL Distribution Point, will the steps in this article account for those, or will I need to take additional steps such as creating a CAPolicy.inf file?

        Alternatively, I’ve considered just making a separate DNS entry for the old hostname pointing at the new IP.

        Post a Reply
  7. Excellent ! I would have never figured that out, especially the registry modification.
    Move a 2012R2 over to 2019 Server not issues.

    Post a Reply
  8. Some articles say to change the name of the new CA Server to match the old CA server after you decommission the old CA server… so this is NOT necessary right? The only thing is the new server name will not match the CA name right? Oh and you would not need to modify CAServername registry entry….

    Post a Reply
    • I don’t (usually) and I’ve never had a problem?

      P

      Post a Reply
    • You can’t. The add roles/features wizard specifically states that once you add the CA role, you can’t change the hostname and or domain afterwards.

      Post a Reply
  9. Thanks for the article, good work!

    What about the AIA and CDP distribution points, and the CRL urls? Do you need to do anything to those to change them etc?

    Post a Reply
    • That is a great point! If you are retaining the server name, things like AIA will probably be the same, but CRL and OSCP may well need to man manually recreated (with the same paths, or changed to the new server name).

      Post a Reply
  10. Thanks the article is very straight forward. My question as I prepare to move my CA to a new server is how do the clients find the CA?

    If the CA was one name or on one server how do they find it when I move to a new server with a different name?

    Thanks,
    Dave

    Post a Reply
    • They will find it in Active Directory 🙂

      Post a Reply
      • So it will replicate the changes with AD?

        I only ask because its a huge move considering if things don’t work my users wont be able to login.

        And thanks so much for taking the time to answer me.

        Post a Reply
        • Even if you are doing 801.x authentication the root CA cert will be the same, all previously issued certs will remain trusted. 🙂

          Post a Reply
  11. Awesome, thank you so much

    Post a Reply
  12. Is it safe to assume same steps would work migrating from 2008 R2 to 2016 Server?
    I already have prepped 2016 server that is domain joined.
    Would you also recommend making it a domain controller since my 2008 CA is also a domain controller
    with schema master role assigned? I was planning on moving that role ahead of time, but should I still make it a domain controller ?
    Thank You

    Post a Reply
    • Yes in fact I’ve done it in anger 🙂

      Post a Reply
      • PeteLong when you say Yes to Luke, which question are you saying Yes to? I was thinking of taking this opportunity to move my CA off of my 2012 DC and moving it to a member server. Everything I see says to keep it off of a CA so that is why I’m looking at it.

        I was thinking I could bring up a new DC2019 and then demote the DC2012 (that has the CA on it). Now it’s just a member server. I could then install a new MemberServer 2019 and move the CA from the 2012 server to it.

        What are your thoughts on this process?

        Post a Reply
        • I mean the upgrade/migration process will work.
          I don’t recommend making it a domain controller, (unless you have no choice).
          Treat migrating domain controllers and migrating CA’s as a separate thing!

          Post a Reply
  13. I have something similar to this but I wanted to see if someone can comment on this: i have a CA server on an old 2008 R2 enterprise domain controller which I want to retire I also have two additional one is 2012 R2 and the other one is a 2016. all roles are managed by the 2012 DC
    is it advisable to just install CA services on both 2012 and 2106 DCs and retire the 2008 DC or do i need to migrate the DB from the 2008 into one of the other two domain controllers?

    Any feedback would be greatly appreciated. thanks, Wil

    Post a Reply
    • Migrate the Root CA, then simply remove the CA roles from the SubCA servers and create some new ones, take a backup of them before you kill them in case you need to retain the intermediate CA certificates for any reason (i.e. 802.1x, or NDES, or appliances you manually put certificates on).

      P

      Post a Reply
  14. What an excellent article. I’ll be using this as a guide to migrate a 2012 R2 CA to 2016 this week.

    One quick (I hope) question: We’ll be changing the hostname and IP address of our CA. Is it strictly necessary to remove the CA roles from the original CA prior to installing those roles on the new CA? Or, can the original CA be shut down pending successful migration?

    Post a Reply
    • Well no it’s not strictly necessary, but the CA can only exist in one place, the sever-name and the CA name are NOT the same, as soon as the CA is imported and online on the new server it CANNOT be online on the old one 🙂

      P

      Post a Reply
      • Perfect. Thanks again! Sounds like the best way to ensure some fallback plan (or management peace-of-mind, anyway) is to disable the NIC on the server hosting the old CA so, even powered on, it can’t talk to others. Out-of-Band-Management is obviously key to being able to do this.

        Then, once we’ve got green light on the new CA on the new server, we can remove the roles from the old server.

        Post a Reply
        • Even easier to disconnect Ethernet cable from old server. 🙂

          Post a Reply
  15. Thank you for a great article. Worked perfect. Just a quick comment, I had CNAME’s for CRL and AIA in my local DNS pointing to the old server hostname. I updated those to the new server hostname.

    Post a Reply
  16. When installing CA on the new server, when I go to configure it, the option for Enterprise CA is grayed out. Do you know why that is?

    Post a Reply
    • Is it already a domain member server?

      Post a Reply
  17. We have root offline CA (Non Domain Joined) and Intermediate CA (Domain Joined) both are on 2008 R2
    can we follow same process to migrate both server?, first migrate Root offline CA to 2019 and then migrate intermediate CA to 2019
    is there anything else required.

    Post a Reply
    • I’ve not done this, but I don’t see why not, as we are moving the CA, not the server. You can Test it in a virtual sandbox, but I can think of any problems.

      Post a Reply
      • Hi, We also have offline root CA non domain joined and two sub servers. What is the order to do things? Root CA first and then do we do one sub at a time or take both offline at the same time?

        Post a Reply
        • Hi Tim, Always start with the root and work down.

          Post a Reply
  18. work this on domain controllers servers ?
    i have DC where is running CA and need migrate to new server with new FQN name.. but CA name will be same as old..
    thanks for help 😉

    Post a Reply
    • The fact its a DC does not matter its the “CA name” you are moving 🙂

      Post a Reply
  19. Correct me if I am wrong – it may be a good idea to make a note of and then remove all certificate templates on the old server prior to taking a backup of the existing CA to ensure that no certificates are issued between the time you take the backup on the original server and restore on the new server. The templates could then be re-added after the restore is done.

    Post a Reply
    • Templates don’t live on the CA server, they are stored in AD, that’s why if you have a lot of domain controllers, you need to wait a few minutes before you can issue a ‘new’ template. You are waiting for domain replication to occur.

      Post a Reply
      • Perhaps I was not as clear as I could have been. I was suggesting that you could unpublish the templates to prevent certificates being issued between the moment you take the CA backup and disable/remove Certificate Services on the old server. The chance of this happening is small, but couldn’t it result in an ‘orphan’ certificate being issued?

        Post a Reply
        • The worst that would happen is you would not be able to revoke it.

          Post a Reply
  20. Everything seems to have worked except the registry import, is it a requirement or can we run without it?

    Post a Reply
    • No you definitely need that to work!

      Post a Reply
  21. Great information!

    My team and I are ready to execute this Migration from a 2008 Server to a 2012R2. Our main concerns are:
    1. If the server has a different name, even if we change the name in the registry export to the new name, how does that affect any currently issued certificates with the old name embedded into it?
    2. How do you get all computer objects on the domain to update the certificate once the new cert is up and running?

    I’m a bit novice to Managing a Certificate Store, but the project is mine to undertake and i certainly want to learn, so please Jedi Masters, give this Padawan Guidance! Thanks!

    Post a Reply
    • 1. Man Im sure I’ve mentioned this six thousand and seven times, stop worrying about server names, server names are not important at all, you are moving the CA name. So changing the server names affects nothing.

      2. Assuming your computers are auto-enrolling, (if not then they wont have any certificates?) then they will renew from the CA NAME which they will find in active directory, and which hasn’t changed from the last time they got a certificate, it’s just on a different server 🙂

      Imagine ‘Boots the chemist’ moves from the middle of town, to the out of town shopping centre, your question would read how do we buy paracetamol now Boots has changed its address.

      P

      Post a Reply
      • PeteLong, If the server name is irrelevant, then why is the cert server name embedded in the local workstation and server certificates? See the ProdCert1v server name in the certificate below:

        (ldap:///CN=xxxxxxxxx%20xxxxxxxxxxxx%20Certificate%20Authority,CN=PRODCERT1v,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxxxxxxxxxx,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint)

        Post a Reply
        • It’s the CRL URL in your reference, the person that originally installed that chose that URL/hostname. If you wish to support existing CRL lookups using this FQDN it either needs to be replicated or redirected from the original server.

          However, within an AD environment LDAP is used first. This is why if your CA services non-domain members, it’s probably best to remove the LDAP location and just use HTTP to speed up resolution.

          Hope this makes sense!

          Post a Reply
  22. To PeteLong…. Thank you!
    Christmas Gift for me to have an easy path!

    Post a Reply
  23. Very Clean walkthrough. Thanks

    Post a Reply
  24. Hi,

    I am in process of upgrading existing CA environment – 2008 -> 2019. Offline Root CA and 3 domain member SUB CA’s. After upgrade I will only need one SUB CA.
    My idea is to migrate the Root CA using backup/restore as described here to a new server with new name (I think straight forward). On the current 3 SUB CA’s I want to disable auto-enrolling – and keep them alive until latest issued certificate have expired. Install a new sub CA with with auto-enrolling enabled?
    Any pitfalls doing it this way?
    Torben

    Post a Reply
    • Not that I can see, as long as they are left up for the same amount of time that the certificates are valid 🙂

      Post a Reply
  25. This worked well for me thank you. On the original CA I had created a “User VPN” template for auto-enrollment. I am not sure if it was necessary, but I did reissue this certificate template on the restored CA. The User VPN template was not listed until I had selected “New -> Certificate Template to Issue”

    Post a Reply
  26. Thanks for the slick write up. I really appreciate this and the other articles you have contributed to the community Pete!

    Sam

    Post a Reply
  27. Pete,
    Great work, great write up.

    Quick question.

    I’m planning on upgrading a rootCA and a SubCA (2008r2 to 2019).
    I follow the steps that you laid out for the root, I understand that.

    What about the sub?
    Do I do the same (ie backup the sub and the sub’s reg then restore to 2019)?
    Or did I see in the comments to just install a brand new sub (even though many certs issue from sub)?

    Thanx!

    Post a Reply
    • Same procedure for the SubCA if you want to migrate it, you can also create a new one just as easy 🙂

      Post a Reply
  28. Great write up Pete!

    Just a quick question, We have our CA on a 2008 DC which we want to decommission and shut down for good. Once we move the Certificate Services over to a new domain member server are we able to then demote the DC and then kill the server for good?

    Just wanted to check demoting and killing the server wouldn’t cause issues with the CA on the new server?

    Post a Reply
    • Yes – providing theres nothing else on it (DHCP, DNS, Terminal Services Licence server etc,)

      Post a Reply
  29. Put me in the same boat as those scrambling to remove 2008R2 servers from their environment. Followed these steps last night. All quiet in the office today. Would add that i was seeing errors in ‘pkiview’ referencing the old CA server, and i needed to publish my revoked certificates and then refresh the pkiview screen and that cleared those.

    im still getting ‘unable to download’ on the delta crl #3 and cdp location #2 where the location is file://NEW_CA_SERVER….. but if i copy the url and browse in explorer its working, so not sure what to do there

    in any case, kudos to PeteLong for actually reading and responding to so many people, after this post has been up all this time. top bloke!

    Post a Reply
  30. I have a Server 2008R2 and CA is running on a DC. I am planning to move CA role for DC to on its own new 2019 Server. Hostname will be different. Do I need to change any registry value if it has a different hostname? or do I need to perform any further steps apart from what is in the article.

    Thanks and very helpful write up.

    Post a Reply
    • Yes you DO need the change the server name in the registry key backup, to the new server name 🙂

      P

      Post a Reply
      • I am having the same idea like Bhav. I have a 2008DC with CA Role installed. I want to take the CA Role out and put it on 2019 Server with different hostname. Could you tell me how to change the server name in the registry backup?

        Post a Reply
        • That information is in the post.

          Post a Reply
  31. Hello pete

    First of all thx for the guide, will help a lot to guys like me that do not usually play with CA’s, are on a small business and have an inherited problem from his predecessor.

    what you would recomend in a case that there is a CA server on a w2008r2 DC with a cert using a deprecated SHA1 hash algorithm?

    first migrate it using your guide to a w2019 and then upgrade the SHA1 cert to a SHA256 or
    First upgrade the SHA1 to SHA256 and then migrate to the new server?

    Just check it with certutil -store my the provider is Microsoft Software Key Storage, so at least i dont have to upgrade from CSP to KSP, which is a little relief.

    Post a Reply
    • Great Question!
      You can do it either way, I personally would sort the SHA1 problem out first, but theres no reason at all not to do it the way round you suggest.

      And thanks for the feedback!

      Post a Reply
  32. Thanks for the great article. My brain is teflon when it comes to retaining CA knowledge. Definitely one of my weaker skillsets.

    I’m not sure this was made clear in the comments posted, so I’ll spell it out just in case.

    Firstly, one of my pet peeves is when people don’t quote R2 when talking about that version of Server 2008. Where I work we have a Windows Server 2008 migration project when the vast majority (if not all) are 2008r2 – drives me crazy.

    Anyway, since I don’t want to assume all comment posters are good techies and referencing their OSes properly in their questions, I want to clarify:

    If you have Windows Server 2008 CAs (not R2) and you want to migrate to 2016 or 2019, you MUST first do a migration to 2012r2

    If you have 2008r2 CAs, you can go straight to 2016 or 2019.

    Post a Reply
    • I’ve updated this post (above) and linked to what will happen if you attempt to upgrade 2008 (non R2) to 2016/2019.

      Pete

      Post a Reply
  33. Hello.

    Can we use this procedure for a subordinate CA?
    Should we start updating root ca first or it does not matter?

    Post a Reply
    • Hi Victor, I would always do the root first, but that’s just my OCD. I cant really think of a good reason not to do it that way, as its a hierarchical system.

      Post a Reply
  34. Pete,

    This was an absolutely great article and made going from a Server 2012R2 DC CA to a 2019 one easy-peasy-lemon-squeezy.

    Thank you for such a well-written article.

    Post a Reply
    • Thanks for the feedback Doug 🙂

      P

      Post a Reply
  35. Awesome post – thanks for that…Just one stupid question (since I followed your post exactly), for peace of mind, what is the best process for verifying the migration was successful?

    It’s noon on a Sunday, all my CA skillset is horrible…Thanks …/Mike

    Post a Reply
    • Request/Issue a certificate is the simplest way to test the system. 🙂

      Post a Reply
  36. I’m about to do this migration but i do have a question. Do i need to export the Certificate Templates from the 2008r2 server and import them into the new 2016 server? I cant find anywhere online if that is needed to be done

    Post a Reply
    • I think I mentioned this above, templates are stored in Active Directory NOT on the CA

      P

      Post a Reply
  37. Thanks you for this article. I am retiring a site hosting a virtual subordinate CA server. I am wondering if cloning the CA server, restoring it to the new VM infrastructure and re-IPing will cause an issue? Or, build a new CA in the new site and following your above process. Thx so much.

    Post a Reply
    • As long as you don’t change the server name, and remember to add the new subnet to ‘AD sites and services’ you should be ok 🙂

      Post a Reply
  38. Hi Pete, this is a great article. Thank u for replying to all guys. I have a question ref migration from CA 2008 r2 to 2016. After we remove the CA role from the 2008 r2 dc and install on 2016. We want to keep the old server as it is a DC for maybe a few weeks after the migration. Is it necessary to power off the server after CA migration or can we simply keep it running without the CA role and act as a backup DC? Appreciated

    Post a Reply
    • No the old server can remain, that’s fine as long as i’ts got a different name of course 🙂

      Post a Reply
  39. Hi

    Thx very much for your wonderful article.
    When moving from 2008r2 to 2012r2/2016/2019 AND with different hostname is it required to reissue the template certificate ?
    I see as per official microsoft doc that is a require step BUT You don’t mention it on your article

    Post a Reply
    • NO templates are stored in AD! (I’ve updated the article to show you where).
      P

      Post a Reply
  40. Like many I have a PDC that is AD CS. I would like it to remain the AD CS and remove AD DS. Is there any reason you can think of that I wouldn’t be able to transfer the FSMO, demote and remove ADDS and leave the CA installed?

    Post a Reply
    • None at all, what you propose wont be a problem 🙂

      Post a Reply
    • I don’t think you can Demote a DC while its a certificate server

      Post a Reply
      • You are correct attempting to demote a DC running CS will result in it stoping, and asking you to remove Certificate Services first.

        P

        Post a Reply
        • Hi, is it supposed that is possibile to demote the OLD DC holding the CS AFTER the migration on the new server (with different hostnames) . In other words: is it safe to remove the cs service from the old server once the new server with the new cs is up and running in production ? Thx

          Post a Reply
          • You cant demote a DC if its a CS Server it will not let you. Migrate CS, when that’s done demote the server.

  41. Hey Pete,

    First off, a big thanks the excellent guide.

    I was just wondering if you also know if I could change the displayed name in the CA management console, just so no confusion arises amongst my coworkers for example.

    Changing the ‘Active’ and ‘Common Name’ REG_SZ keys in the Configuration registry settings as well as the name of the registry folder caused ‘file not found’ errors when trying to restart certsrv.

    Would be awesome if you know a trick for this!

    Post a Reply
    • This is why I name my CA’s differently to the Hostname(s) they are residing on 🙂 ASFAIK (and I’m happy for someone to pitch in and say I’m wrong,) you can’t change a ‘CA Name’ You would need to remove it an create a new CA, which has many other inherent pitfalls in a working domain.

      Post a Reply
  42. Thanks for the excellent article and video Pete. I will use it for our next migration

    Post a Reply
    • Thanks for a great write up. It’s very clear and concise. I also appreciate the time you have taken to answer and answer again all the posted questions. You have more patience than I have.

      Post a Reply
  43. Thank you for the article, great help, i did notice on the server that you were migrating to that Active Directory Services was also selected in the screenshot, is this required? I am migrating the CA from an existing Domain Controller which I am also demoting, i believe that this needs to be done prior to that. With the new server, i just want to confirm if AD services are also required?

    Post a Reply
    • No it’s not, that was done on the test bench and it saved me building two servers.

      Post a Reply
  44. Hi Pete
    As suggested just trying to the backup of certificate server on windows 2008R2 ent. But wizard completes with an error that some of the CA server certs private key is unexportable. I even checked the certs in certificate MMC for computer account and cant even export them from there.

    Error is like windows cannot backup one or more private key because CSP doesnt support key export.

    would you know something about this.

    thx
    shishir

    Post a Reply
  45. Thank you Pete for your detailed articles and they have been a life savor!

    I have recently moved a Windows 2008 R2 CA to a new Server 2019 OS with a new host name. The move went well with one major issue. I am unable to create a SHA-2 CA cert and on SHA-1. This is causing all of our internal sites and other issued certs to issue Weak Cipher warnings and other issues.

    I noticed in the registry the item “CAServerName” has the imported old 2008 R2 OS host name since that was exported and imported into the new 2019 CA. Is it safe to stop the certsvc, update the Reg key “CAServerName” and start the service if this is already issuing certs?

    The CSP Reg key already has a CNGHashAlgorithm of SHA256 and Provider of “Microsoft Strong Cryptographic Provider” data set.

    Post a Reply
    • I’ve covered upgrading CA’s to SHA2/256 elsewhere on the site?

      Post a Reply
      • Hi Pete,

        Is it possible to migrate a subordinate CA before RootCA? I am planning a migration for CA roles from 2003R2 to 2012R2 and wondering if I Can migrate the Subordinate CA server before the RootCA server?

        Post a Reply
        • Technically yes, as long at its SubCA certificate stays in date through the procedure, but I’ve never done it that way.

          Post a Reply
  46. Excellent post and I really admire the way you addressed everyone’s questions:
    I have a question…
    For future management and ease of upgrades, we wanted to separate CA from a 2016 serverA DC, which is also has other roles like (DHCP and DNS), to a newly built 2016 ServerB,
    1. Is it possible to keep both ServerA and ServerB After migration following your post?
    2. If it is a must to rename the source server ServerA, what would be your suggestion/recommendations? s there a clean way to do it?

    Post a Reply
    • 1: Yes
      2: Assuming it’s not doing something important (like Exchange or SQL for example,) then simply rename the server, (and then reboot it, to reregister its DNS entries). Then check your DNS servers do not have any old ‘static entries pointing to the ‘old’ name.

      Post a Reply
  47. Man I am dying here…
    Cannot renew NPS Cert. Because the CA Certificate templates was showing the server I was going to move it to I thought that was probably the problem. So I went ahead and moved it to that machine even though it isn’t where I would like it to reside. It is now on server2 and the templates reflect server2 but I still get the same error when NPS trys to renew. “The requested template is not supported by this CA”. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.
    Man I could use some help. There is so little info on the internet.

    Post a Reply
  48. Figured it out. For some reason the Backup and restore process did not restore all of the Certificates to Issue area of the CA, and since I originally set it up 7 years ago an essential piece of basic CA setup was forgotten. Although the template for NPS radius was in manage certificates, it was not in the main window when clicking on the manage certificates folder for certificates to issue. Now in my defense, this was available in the certificates to issue area of the original CA. Why it didn’t transfer with the backup/restore process i do not know.

    Post a Reply
  49. When moving CA back to 2012 Server that is now NOT a Domain Controller, The ability for the CA to issue an NPS RADIUS Certificate goes away. When you manage certificates you can see the template, but you cannot add it to the Templates this CA can serve. It would appear for a CA to issue NPS Radius Authentication Certificates, the CA must reside on a DC.

    Post a Reply
  50. Hi Pete

    Hope you’re well.

    Can i use this guide to migrate from a 2012 R2 to 2019 standard? The 2012 R2 is also a DC plus DHCP and obviously DNS so i’ll need to migrate all roles to the new 2019 Server

    Thanks

    Post a Reply
    • Yes treat each migration separately, and don’t move the DC role until after certificate services has moved, I’ve covered DHCP migrations, (use the search above) and DNS will move with the DC role.

      Post a Reply
  51. Hi Pete, great article and youtube video, thank you! I think you might laugh and cringe at the same time when you read this question. My boss threw me into the middle of their CA migration project and wanted me to finish it up, problem is they just stood up a brand new Root CA server while leaving the old Root CA still up and running (we dont have any subordinate CAs). They began creating new certificates for just the web servers we host on the new CA. After reading your article and many others I told them to pump the breaks!

    My question is, on a scale from 1 – 10 how screwed are we? What would happen if we continued with the new CA and just turned off the old one? Would all the servers and client PCs auto enroll with the new CA? I just want to understand the implications of the direction we took. Thank you in advance.

    Post a Reply
    • 🙂 Theres no reason I can think of that you are ‘screwed’, essentially as long as your clients trust BOTH old and new root CA servers and the CRLS stay online then nothing will break?

      Post a Reply
      • GREAT news to hear! As of right now all clients trust both CAs. So if we turn off the old CA and all the servers check in with GP, will they all auto-enroll with a new certificate from the new CA? No moving of the old database and reg key required?

        Post a Reply
        • Yes, just make sure if theres a CRL stamped on certificates issued by the OLD CA Server, you will need to maintain that until all the certs issued from that CA server have expired, or are no longer needed.

          Post a Reply
  52. Thanks for sharing the steps to move CA, I need to move the CA root server from 2003 to 2019 OS and we have a CA subordinate which is on Active directory server, can follow the same steps for 2003?

    Could you help me to upgrade the hash algorithm as well from SHA1 to SHA2.

    Post a Reply
    • Wow 2003? Back then I wasn’t that deep into this stuff, I’d need to build it all in VMware and test it, Sorry I just dont have the time to work that out for you.

      Post a Reply
  53. Hi there,

    Many thanks for sharing your knowledge.

    I am in a process of migrating our cert role from Server 2008 32bit, upgrade to 2008R2, then migrate the role to server 2016, but it seems that the architecture is not compatible.

    Do you happen to know a way i could follow for this migration, please?

    Regards
    Tedy

    Post a Reply
    • Ah OK – If you are 2008 x32 you need to migrate to 2008 x64, then migrate to 2008R2 (Google “Active Directory Certificate Services Migration Guide”)

      Post a Reply
  54. Thank you for the guide, like many others Im on the same boat working on upgrading RootCA with two SubCA and another RootCA their all in 2008 R2 and your guide is a great help in this endeavor. I have been reading a lot of guides and really I would like to side with caution and try upgrading them in stages from 2008 R2 to 2012 R2 then 2019 and instead of migrating/moving them to a new server or upgrading them one time to 2019. I dont think its an issue whichever route we take in place upgrade vs backup and restore to a new server but wanted to get your thoughts on it.

    Also our DC is currently running on 2012 R2 would it be an issue if CAs are ahead?

    Post a Reply
    • Hi Jonathan,
      Indeed, you are only as good as you last backup! Your DC wont be a problem, and wont trip you up.
      If you super cautious P2V (or V2V) the boxes and, sandbox the upgrade to test it first.

      As you are at 2008R2 then theres no ‘gotchas’ as you are running on a newer DB, and wont be x32 bit.
      Good Luck
      P

      Post a Reply
  55. Successfully migrated ADCS, CA and CAWE from 2012 (DC) to 2019.

    Thank you very much

    Post a Reply
  56. First of all, thank you for the article, very useful.

    I have a different requirement, however: the environment I manage has a root CA (not-domain joined server) and a dependent subordinate CA, not autoenrolling. I need to get rid of both, as we have a new enterprise-wide offline root CA and in this particular environment I want to replace the existing subordinate CA with another having different root CA, different name (and different server name). The number of certificates issued by the old sub CA is quite low, indeed all of them need to be gradually ceased as well as the hosts requesting them (we are in a migration phase).

    Can the new sub CA, depending on a different root CA (a new PKI, indeed), coexist with the dying PKI until all the old stuff is made obsolete? Or would the AD get messed by that?

    Thank you very much.

    Post a Reply
    • Yes of course, you can run the new alongside the old until such time as all certificates have expired to been revoked.

      Post a Reply
  57. Thank you very much for this Pete,

    I re-read the article and comments here and had most of my questions answered. I do have a question however regarding moving the CA off of a domain controller that we plan on keeping around. Is it possible to keep the domain controller with the same name moving forward after migrating the CA services off of it over to its own member server?

    Thanks again.

    Post a Reply
  58. Hi Pete,

    We’re planning to migrate our CA from 2008 R2 Ent server to 2019 DC. Just a couple of points, as I haven’t done so in a relatively large/complex environment.
    We also have NDESinstalled. Also SCEP service for Macs. Are there any consideration to be taken around this?
    Also, what would be the rollback scenario of this (backup/restore to new server) scenario if things do not go at planned?
    Thanks for your advise in advance.

    Post a Reply
    • Awesome question – NDES can be a pain, especially if you are using it for anything Cisco related? If you are only using it for macOS then just check that it will support the cyphers in the new environment, macOS can be a bit picky (or more secure depending on your view). Id p2V the DC/CA Servers and sandbox them and give it a thorough testing before going live.
      Good Luck

      Post a Reply
  59. Hi, Peter.
    Thank you for the great article!

    The CA I’m planning to move to other server is using HSM. So the Private Key is being kept on HSM and I will be able to export the key to the new server from HSM.

    Do I still need to check the ‘Private key and CA certificate’ check-box when creating the old CA backup?
    Thank you.

    Post a Reply
    • I’ve not done the with an HSM – but I dont see why not?

      Post a Reply
  60. Hi Pete, great guide thank you! I have just followed to the letter and I cannot seem to create new templates, nor can I see the ones visible. This is in a lab environment which I tested moving from DC to its own dedicated server. Equally, the web enrolment references the old server which I cannot seem to change…I am not sure this migrates in the typical sense.

    Post a Reply
    • Templates actually live in AD not on the CA server! If you migrated and can’t see them, the templates have not moved!

      Post a Reply
      • Thanks for such a prompt response. I can see the certificates on the DC via ADSI edit. When trying to Manage the templates I get an error “Windows could not create the object identifier list. The specific domain either does not exist or could not be contacted. Certificate templates are not available.”

        Any other nuggets of help would be highly appreciated.

        Post a Reply
        • And the new server is a domain member, and in the correct AD groups, and has the correct DNS settings, and you are logged in as an admin?

          Post a Reply
  61. Hi Pete, echo everyone else’s thanks for a clear, concise article/video and for taking time to answer follow-up questions.

    I recently moved a domain off an old SBS 2011 server to 2012R2 Standard. I followed your steps to migrate the CA and it all went swimmingly… or so it seemed, until I realized that all of the existing certificates now have invalid CDP paths. This was of course after removing the CA role from SBS (in addition to every other role), removing it from the domain and powering it off for good.

    I wish I had seen and followed your recommendations on setting up an http path way back when, but was (and still am) quite ignorant and just used the SBS default configuration, which only included an ldap URL for the CDP.

    I’m wondering if I have any options other than reissuing all of the existing certificates. I tried setting a CNAME in DNS to point the name of the old server to the new one, but this didn’t appear to make any difference–perhaps that’s only works for http CDP paths?

    Is there any way to redirect the ldap path to the new server? Or am I stuck with having to reissue the existing certificates?

    Here’s what the CRL Distribution Points field looks like now on all the existing certificates:

    [1]CRL Distribution Point
    Distribution Point Name:
    Full Name:
    URL=ldap:///CN=mydomain-SBSServer-CA,CN=SBSServer,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint (ldap:///CN=mydomain-SBSServer-CA,CN=SBSServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomain,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint)

    Seems the problem is the CN=SBSServer part.

    Many thanks.

    Post a Reply
    • http CDPs you can just setup a new one with the old URL. LDAP ones will only be a problem if the web CDP does not work, I’m pretty sure it does not need to check all of them?

      Post a Reply
  62. This is hte second time I have used this post to move my CA. 6 Months ago to a temp server, now to a new server. This time however the server is 2019 and it broke my NPS. I added a new host after moving the CA and it got a certificate. The NPS worked for 36 hours but fails now because the CRL is not found. Even the new host, with the certificate issued by the new server is failing. Not much info out there on how to fix this. ANYBODY???

    Post a Reply
  63. Hi Pete, great post!
    I’ve adopted a network that has a CA on a 2012 dc. While doing the backup, I got the message that one or more private keys could not be backed up because the keys cannot be exported. It turns out they are the CA’s main 2 certificates also mentioned in CACertHash in the registry. I can’t seem to export them with their private keys. I am not aware of any passwords for them, as the previous admin was not big on documenting. Can I still restore the CA with the information that was able to be exported, or would it come down to creating a new CA?
    Thanks man!

    Post a Reply
    • It it were mine I’d build a new PKI infrastructure, take a note of the last issued cert expiry date of the old one. Then kill the old one and remove it from AD at a sensible date.
      (Stop and disable the services on the old one to stop it issuing new certs!)

      Post a Reply
  64. 3 Windows CA servers – needs to consolidate into one
    —————————————————-
    Currently, we have 3 CA servers (two Windows 2012 servers one of which is also DC and one Windows 2016). We would like to export all active certificates from two Windows 2012 servers and then remove CA services from those two servers. We just want to have one CA server – Windows 2016. Right now, all three servers are issuing certificates. When we have new computer setup, any one of these CA servers issue the license.

    On first Windows 2012 CA server (also DC), it has about 1300 certificates with 900 already expired (so about 400 active).
    On the second Windows 2012 CA server, it has about 800 certificates and half of them are already expired.
    On 3rd Windows 2016 CA server that we would like to keep, it has about 900 certificates with 450 already expired. What is the best way to handle this situation? Any recommendation would be greatly appreciated.

    Post a Reply
    • I’ve never ‘consolidated’ CA’s I’d migrate one and let the others expire.

      Post a Reply
  65. Hi There Pete,

    Firstly, thanks for the article and all the helpful reponses in the comments.

    Just one question about a computer name change – what about the dNSHostName value stored in AD?
    AD sites and services > Public key services > Enrollment Services > CA name > Properties > Attribute editor tab.

    This is the dns name clients will go to, to enrol their certs right? So i imagine this would need updating?

    Or does this get updated when the service is reinstalled and the registry restored?

    Cheers

    Post a Reply
    • ASFAIK thats the CA name, though it might look the same as the servers DNS name it’s not?

      Post a Reply
  66. I used this once before when we had a DC fail on us. This weekend I will be doing the same again moving DC’s to another site using your guide.

    Just to say thank you for putting this straight forward guide together it saves a lot of headaches.

    Post a Reply
    • Thanks for the feedback Christopher

      Post a Reply
  67. Another great guide for real world use. It made the migration process quick and painless. I am a consultant and use your articles quite a bit for project work. Thanks for all of the time and dedication that you devote to sharing knowledge with others. Its very much appreciated.

    Post a Reply
  68. Worked fine for migrating from 2003 to 2012R2
    in that case, the cert format has p10 ext.

    Thank you very much!

    Post a Reply
  69. Very clear tutorial!

    I’m doing like Itzik, migrating from 2003 to a temp 2012r2 then finally reach a 2019. But this SBS2003 have not been maintained for years, It’s not possible to export the certs because the the ca service is not running since in the SBS since the certificates are expired, the backup is a must? Or its possible to install the CA in the 2012r2 and configure it from the scratch?

    Post a Reply
  70. This was a fantastic article…and the YouTube video that accompanied it was really helpful as well. In my adventure to cutover my CA from 2008R2 to 2019, I found a couple of things and would be curious as to if my observations are accurate.

    1. The old CA had an expired certificate still associated with the Certificate Authority (#0) with the current certificate in spot #1. The backup didn’t include the private key with it (it was expired, why would it?). When I imported the registry, the certificate services wouldn’t start. I had to go into the registry and replace CACertHash value and replace the expired certificate #0 thumbprint with a dash ‘-‘ on the first line, with the certificate #1 hash remaining on the second line. Then the certificate services would start up.

    2. I was unable to get OCSP going because all my templates in Active Directory (other than what was built-in), were unable to be published. I had to go into ADSIEdit and change the Services>Public Key Services>Enrollment Services>-ca name- flags value to 10 (it was set by default on the new server to 2), replicate AD, and then restart certificate services for the templates to be issued by the new CA. I guess it’s a known bug since 2008 that occasionally pops up.

    Post a Reply
    • Thanks for the feedback! Glad we could help you out.

      Post a Reply
  71. Hi Pete,
    No doubt best article on migrating a CA out there. I have 2012 DC CA server. I’m seeing errors on the server and want to move the CA to a member server and remove the old DC server. I have NPS install on another DC server. Do you see any issues with moving the CA to a member server and breaking NPS?

    Post a Reply
    • If the NPS is just doing RADIUS/EAP/EAP-TLS then no.

      P

      Post a Reply
  72. After completing this I could not issue any of my custom certificates.
    Turns out I had to change the flag below using ASDIEDIT from 2 to 10.

    ADSI\Configuration\Services\Public Key Services\Enrollment Services\right sub CA name->Properties->flags.

    Post a Reply
    • That not tripped me up before? But thanks for the heads up Linda.

      Post a Reply
  73. One more note that may help someone in the future:
    Scenario  – Migrate CA server from 2012 R2 to 2019 Server; moved NPS from 2012 Server to 2019 Server. Everything seemed to be working, but when clients when to connect, NPS was rejecting them with error “”Error The revocation function was unable to check revocation”. Everything looked operational. Solution: On the CA, open PowerShell and run Certutil -crl then went into C:WindowsSystem32CertSrvCertEnroll and copy the new CRL certificates from this folder to a location on the NPS server. On NPS server, open MMC, add Certificates, Local Computer snap-in, and import these certificates into Trusted Root Certificate Authorities. Restarted NPS; clients could now connect fine.

    Post a Reply
  74. Hi Pete

    Great write-up, but I have experienced issues. I just tried this in production. Everything seems to work okay until I import my registry key from my old (2008 R2) CA. As soon as I do, Certificate Services stops and when I try to restart it, I get an error:

    The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)

    The policy module for a CA is missing or incorrectly registered. To view or change policy module settings, right-click on the CA, click Properties, and then click the Policy Module tab.

    Any ideas what in my Registry Key could be causing this issue??

    Post a Reply
  75. HI Pete,

    Thanks for this. Once you move over how do the machines in the forest about the new certificate server? Do we have to use a GPO to point them to the new server? I must addmit when it comes to PKI stuff I am completely at sea and I would like to understand a little bit more as to how the new server is known by the rest of the members of the AD domain. Thanks.

    Post a Reply
    • If your in a domain environment they will pick it up automatically.

      Post a Reply
  76. Thank you for the comprehensive write up, greatly appreciated.
    I’ve followed the documentation, but it seems the custom templates I created aren’t showing up after the migration. I read in some of the previous comments that some time is needed for the templates, but it’s been a couple of days. Any advice as to how I can fix this?
    This all in a lab environment, but would be great to know just in case this were to happen in production.

    Post a Reply
    • The templates exist in AD rather than on the CA server? Can you manually add them?

      Post a Reply
  77. Great article, thanks for the walkthrough.

    Now, I read it through in a rush and missed the part about exporting the registry file before removing the old CA role.

    I’ve been into the reg on the new server and changed the CAServerName by hand while the service was off, is this going to break anything?

    Post a Reply
    • I’ve never had to do that myself – but I ‘think’ you will be OK.

      Post a Reply
  78. Hey Pete, hope you’re well..
    I had an issue with my CA server, where even a DC at the same network range cannot renew its certificates and returns a stupid RPC error. no Network or Firewall issue.
    I’ve migrated the CA to a new server, so maybe things start to work again, but the results are the same..
    It’s an inherited environment, and the CA were moved from a 2k8 server to 2k12R2 before. not sure if all the CA feature-roles were migrated or not.
    symptoms are just like this:
    https://social.technet.microsoft.com/Forums/windows/en-US/67492ab1-fa7d-48fd-9d88-e46b1fca61cc/certificate-enrollment-for-local-system-failed-to-enroll-the-rpc-server-is-unavailable-0x800706ba?forum=winserversecurity
    except problem is not Policy! that is mentioned there..
    I hope you can give me some advise on this

    Post a Reply
    • I’m experiencing the same issue. I’ve been at this all day. Any ideas from anyone else?

      Post a Reply
  79. Thanks for the guide, very useful, thank you!

    I’ve had a slightly weird issue on this, would love to know your thoughts! I set the permissions as per your article on setting up a CRL (https://www.petenetlive.com/KB/Article/0000957), but was still getting access denied when publishing my CRL.

    I discovered that under the ntauthority\system account I could write to C:\CRDL, but not the share \\machinename\CDP$ (Access denied).

    What worked, in the end, was adding the SYSTEM object to the share permissions, this then worked even if I removed the machine object domain\machinename from the share permissions. Ie. my permissions are ‘Everyone : Read’ and ‘SYSTEM : Full control/Change/Read’

    Is this something you’ve come across before?

    My previous AD CS (on WS2016) was a domain controller, configured exactly as in your guide on CRL setup, so not sure if that has any bearing on things? Do those computer accounts behave differently, perhaps?

    Current machine is a fresh built 2019 server, domain joined and with the roles as described above.

    All working, but slightly nervous whenever I don’t know *why* something is working!

    Post a Reply
    • Hi Daniel,
      I’ve not seen this but it will help someone, thanks for the feedback!
      P

      Post a Reply
  80. Hi Pete,

    Thank you very much for detail guide.

    I have one root CA server (Windows 2012) and one issuing Sub CA (intermediate CA) server (Windows 2012). I am going to migrate them to one root CA (Windows 2019) and two issuing Sub intermediate CA servers (Windows 2019). Two issuing Sub CA servers are not in Windows cluster. They are in different data centers for redundancy purpose. They are in one AD tree.

    I do not want to decommission existing issuing Sub CA before testing new issuing CA servers.

    Below are what I want to do:

    1. Export issuing Sub CA from existing server (Windows 2012)

    2. Add two new Sub CAs servers (2019) in the AD tree

    3. Import backup Sub CA cert from step 1 to two new Sub CA servers. There will be three Sub CA servers with same Sub CA cert in the AD.

    4. Test new Sub CAs in NDES server to see if the existing issued device certs are working and new cert can be created.

    5. After successful tests, change NDES to use two new Sub CAs servers and decommission the old one (Windows 2012).

    Do you see any issue with above procedures?

    Will Step 2 and 3 cause any issues to existing Sub CA (Windows 2012) since they have same Sub CA cert?

    Thanks in advance!

    Hong

    Post a Reply
    • You approach seems sensible, just be careful with the NDES – who are your NDES clients? Some Cisco equipment requires old signing algorithms and it’s ‘problematical’ to troubleshoot, why it does not work. I’d work through that on the test bench to make sure a modern CA will give you the NDES/SCEP service your clients require before migrating over.

      Post a Reply
  81. I would like to migrate the certificate from 2008R2 to 2016. Do I face any issue if the new server has the new name. In that case, how clients machine will understand the new certificate since the client machines are configured with OLD cA server name. Please assist.

    Post a Reply
    • Server names are not important, it’s the CA name that’s important that should not change – the CA name might look like the old server name, but if there’s two people called Bob Smith they are not the same person. If we shoot the second Bob Smith the first Bob smith does not die, and his mail still gets to him.

      Post a Reply
  82. We are testing this in the lab. Getting this error when we attempt to publish the Revoked Certificate. “Access is denied 0x800700005 (Win32: 5 ERROR_ACCESS_DENIED).” We added the computer name to the share and ntfs permissions with full control. Any thoughts?

    Post a Reply
  83. Great article. But what do you do when you want to migrate from a sub domain into root of the forest?
    I migrated succesfully but when accessing the web portal I get a certificate mismatch. In the certificate, under “issuer” the sub domain is listed under “DC”. Any new certs issued also include this in the path.

    Post a Reply
  84. Has anyone tried this moving the CA from 2008r2 to 2022standard with a new name?

    Post a Reply
  85. Awesome write-up, thanks Pete. Wanted to grab your brains if I can. In my environment the vendor originally installed 1 offline Root CA and 1 sub-CA (domain member) both running 2012R2.
    Then after some time another Enterprise PKI server 2012R2 was installed. All 2012R2 servers need to be upgraded to 2019. I am planning to follow your recommendations to migrate the Root CA first and then sub-CA and also get rid of enterprise CA server as it just complicates setup. What is your advise on removing enterprise server and steps? Do you see any impact?
    Thanks, Ed

    Post a Reply
    • I’d simply decomission it and leave all mention of it in AD, just in case it;s issued anything important!

      P

      Post a Reply
  86. PeteLong. I have created 2 new DC’s for my buisness. Microsoft 2019 for both. Upgrading from 2012 R2. All has gone fine. I have the roll’s running properly on both new DC’s and they are working just fine. My last step is to cross over my AD CS. What I didnt bother to look at was what DC ran the CS. Well come to find out both of my 2012 DC’s (DC01 (old one) and DC02 (Old one) are running the CS roll’s. I have certs on both old DC’s. I want to put CS roll on my new DC2 (2019) and move my certs to it. What problem I have before I pull the trigger is. I can use your instructions listed above to move the CS roll form (old) DC02 onto (2019) DC2. and I believe I can do this without problems. But how do I get just the certs from (old) DC01 off, and onto DC2 so I can shut down both CS services on the old DC’s? Any help on this would be much appreciated. Thank you so much.

    Post a Reply
    • OK so the question is “what’s left nn DC01” and do you need to keep it? If it’s an enterprise CA your clients will be getting it’s root CA from AD and will continue to trust certs issued from it (for the life of its RootCA cert anyway). So what you actually losing is the ability to ‘revoke’ certs that DC01 issued.

      Post a Reply
      • So what your saying is I should be able to just shut down DC01? Leaving everything as is? and just work at crossing over DC02?

        Post a Reply
        • As long as there’s no CRL paths pointing to it. (look on the issued certs to check)

          Post a Reply
  87. Great article Pete! Many thanks for that!

    What’s the reason you wrote to remove CA role service first and after that the ADCS role itself?
    “REMOVE all the CA role services first! > Complete the Wizard, then launch the wizard again and select ‘Active Directory Certificate Services’ > At the pop-up select ‘Remove Features’ > Next.”

    Post a Reply
    • Yeah – not sure why I wrote ‘first!’ – I’ve removed that.

      P

      Post a Reply
  88. Awesome article Pete!

    We’re planning to follow the above guide to migrate the current CS role from server A to B, our CS role is primarily for 802.1x authentication for wireless clients. Can you foresee any issue with the proposed CS migration to Server B which will eventually become the PDC with NPS installed?

    Server A: 2012 R2 (PDC) with DHCP, NPS, DNS, Print and others
    Server B: 2022 (DC) With DNS, Print, Files Shares and NPS roles installed

    Post a Reply
    • Not really – unless NDES is in the mix?

      Post a Reply
  89. After the migration to a new server, is there any issue in keeping the old server running?

    Post a Reply
  90. hi,
    I am planning to do a snapshot then do an inplace upgrade from 2012R2 to 2019. anyone tried that ? would there be any problem doing it? if things go wrong would i be able to restore the snapshot.
    R

    Post a Reply
    • Hi Ahmed,

      Great question! I’ve not done that myself although I did an article o 2012R2 > 2019 in place upgrades the other day. I’d be really interested to see how that goes. Please feed back.

      Post a Reply
      • Hi Pete,
        i just finished upgrading the server and all looks good/green with no issues at all. Tested joining a computer to the domain and testing requesting a certificate from a template.
        1- took a snapshot
        2- uninstalled the graphics driver (windows 2019 doesnt like vmware graphic driver for 2012R2)
        3- uninstalled microsoft antivirus (the old one)
        4- took a backup of the certificate database and the registry files
        5- took a backup of the firewall rules (i upgraded many 2012R2 and some lost their filewall rules so took a habbit orf backing up the rules just in case.
        6- mounted the 2019 ISO and ran the setup. after one hour everything was running fine.

        R
        Ahmed

        Post a Reply
        • Awesome, thanks for the feedback!

          Pete

          Post a Reply
  91. Hi Pete, thanks for the great article,

    I do have a situation, where I migrated a SUBCA from an Active Directory Subdomain to a root AD domain, changing dns hostname and keeping the CA Name.
    When issuing certificates to servers from the newly migrated subca, the Certificates contain in the Issuer Field the old cn of the the subca, like cn=subcaname, DC=sub,DC=dom,DC=pki.
    Regards Sidney

    Post a Reply
    • Remember the CA name should not change, so that’s normal behaviour.

      Post a Reply
  92. Hi Pete, thanks for the great article,

    I do have a situation, where I migrated a SUBCA from an Active Directory Subdomain to a root AD domain, changing dns hostname and keeping the CA Name.
    When issuing certificates to servers from the newly migrated subca, the Certificates contain in the Issuer Field the old cn of the the subca, like cn=subcaname, DC=sub,DC=dom,DC=pki.
    Regards Sven

    Post a Reply
  93. Thank you and Thank you – I am migrating 2003 CA server to 2012 R2 server (I know, ugh) and you have answered so many of the questions my boss will be asking me. I feel so much more confident after reading your article and these questions/responses. You ROCK!

    Post a Reply
  94. Hi Pete,

    I’m a PKI rookie who is working for a client that want their Root CA and Enterprise CA migrated to Server 2022. I was wondering if this guide would be suitable to follow for both CA servers?

    Another question I had, is it required for me to uninstall the ADCS role on the old servers BEFORE I install ADCS role on the new servers? Reason I ask this is because this is a production environment and me being a rookie in the certificate world, would be in a world of trouble if something breaks after the uninstallation of all the CA role services on the old servers.

    Thanks a ton! I really appreciate all the help and knowledge you’ve shared with the community!

    Post a Reply
    • Yes it would be suitable as long as the source is newer than 2008
      Yes you DO need to uninstall the role off the old server first.

      Post a Reply
      • Thanks so much Pete,

        I’m migrating one NPS server as well from 2012 to 2022. Would there be any special considerations to keep in mind after I migrate the CA servers? The guides online are seemingly very straightforward for an NPS server, exporting and importing the NPS configs but I was wondering if there is anything else I should look out for? (certificates that are already issued should still work)

        Post a Reply
        • Good question – NPS on its own should not present a problem, if the exisitng certs were a problem they can be simply renewed

          Post a Reply
          • I am doing the same as Austin but our current CA and NPS roles are on the same 2012R2 server. Is it advisable to separate these roles onto two separate servers or is it okay to stay with the same setup and just migrate both to a new server?

          • Your choice – I see no danger or merit in doing either?

  95. Hey Pete, loved the detailed guide. Used it for migrating my standalone CA from Server 2012 R2 to Server 2022. One thing I faced an issue was the New CA custom templates not appearing to be issued. Easy fix. Just need to make sure on the new CA Server that you add Domain and Enterprise Admins to the Local Group “Certificate Service DCOM Access”. Once I did that, any new templates I made worked like a charm. Guessing it is a good step to include, as it is easily missed and takes a while to figure out.

    Post a Reply
  96. briliant! made it to migrate my CA; the destination server was a core server so we end up the restore process with the certutil command as the gui cant be used in that case, thanks!!!

    Post a Reply
  97. this was one of the most detailed guides I have seen in my years as an IT googler of solutions.
    the steps were clear and the screenshots very helpful. now to wait and see if something is broken

    Post a Reply
  98. Hi Pete, I have a 2012 R2 Enterprise root CA in a sub domain. We’re decommissioning this sub domain in the near future.
    I would like to move this CA into the parent domain. Using a sandbox for testing, during the import of the CA, I get an error “The imported cert does not match the chosen CA type”. I’ve tried all types.
    The first time I tested this it appeared to be succesfull but, received an error of mismatch cert, also the issuer and subject both point back to the path dc=sub domain, dc=rootdomain.
    If succeful import – what happens when the sub domain is decommissioned?
    If failure of import – can I just rebuild a new CA server and what are the steps to rebuild?

    Thank you so much in advance.

    Post a Reply
    • I’ve never attempted this – I’d suggest you simply build a new CA on the root domain (https://www.petenetlive.com/KB/Article/0001309) and before you blow away the existing CA, get your root domain to trust its CA cert so if there’s any overlap at least the issued certificates wont error (assuming there plenty of life left in the CA cert of course).

      Post a Reply
  99. Couple questions.

    Have you heard of any issues with migrating from 2012R2 to 2022? Seen plenty of guides to 2019, but I just want to know if there has been success with going to 2022.

    Second, after the migration, the hostname will be different. Can we just add another DNS alias to the new server’s IP to make sure there are no problems with certificates referencing the CDP? I ask because ideally we would want to decommission the old CA after the migration is done. Would hate to keep an old 2012 server just for the CDP. Reissuing all of the certificates after migration would not be possible in our environment considering how many thousands are out there in use. Some are auto-enrolled through AD and others are manual requests.

    Post a Reply
    • 1. I have seen no issues – anything after 2008 is pretty much the same all the way up to 2022
      2. Yes you can ad an A host record or even a CNAME to cover the naming difference – REMEMBER check you CDP entries they are not always URL related – you might have one that’s points to a service record in AD – just look at an issued certs properties to make sure.

      Post a Reply
      • So we just have the two CDPs on our certificates. I would imaging just updating DNS for the new hostname to add the old hostname as an alias should work. Would we need to update something in AD as well?

        Our URI is a separate web enrollment server that should be unaffected other than having to update the WebClientCAMachine value on the web enrollment server to point to the new CA hostname.

        ldap:///CN=CAname,CN=oldserverhostname,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
        URI: http://location.subdomain.domain.com/CertEnroll/CAName.crl

        Post a Reply
  100. Good morning,

    Great article!!, it has helped me a lot.

    One question, is it possible to have two root CAs on a Windows server?

    Thanks greetings.

    Post a Reply
    • Not that I’m aware of, why would you want to do that?

      Post a Reply
  101. Hi, you didnt mention anything about the root ca or sub ca in your guide.
    Is there any steps you have to take on the root ca, to confirm the new sub ca is allowed to issue certs?
    Thanks

    Post a Reply
    • Hi Bob the root CA is a CA, SubCAs get thier auth from the CA above them, move the root CA first then any sub ordinate CA afterwards.

      Post a Reply
      • Thanks Pete.
        Our root CA is on server 2019, our sub CA is 2012. That is the reason for the question. The root is staying put.

        Post a Reply
        • Understood – so the CA Cert for the SubCA will have bene ussined by the RootCA, – so you need to migrate the SubCA – (which is essentially moving the CA name and the SubCA cert to a new servers – (which can be called whatever you want)).

          Post a Reply
          • Ok thanks. Do we not need to change anything on the Root CA though?
            E.g. is there not a trust relationship between the Root CA and Sub CA and will we not need to update the Root CA to have a new trust with the new Sub CA?

          • No as long at the RootCa is the next cert in the subCA certificate chain

  102. If we have a 2 Tier PKI setup , one offline ROOT CA ( Windows server 2012) & online CA ( Windows server 2012). Does it matter if I upgrade the online CA server first?

    Kind regards,

    Johnny

    Post a Reply
    • In all honesty – I dont think so, as long as you retain the SubCA cert on the online CA and the SubCA name remains the same name. I’ve not done this in anger though, I usually start at the root and work downwards.

      Post a Reply
  103. Awesome article, thanks for writing it.
    I was wondering if AD replication needs to be taken into consideration when removing the role from the old server and then installing/restoring on the new server?
    We have remote sites on a longer AD replication time, so should we manually start a replication after removing the old server role? Or does this not matter?

    Post a Reply
    • Valid point – but the tmeplates are stored intenrally in AD anyway and the internal LDAP referneces dont change – I would guess it does not matter (but that is a guess!)

      Post a Reply
  104. Thanks Pete.

    Worked like a charm from 2012R2 to 2019.

    Post a Reply
  105. Pete,

    Have you ever since this message before?

    “The imported certificate does not match the chosen ca type and will not be used. however, the imported key can still be used.”

    I was following your steps for migrating the CA from Server 2012R2 to Server 2022. I am selecting the correct CA type, which is enterprise and root. But for some reason this message just keeps popping up and can’t continue the process unless I fix that first.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *