Moving Certificate Services To Another Server

KB ID 0001473

Problem

If you are retiring a CA server, or there’s a problem with the server and you want to move Microsoft Certificate Services to another server, the procedure is pretty straightforward.

BE AWARE: We are moving the CA’s name, NOT the server name (hostname/FQDN). The two things are NOT the same, (you might have called them the same thing!) A Certification Authority has a name of its own (its common name, shown in the Certification Authority console and in the CertSvc registry key below), and that is what we are going to move.

So the new server doesn’t have to have the same hostname? No. It can if you really want, but that’s an added layer of complication I can’t see the point of.

In the video below, I’m migrating from Server 2008 R2 to Server 2019, and I’m also moving CRLs and OCSP responders. In the screenshots below I’m moving from Server 2016 to Server 2016, but the process is pretty much identical all the way back to Server 2003.

Solution

On the ‘Source‘ server, open the Certification Authority management console (certsrv.msc) > Right click the CA NAME > All Tasks > Back up CA.

Transfer CA to Another Server

The backup wizard will open, Next > Tick BOTH options (‘Private key and CA certificate’ and ‘Certificate database and certificate database log’) > Select a backup location > Next > Set a password (you will need this to set the new CA up!) > Next > Finish. The backup folder now holds the CA’s private key (in a .p12 file named after the CA, protected only by that password) and a DataBase subfolder; treat it as sensitive, copy it to the new server over a trusted channel, and delete it once the migration is verified.

Backup CA Settings Wizard

Now we need to take a backup of the registry key that holds the configuration for this CA. Run ‘regedit’ > Navigate to;

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > CertSvc > Configuration > {CA-NAME}

Export a copy of this key, (save it in the same folder that you backed up to earlier). Besides the CA’s settings, this key holds the CAServerName value (the name of the server the CA currently lives on) and the database paths (DBDirectory, DBLogDirectory, etc.), both of which you may need to edit before importing it on the new server.

Export CA Settings Windows 2016

Now we need to uninstall CA Services from this server. Do this BEFORE installing the role on the new server: an Enterprise CA (or a domain-joined Standalone CA) stores configuration data in Active Directory under its common name, and removing the role deletes that data. If you remove it after the new CA with the same name is already up, you delete the new CA’s AD data as well. (The database, private key and certificate stay on the old server’s disk, so the role can be reinstalled there if you need to roll back.) Server Manager > Manage > Remove Roles and Features > Next.

Remove Roles Server 2016

REMOVE all the other AD CS role services first (Web Enrollment, Online Responder, etc.)! > Complete the wizard, then launch the wizard again and untick ‘Active Directory Certificate Services’ > At the pop-up select ‘Remove Features’ > Next.

Remove CA Roles Windows 2016

Next > Next > Next > Close.
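The source-side steps above (backup, registry export, role removal), as one PowerShell script. This is an added example, not the article’s own code; it assumes a backup folder of C:\CABackup (a hypothetical path) on the old server, the ADCSAdministration and ADCSDeployment modules (Windows Server 2012 and later; on 2008 R2 stick to the console steps above), and that the CA’s name is read from the registry’s Active value rather than typed in.

```powershell
# Added example (not from the original article): source-server side of the
# move as one script. Run in an elevated PowerShell on the OLD CA server.
# Assumes: backup folder C:\CABackup (hypothetical path) with room for the
# CA database, and the ADCSAdministration / ADCSDeployment modules
# (Windows Server 2012 and later).
$BackupPath = 'C:\CABackup'
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# The CA's own name (its common name, NOT the hostname) is recorded in the
# 'Active' value of the CertSvc configuration key.
$CfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName = (Get-ItemProperty -Path $CfgKey -Name Active).Active
Write-Host "Backing up CA '$CaName' hosted on $env:COMPUTERNAME"

# 1. Back up private key + CA certificate AND the database + logs, i.e. both
#    boxes in the wizard. The password is asked for again on the new server.
$Password = Read-Host -Prompt 'Backup password' -AsSecureString
Backup-CARoleService -Path $BackupPath -Password $Password -Force

# 2. Export the CA's registry key next to the backup (same as regedit > Export).
$RegFile = Join-Path $BackupPath "$CaName.reg"
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName" $RegFile /y | Out-Null

# 3. Keep a record of the CDP/AIA URLs; if the hostname changes they will
#    still name the old server and must be reviewed after the move.
certutil -getreg 'CA\CRLPublicationURLs'    | Out-File (Join-Path $BackupPath 'CRLPublicationURLs.txt')
certutil -getreg 'CA\CACertPublicationURLs' | Out-File (Join-Path $BackupPath 'CACertPublicationURLs.txt')

# 4. Refuse to go further unless the key file, the database folder and the
#    registry export all exist.
$P12 = Get-ChildItem -Path $BackupPath -Filter '*.p12'
if (-not $P12 -or -not (Test-Path (Join-Path $BackupPath 'DataBase')) -or -not (Test-Path $RegFile)) {
    throw "Backup in $BackupPath is incomplete; NOT removing the CA role."
}
Write-Host "Backup complete: $($P12.Name) holds the CA private key; protect this folder."

# 5. Remove the CA role. Remove any other AD CS role services first, e.g.
#    Uninstall-AdcsWebEnrollment -Force / Uninstall-AdcsOnlineResponder -Force.
#    This deletes the CA's objects from AD, which is why it must happen before
#    the role is installed on the new server. Key, certificate and database
#    stay on this disk, so the role can be reinstalled here to roll back.
Uninstall-AdcsCertificationAuthority -Force
Uninstall-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
```

The check in step 4 is the point of scripting this: nothing is removed from the old server until the .p12 (the CA’s private key), the DataBase folder and the .reg export are all present in the backup folder.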

Transfer Certificate Services to Server 2016

Set up Certificate Services on the Target/New Server

Server Manager > Add Roles and Features > Next.

Install Role or Feature 2016

Next > Select ‘Active Directory Certificate Services’ > Add Features > Next.

Install CA Role 2016

For now let’s just select the Certification Authority role service > Add the other role services later* > Next.

*Note: I’ve written about all these role services before, just use the search function (above) if you are unsure what they all do.

Install Certificate Services Role 2016

Next > Close.

Setup Certificate Services

Click the warning flag in Server Manager > Configure Active Directory Certificate Services on the destination server > Next.

Restore Certificate Services

Next > Enterprise CA (unless it’s an offline, non-domain-joined CA, which is a Standalone CA) > Root CA (unless it’s a subordinate CA!) > Next.

Configure 2016 Certificate Services

> Select ‘Use existing private key‘ > Select ‘Select a certificate and use its associated private key‘ > Next > Import > Browse > In your backup folder locate the certificate and key file (the PKCS#12 file the backup wizard created, named after the CA, with a .p12 extension) > Enter the backup password > OK > Select the cert > Next. Using the existing key is what keeps the CA’s identity: the CA certificate, and therefore trust in every certificate it has already issued, is unchanged.

Restore Certificate Services Different Server

Next > Next > Configure > Close.

Migrate Certificate Services Different Server

Stop Certificate Services;

net stop certsvc

Stop Certificate Services

If your new server has a different hostname/FQDN, open the registry file you exported above with Notepad, locate the CAServerName entry and change it to the name of the NEW server (keep the same form as the old value, i.e. FQDN for FQDN). While you are in the file, check that the DBDirectory, DBLogDirectory and the other DB*Directory values point at paths that exist on the new server, and correct them if the drive layout differs.

Change CA Server Name

Right click the registry backup > Merge > Yes > OK.

Import CA Settings to Registry

Launch the Certificate Services management console > Right Click the CA NAME > All Tasks > Restore CA.

Restore Windows CA

The restore wizard will start > Next > Tick both options > Browse to the folder containing your backup (the parent folder, not its DataBase subfolder) > Next > Enter the password you used (above) > Next > Finish.

2016 Restore Windows CA Wizard

You will be prompted to start the Certificate Services service > Yes.
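The destination-side steps above (install, configure with the existing key, registry edit and merge, database restore), as one PowerShell script followed by the checks to run afterwards. This is an added example, not the article’s own code; it assumes the backup folder was copied to C:\CABackup (a hypothetical path), an Enterprise Root CA, and an account with Enterprise Admin rights. The CDP/AIA listing at the end is the check a practitioner wants when the hostname has changed, because none of the steps above rewrites those URLs.

```powershell
# Added example (not from the original article): destination-server side of
# the move as one script. Run in an elevated PowerShell on the NEW, domain-
# joined server, as an Enterprise Admin (needed to publish an Enterprise CA
# in AD). Assumes the backup folder was copied to C:\CABackup (hypothetical
# path) and that this is an Enterprise Root CA; change $CaType otherwise.
$BackupPath = 'C:\CABackup'
$CaType     = 'EnterpriseRootCA'   # EnterpriseSubordinateCA, StandaloneRootCA, ...

$RegFile  = Get-ChildItem -Path $BackupPath -Filter '*.reg' | Select-Object -First 1
$P12      = Get-ChildItem -Path $BackupPath -Filter '*.p12' | Select-Object -First 1
$CaName   = [IO.Path]::GetFileNameWithoutExtension($RegFile.Name)
$Password = Read-Host -Prompt 'Backup password' -AsSecureString

# 1. Install only the Certification Authority role service for now.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# 2. Configure it with the EXISTING certificate and private key from the
#    backup, so the CA keeps its name and key and everything it has issued
#    stays trusted. (Equivalent of 'Use existing private key' in the wizard.)
Install-AdcsCertificationAuthority -CAType $CaType -CertFile $P12.FullName `
    -CertFilePassword $Password -Force

# 3. Stop the service before touching its registry configuration.
Stop-Service -Name certsvc

# 4. Point CAServerName at this host (same form as the old value, normally the
#    FQDN), then merge the key. Other values such as DBDirectory/DBLogDirectory
#    must name paths that exist on this server; check them before importing.
$NewName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$Reg   = Get-Content -Path $RegFile.FullName -Raw
$Reg   = $Reg -replace '(?m)^("CAServerName"=)"[^"]*"', ('${1}"' + $NewName + '"')
$Fixed = Join-Path $BackupPath "$CaName.fixed.reg"
Set-Content -Path $Fixed -Value $Reg -Encoding Unicode   # reg export writes UTF-16
reg import $Fixed

# 5. Restore the database from the PARENT backup folder (not DataBase\).
Restore-CARoleService -Path $BackupPath -Password $Password -Force
Start-Service -Name certsvc

# 6. Verify: the CA answers, still carries its old name, and can publish a
#    CRL. CDP/AIA URLs that embed the OLD hostname show up here and need to
#    be recreated on the new server or kept reachable (e.g. via a DNS alias).
certutil -ping
certutil -cainfo name
Get-CACrlDistributionPoint       | Format-Table Uri, PublishToServer, AddToCertificateCdp -AutoSize
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia, AddToCertificateOcsp -AutoSize
certutil -crl
```

If the hostname changed and the listed CDP/AIA URLs still reference the old server, either recreate them with the same paths on the new server or keep the old name resolving (a DNS alias to the new IP) until the CRLs already embedded in issued certificates have been superseded; clients validating those certificates will look for the CRL where the certificate says it is, not where the CA now lives.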

Restart Restored Windows CA

Related Articles, References, Credits, or External Links

NA

Author: PeteLong


33 Comments

  1. Thank you for submitting the new hostname CA server Fix.

  2. Nice and clear walkthrough

    I used this to perform a move for the CA service on a pair of 2012 R2 servers.

    No issues were experienced beyond ensuring *NOT* to select the “database” sub-directory when performing the final restore, use the parent directory.

    Thanks for taking the time to write and present this so well.

    Stu

    • No problem Stu, thanks for the feedback.

  3. Thanks for the nice and concise write-up. I’ll be using it to migrate a 2008R2 CA to a 2016 server. Quick question, do I need to back up and restore the cert templates too?

    -George

  4. Any downtime for this? Considering doing this during the day.

    • Only for the PKI service while you swap over 🙂 Users probably won’t even notice.

  5. Worked on 2019 as well

  6. Can you install the new CA role but not restore the services prior to doing the swap? Would speed up the process not fully removing old and then installing new etc.

    • It is not possible because:
      It is important to remove the CA role service from the source server after completing backup procedures and before installing the CA role service on the destination server. Enterprise CAs and standalone CAs that are domain members store in Active Directory Domain Services (AD DS) configuration data that is associated with the common name of the CA. Removing the CA role service also removes the CA’s configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by the destination CA and interferes with its operation. The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server restores the source CA if migration fails and performing a rollback is required. See Restoring AD CS to the source server in the event of migration failure.

      • I’ve seen a couple different takes on this…

        One states that the removal of the CA roles on the one server is absolutely necessary prior to adding and configuring them on the replacement server.

        Another states that one can simply force the one server offline (e.g. disable the NIC) so it’s not available when the replacement server comes online.

        You clearly take the first position, and it makes sense. It’s a bit nerve-wracking, even with the rollback options, but it makes sense.

        Question: If the replacement server has a different hostname, and the certificates show the original server’s hostname as part of their CRL Distribution Point, will the steps in this article account for those, or will I need to take additional steps such as creating a CAPolicy.inf file?

        Alternatively, I’ve considered just making a separate DNS entry for the old hostname pointing at the new IP.

  7. Excellent ! I would have never figured that out, especially the registry modification.
    Move a 2012R2 over to 2019 Server not issues.

  8. Some articles say to change the name of the new CA Server to match the old CA server after you decommission the old CA server… so this is NOT necessary right? The only thing is the new server name will not match the CA name right? Oh and you would not need to modify CAServername registry entry….

    • I don’t (usually) and I’ve never had a problem?

      P

  9. Thanks for the article, good work!

    What about the AIA and CDP distribution points, and the CRL urls? Do you need to do anything to those to change them etc?

    • That is a great point! If you are retaining the server name, things like AIA will probably be the same, but CRL and OCSP may well need to be manually recreated (with the same paths, or changed to the new server name).

  10. Thanks the article is very straight forward. My question as I prepare to move my CA to a new server is how do the clients find the CA?

    If the CA was one name or on one server how do they find it when I move to a new server with a different name?

    Thanks,
    Dave

    • They will find it in Active Directory 🙂

      • So it will replicate the changes with AD?

        I only ask because its a huge move considering if things don’t work my users wont be able to login.

        And thanks so much for taking the time to answer me.

        • Even if you are doing 802.1x authentication the root CA cert will be the same, all previously issued certs will remain trusted. 🙂

  11. Awesome, thank you so much

  12. Is it safe to assume same steps would work migrating from 2008 R2 to 2016 Server?
    I already have prepped 2016 server that is domain joined.
    Would you also recommend making it a domain controller since my 2008 CA is also a domain controller
    with schema master role assigned? I was planning on moving that role ahead of time, but should I still make it a domain controller ?
    Thank You

    • Yes in fact I’ve done it in anger 🙂

      • PeteLong when you say Yes to Luke, which question are you saying Yes to? I was thinking of taking this opportunity to move my CA off of my 2012 DC and moving it to a member server. Everything I see says to keep it off of a CA so that is why I’m looking at it.

        I was thinking I could bring up a new DC2019 and then demote the DC2012 (that has the CA on it). Now it’s just a member server. I could then install a new MemberServer 2019 and move the CA from the 2012 server to it.

        What are your thoughts on this process?

        • I mean the upgrade/migration process will work.
          I don’t recommend making it a domain controller, (unless you have no choice).
          Treat migrating domain controllers and migrating CA’s as a separate thing!

  13. I have something similar to this but I wanted to see if someone can comment on this: I have a CA server on an old 2008 R2 enterprise domain controller which I want to retire. I also have two additional ones, one is 2012 R2 and the other one is 2016. All roles are managed by the 2012 DC.
    Is it advisable to just install CA services on both 2012 and 2016 DCs and retire the 2008 DC, or do I need to migrate the DB from the 2008 into one of the other two domain controllers?

    Any feedback would be greatly appreciated. thanks, Wil

    • Migrate the Root CA, then simply remove the CA roles from the SubCA servers and create some new ones, take a backup of them before you kill them in case you need to retain the intermediate CA certificates for any reason (i.e. 802.1x, or NDES, or appliances you manually put certificates on).

      P

  14. What an excellent article. I’ll be using this as a guide to migrate a 2012 R2 CA to 2016 this week.

    One quick (I hope) question: We’ll be changing the hostname and IP address of our CA. Is it strictly necessary to remove the CA roles from the original CA prior to installing those roles on the new CA? Or, can the original CA be shut down pending successful migration?

    • Well no, it’s not strictly necessary, but the CA can only exist in one place, the server name and the CA name are NOT the same, as soon as the CA is imported and online on the new server it CANNOT be online on the old one 🙂

      P

      • Perfect. Thanks again! Sounds like the best way to ensure some fallback plan (or management peace-of-mind, anyway) is to disable the NIC on the server hosting the old CA so, even powered on, it can’t talk to others. Out-of-Band-Management is obviously key to being able to do this.

        Then, once we’ve got green light on the new CA on the new server, we can remove the roles from the old server.
