Moving Certificate Services To Another Server

KB ID 0001473


If you are retiring a CA Server, or there’s a problem with the server and you want to move Microsoft Certificate Services to another server, the procedure is pretty straightforward.

BE AWARE: We are moving the CA Server, NOT the server name/FQDN. The two things are NOT the same (you might have called them the same thing!), but a Certificate Authority has a name of its own, and that’s what we are going to move.

So the new server doesn’t have to have the same name? No, it can if you really want, but that’s an added layer of complication I can’t see the point of.

Here I’m moving from Server 2016 to Server 2016, but the process is pretty much identical all the way back to Server 2003.

Update Jun 2019: Used the same procedure today, to move from Server 2012R2 to Server 2019.


On the ‘Source‘ server, open the Certificate Services management console > Right click the CA NAME > All Tasks > Back up CA.

Transfer CA to Another Server

The backup wizard will open, Next > Tick BOTH options > Select a Backup Location > Next > Set a password (you will need this to set the new CA up!) > Next > Finish.

Backup CA Settings Wizard

Now we need to take a backup of the Registry key that holds the information for this CA server. Run ‘regedit’ > Navigate to;

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > CertSvc > Configuration > {CA-NAME}

Export a copy of this key, (save it in the same folder that you backed up to earlier).

Export CA Settings Windows 2016

Now we need to uninstall CA Services from this server. Server Manager > Manage > Remove Roles and Services > Next.

Remove Roles Server 2016

REMOVE all the CA role services first! > Complete the wizard, then launch the wizard again and select ‘Active Directory Certificate Services’ > At the pop-up select ‘Remove Features’ > Next.

Remove CA Roles Windows 2016

Next > Next > Next > Close.

Transfer Certificate Services to Server 2016

Setup Certificate Services on the Target/New Server

Server Manager > Add Roles and Features > Next.

Install Role or Feature 2016

Next > Select ‘Active Directory Certificate Services’ > Add Features > Next.

Install CA Role 2016

For now let’s just stick with the Certification Authority > Add the other role services later* > Next.

*Note: I’ve written about all these role services before; just use the search function (above) if you are unsure what they all do.

Install Certificate Services Role 2016

Next > Close.

Setup Certificate Services

Warning > Configure Active Directory Certificate Services > Next.

Restore Certificate Services

Next > Enterprise CA (Unless it’s an offline non domain joined CA) > Root CA (unless it’s a subordinate CA!) > Next.

Configure 2016 Certificate Services

> Select ‘Use existing private key‘ > Select ‘Select a Certificate and use its associated private key‘ > Next > Import > Browse > In your backup folder locate the certificate (it will have a .p7b extension.) > Enter the password > OK > Select the Cert > Next.

Restore Certificate Services Different Server

Next > Next > Configure > Close.

Migrate Certificate Services Different Server

Stop Certificate Services;

net stop certsvc

Stop Certificate Services

If your new server has a different hostname/FQDN, open the registry file you exported above with Notepad, then locate and change the CAServerName entry to the name of the NEW server.

Change CA Server Name

Right click the registry backup > Merge > Yes > OK.

Import CA Settings to Registry

Launch the Certificate Services management console > Right Click the CA NAME > All Tasks > Restore CA.

Restore Windows CA

The restore wizard will start > Next > Browse to the folder with your backup in > Next > Enter the password you used (above) > Next > Finish.

2016 Restore Windows CA Wizard

You will be prompted to start the Certificate Services service > Yes.

Restart Restored Windows CA
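
The backup, registry edit, merge and restore steps above can also be run from an elevated PowerShell prompt. This is an added example, not part of the original article; the backup folder, .reg file name, CA name and server name are hypothetical placeholders, and it assumes the CA role on the new server has already been installed and configured with the existing key as described.

```powershell
# Added example, not from the original article. Run elevated.
# Assumed names (hypothetical): backup folder, .reg file name and CA name.
$BackupDir = 'C:\CABackup'
$CAName    = 'Example-Issuing-CA'
$RegFile   = Join-Path $BackupDir 'CertSvc-Configuration.reg'
$CAKey     = "SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"

function Backup-SourceCA {
    param([securestring]$Password)
    # Same as the Back up CA wizard with both options ticked
    Backup-CARoleService -Path $BackupDir -Password $Password
    # Same as exporting the {CA-NAME} key from regedit
    reg export "HKLM\$CAKey" $RegFile /y
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed' }
}

function Set-RegFileCAServerName {
    param([string]$Path, [string]$NewName)
    # .reg exports are UTF-16LE, so read and write them as Unicode
    $text = Get-Content -Path $Path -Raw -Encoding Unicode
    $line = '"CAServerName"="{0}"' -f $NewName
    if ($text -notmatch '(?m)^"CAServerName"=') { throw 'CAServerName not found in export' }
    $text = $text -replace '(?m)^"CAServerName"="[^"]*"', $line
    Set-Content -Path $Path -Value $text -Encoding Unicode -NoNewline
}

function Restore-TargetCA {
    param([securestring]$Password, [string]$NewServerName)
    # Run only after the CA role is installed and configured with the existing key
    Stop-Service -Name certsvc
    Set-RegFileCAServerName -Path $RegFile -NewName $NewServerName
    reg import $RegFile
    if ($LASTEXITCODE -ne 0) { throw 'Registry import failed' }
    Restore-CARoleService -Path $BackupDir -Password $Password -Force
    Start-Service -Name certsvc
    # Confirm the merged value took effect and the CA answers
    $actual = (Get-ItemProperty -Path "HKLM:\$CAKey").CAServerName
    if ($actual -ne $NewServerName) { throw "CAServerName is '$actual'" }
    certutil -ping
}

# Source server:  Backup-SourceCA  -Password (Read-Host 'Backup password' -AsSecureString)
# Target server:  Restore-TargetCA -Password (Read-Host 'Backup password' -AsSecureString) -NewServerName 'newca.example.local'
```

The backup folder holds the CA's private key protected only by the backup password, so restrict access to it during the move and remove the copies from both servers once the new CA is confirmed working.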



Author: PeteLong



  1. Thank you for submitting the new hostname CA server Fix.

  2. Nice and clear walkthrough

    I used this to perform a move for the CA service on a pair of 2012 R2 servers.

    No issues were experienced beyond ensuring *NOT* to select the “database” sub-directory when performing the final restore, use the parent directory.

    Thanks for taking the time to write and present this so well.


    • No problem Stu, thanks for the feedback.

  3. Thanks for the nice and concise write-up. I’ll be using it to migrate a 2008R2 CA to a 2016 server. Quick question, do I need to back up and restore the cert templates too?


  4. Any downtime for this? Considering doing this during the day.

    • Only for the PKI service while you swap over 🙂 Users probably won’t even notice.

  5. Worked on 2019 as well

  6. Can you install the new CA role but not restore the services prior to doing the swap? Would speed up the process not fully removing old and then installing new etc.

  7. Excellent! I would have never figured that out, especially the registry modification.
    Moved a 2012R2 over to 2019 Server, no issues.

