How to Upgrade/Move your Enterprise Certification Authority (CA) from 2008 R2 to 2012 R2 - Part 1

Posted by Ahmed Nabil | 9 comments
In this series we will go through the main steps to migrate our Enterprise Subordinate Certification Authority (CA) from a Windows Server 2008 R2 server to a Windows Server 2012 R2 server (a side-by-side move to a new machine). In Part 1 I will cover the main requirements and the preparation done on the source server (the CA on 2008 R2).

Key things to note:

  1. If you want the new CA server to have the same computer name as the old one, you must decommission the old server and remove it from the domain before building the new server. In our case I will keep the old server (with the Certificate Services service stopped and disabled) and give the new server a new name, so we can revert at any time. The CA name itself (the common name in the CA certificate) stays the same; only the host name changes, so any CDP/AIA URLs that embed the old host name must stay reachable or be updated on the new server.
  2. While the CA is being migrated and set up on the new server, no certificates or CRLs can be issued, so it is preferable to do this after hours. Plan to publish a CRL whose validity period covers the expected downtime; otherwise clients will start failing revocation checks as soon as the current CRL expires.
  3. The user running the migration should be a member of the Enterprise Admins or Domain Admins group, and a local Administrator on both servers.

Source Server (2008 R2) Preparation

  1. Publish a new CRL so that the migration window is covered. Open the Certification Authority console - right-click Revoked Certificates - All Tasks - Publish.
  2. Take a backup of the current source CA (the 2008 R2 server): right-click the CA name - All Tasks - Back Up CA. Make sure to tick both check boxes (Private key and CA certificate; Certificate database and certificate database log). Store the backup in a dedicated empty folder; it will be copied to the destination server later.
  3. After choosing a password and finishing the wizard, check the backup folder (in our case C:\CA_Backup). It should contain a CAname.p12 file and a DataBase folder.
  4. Next, back up the CA configuration from the registry as a second checkpoint/line of defense (hopefully it won't be needed). In regedit, navigate to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, right-click the Configuration key, choose Export, and save the .reg file in the same backup folder. Some values in this export (database paths, publication URLs) reference the old server, so review them before anything is imported on the new server.
  5. If a custom CApolicy.inf is used, copy it from C:\Windows (the default location) to the backup folder created earlier.
  6. The final step on the source CA server is to stop the Active Directory Certificate Services service (CertSvc) and set its startup type to Disabled, so that nobody starts it by mistake (remember we are keeping the source server for some time, until everything is running on the new server).
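The six source-server steps above, scripted as one elevated PowerShell session on the 2008 R2 CA. This is an added example, not a script from the original post: it assumes the backup folder C:\CA_Backup used in the post and the default CertEnroll path for the CRL file, and it uses certutil.exe (which ships with the CA role) in place of the console wizard. The optional CRL-period extension goes beyond the post's steps and is this example's addition; the post simply publishes a new CRL.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on the source 2008 R2 CA, before the server is touched any further.
# Assumptions: backup folder C:\CA_Backup (as in the post), default CertEnroll path.

$BackupDir = 'C:\CA_Backup'

# 0. Sanity check for "Key things to note" #3: Enterprise Admins or Domain Admins.
$groups = (whoami /groups) -join "`n"
if ($groups -notmatch 'Enterprise Admins|Domain Admins') {
    throw 'Run this as a member of Enterprise Admins or Domain Admins.'
}

# 1. Publish a fresh CRL that covers the migration window.
#    Optional (this example's addition, not in the post): widen the base CRL
#    validity first. A CRLPeriod change only takes effect after a service restart.
$ExtendCrl = $false
if ($ExtendCrl) {
    certutil -setreg CA\CRLPeriodUnits 2 | Out-Null
    certutil -setreg CA\CRLPeriod "Weeks" | Out-Null
    Restart-Service CertSvc
}
certutil -CRL
if ($LASTEXITCODE -ne 0) { throw "CRL publication failed (certutil exit code $LASTEXITCODE)." }
# Confirm the file-based CDP copy was just rewritten (LastWriteTime should be 'now').
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
    Select-Object Name, LastWriteTime

# 2./3. Back up private key, CA certificate and database: the equivalent of the
#       "Back Up CA" wizard with both boxes ticked. The service must still be running.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
if (Get-ChildItem $BackupDir) { throw "$BackupDir is not empty; use a dedicated empty folder." }
$pw = Read-Host -Prompt 'Password to protect the exported CA private key (.p12)'
certutil -p $pw -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit code $LASTEXITCODE)." }

# Verify the same artefacts the wizard leaves behind: <CAName>.p12 and a DataBase folder.
$p12 = Get-ChildItem $BackupDir -Filter '*.p12'
if (-not $p12 -or -not (Test-Path "$BackupDir\DataBase")) {
    throw 'Backup is incomplete: expected a .p12 file and a DataBase folder.'
}

# 4. Export the CA configuration from the registry as a second line of defense.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc_Configuration.reg" /y

# 5. Copy CApolicy.inf if a custom policy file is in use.
if (Test-Path "$env:SystemRoot\CApolicy.inf") {
    Copy-Item "$env:SystemRoot\CApolicy.inf" $BackupDir
}

# 6. Stop the CA service and disable it so it cannot be started by mistake.
Stop-Service CertSvc
Set-Service CertSvc -StartupType Disabled
# Get-Service on PowerShell 2.0 (2008 R2) has no StartType property, so read it via WMI.
Get-WmiObject Win32_Service -Filter "Name='CertSvc'" | Select-Object State, StartMode
```

Keep the backup folder off the source server's own disk as soon as it is verified (it contains the CA's private key, protected only by the chosen password), and remember that certutil -backup must run while CertSvc is still running, which is why the service is stopped last.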

This concludes Part 1 of this series. In Part 2 we will install the CA role on the new 2012 R2 server and restore the backup taken from the old 2008 R2 server. Hopefully this has been helpful; see you in the next part.

Scott Haner Says:

Good Afternoon, did you ever publish a Part 2 to this article? Part 1 is very well written.

Michael Nguyen Says:

Yes, this is the perfect scenario I am currently working on so I would be interested in next steps. Please let us know when the next parts of the article will be available

Bert Suk Says:

When will the Part 2 be published?
Part 1 was very good!

Ahmed Nabil Says:

Part 2 will be coming within a few days.

Grumling Says:

Looking forward to part 2. Will do this soon, but will go from Windows 2003 to 2012 R2.

Clayton Says:

few days huh? :)

Michael Rodriguez Says:

Was there ever a Part 2 posted?

Jeremy Poletto Says:

Would love to see Part 2. Link?

Scott Haner Says:

From my end, everything I've researched since for our Enterprise environment, the "best" solution that seems to work well, is to plan an In-Place upgrade of your CA Server to Server 2012 R2. Obviously harder for Grumling above coming from Server 2003.

I've continued to research since commenting here, and any method I've seen that "kind of" works to migrate CA to a server of a different name involves some heavy ADSI Edit, and leaves some potential for an unreliable Root CA/PKI, which you probably don't want in a Production environment, and definitely not supported by Microsoft.

For now, it sounds like the best route is either In-Place upgrade of your root CA, or you build a "new" Root CA, and progressively re-issue new Certs, which can be a huge task. Our plan in our large environment is to do an In-Place upgrade of our Root CA from 2008 R2 to 2012 R2. If it works, I'll do a quick write-up on
