This post is to demonstrate the process to migrate Microsoft Certificate Authority Service (Enterprise Root CA) to Windows Server 2022.
Environment
- Source: Windows Server 2016 Standard with Certificate Authority roles installed
- Destination: Windows Server 2022 Standard
- Reason for the migration: Server refreshment
- Migration context: the source and destination server names are different, for example oldCA.ictfella.com to newCA.ictfella.com. However, the CA service name remains the same.
Backup/Export the Config and Private Key
Open the Certificate Authority management console, expand “Certification Authority (Local)”, right-click the CA service name and choose “All Tasks – Back up CA” to start the Backup Wizard, then click Next
![](https://ictfella.com/wp-content/uploads/2022/02/certsrv-back-up-ca.png)
![Certificate-authority-backup-wizard-welcome](https://ictfella.com/wp-content/uploads/2022/02/certificate-authority-backup-wizard-welcome.png)
Tick the boxes to select the items to back up, then browse to the backup location as shown below
![Certificate-authority-backup-wizard-items-to-back-up](https://ictfella.com/wp-content/uploads/2022/02/certificate-authority-backup-wizard-items-to-back-up.png)
Provide a password for the private key, then complete the wizard
![Certificate-authority-backup-wizard-select-a-password](https://ictfella.com/wp-content/uploads/2022/02/certificate-authority-backup-wizard-select-a-password.png)
![](https://ictfella.com/wp-content/uploads/2022/02/certificate-authority-backup-wizard-completing.png)
Back up the CA registry key
Type “regedit” in Search and run it as Administrator
![](https://ictfella.com/wp-content/uploads/2022/02/certificate-server-cmd-regedit-run-ass-administrator.png)
Navigate to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration”, right-click the CA service name key and select “Export”
![](https://ictfella.com/wp-content/uploads/2022/02/certificate-server-registry-export-path.png)
Browse to a path and give the file a name; in my example it sits alongside the CA backup files in “C:\temp”
![](https://ictfella.com/wp-content/uploads/2022/02/certificate-server-registry-backup-file-name.png)
![](https://ictfella.com/wp-content/uploads/2022/02/certificate-server-backup-registry.png)
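The two backup steps above (the Backup Wizard and the regedit export) can be scripted on the source server. The following is an added example, not code from the original post; it assumes an elevated PowerShell on the old CA, uses C:\temp as the post does, and the .reg and .txt file names are my own choices. It also records the CRL/AIA publication URLs and the published template list, which are the two things a migration to a new host name most often breaks.

```powershell
# Added example, not the post's own code: scripts the Backup Wizard and the
# regedit export described above, to run in an elevated PowerShell on the
# source (old) CA. C:\temp is the folder the post uses; the .reg and .txt
# file names are my own choices.
Import-Module ADCSAdministration

$BackupDir = 'C:\temp'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# The CA service name is stored as the "Active" value of the Configuration key.
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName    = (Get-ItemProperty $ConfigKey).Active
$CaKey     = Join-Path $ConfigKey $CaName

# This password protects the exported private key; the destination server
# needs it again at the "Use existing private key" and "Restore CA" steps.
$KeyPassword = Read-Host -Prompt 'Private key password' -AsSecureString

# Same as the wizard with both items ticked: writes "<CA name>.p12" (CA
# certificate + private key) and a DataBase folder (certificate DB and logs).
Backup-CARoleService -Path $BackupDir -Password $KeyPassword -Force

# Same as right-click > Export on the CA service name key in regedit.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName" (Join-Path $BackupDir "$CaName.reg") /y

# Note the values that mention the old host. Every issued certificate embeds
# the CRL/AIA URLs below, so a hard-coded "oldCA" there would break
# revocation checking for all clients once the old server is gone.
Get-ItemProperty $CaKey |
    Select-Object CAServerName, CRLPublicationURLs, CACertPublicationURLs |
    Format-List | Out-File (Join-Path $BackupDir 'ca-publication-settings.txt')

# Published templates live in Active Directory, not in the backup set; keep a
# list so the new server can be checked against it after the restore.
Get-CATemplate | Select-Object Name, Oid | Out-File (Join-Path $BackupDir 'ca-templates.txt')

Get-ChildItem $BackupDir -Recurse | Select-Object FullName, Length
```

Copy the whole of C:\temp to the destination server before continuing; the .p12 is the only copy of the private key once the role is removed from the old server, so keep it somewhere access-controlled.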
Uninstall the AD Certificate Service on the Source (old) CA server
Go to “Server Manager – Manage – Remove Roles and Features” and start the wizard
![](https://ictfella.com/wp-content/uploads/2022/02/server-manager-remove-roles-and-features-wizard.png)
![remove-roles-and-features-wizard-before-you-begin](https://ictfella.com/wp-content/uploads/2022/02/remove-roles-and-features-wizard-before-you-begin.png)
Select your old server and remove the “Certification Authority”
![](https://ictfella.com/wp-content/uploads/2022/02/remove-roles-and-features-wizard-server-selection.png)
![remove-roles-and-features-wizard-server-roles](https://ictfella.com/wp-content/uploads/2022/02/remove-roles-and-features-wizard-server-roles.png)
Also remove the “Remote Server Administration Tools” in the pop-up window, then click Next to complete the removal process
![](https://ictfella.com/wp-content/uploads/2022/02/remove-roles-and-features-wizard-features.png)
![](https://ictfella.com/wp-content/uploads/2022/02/remove-roles-and-features-wizard-confirmation.png)
![](https://ictfella.com/wp-content/uploads/2022/02/remove-roles-and-features-wizard-results.png)
Install Certificate Services on the Destination Server
Go to “Server Manager – Add Roles and Features” to start the installation wizard
![](https://ictfella.com/wp-content/uploads/2022/02/image-16-1024x424.png)
![active-directory-certificate-services-before-you-begin-detination](https://ictfella.com/wp-content/uploads/2022/02/active-directory-certificate-services-before-you-begin-detination.png)
Select your destination server, then select Role-based or feature-based installation
![](https://ictfella.com/wp-content/uploads/2022/02/active-directory-certificate-services-installation-type-destination.png)
![](https://ictfella.com/wp-content/uploads/2022/02/active-directory-certificate-services-select-destination-server.png)
Select “Active Directory Certificate Services”, include the management tools when prompted, and click Next on the Features page
![active-directory-certificate-services-server-roles](https://ictfella.com/wp-content/uploads/2022/02/active-directory-certificate-services-server-roles.png)
![](https://ictfella.com/wp-content/uploads/2022/02/active-directory-certificate-services-features.png)
Select the “Certification Authority” role service
![](https://ictfella.com/wp-content/uploads/2022/02/active-directory-certificate-services-introduction.png)
![](https://ictfella.com/wp-content/uploads/2022/02/certificate-authority-select-roles-services.png)
Confirm the installation selections and complete the process; you can then select “Configure Active Directory Certificate Services”
![add-roles-and-features-wizard-confirmation](https://ictfella.com/wp-content/uploads/2022/02/add-roles-and-features-wizard-confirmation.png)
![configure-active-directory-certificate-services-on](https://ictfella.com/wp-content/uploads/2022/02/configure-active-directory-certificate-services-on.png)
Use your Domain Admin credentials, and make sure “Certification Authority” is selected
![](https://ictfella.com/wp-content/uploads/2022/02/ad-cs-configuration-role-services-credentials.png)
![](https://ictfella.com/wp-content/uploads/2022/02/ad-cs-configuration-role-services.png)
Specify Enterprise CA and Root CA, matching the configuration on the source server
![](https://ictfella.com/wp-content/uploads/2022/02/ad-cs-configuration-setup-type.png)
![](https://ictfella.com/wp-content/uploads/2022/02/ad-cs-configuration-specify-ca-type.png)
Select “Use existing private key” and “Select a certificate and use its associated private key”, browse to where you keep your backup and enter the private key password (this assumes you have already copied the backup files and the registry export to the new server)
![](https://ictfella.com/wp-content/uploads/2022/02/image-31.png)
![](https://ictfella.com/wp-content/uploads/2022/02/ad-cs-configuration-import-existing-certificate.png)
You will see the existing certificate listed; click Next, then configure the database locations (we will just use the defaults)
![](https://ictfella.com/wp-content/uploads/2022/02/ad-cs-configuration-existing-certificate.png)
![ad-cs-configuration-database-locations](https://ictfella.com/wp-content/uploads/2022/02/ad-cs-configuration-database-locations.png)
Click “Configure” on the confirmation page and let it finish
![](https://ictfella.com/wp-content/uploads/2022/02/ad-cs-configuration-confirmation.png)
![](https://ictfella.com/wp-content/uploads/2022/02/ad-cs-configuration-succeeded.png)
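The role installation and the AD CS configuration wizard above have an unattended equivalent. This is an added example, not the post's own code: it assumes an elevated PowerShell on the destination server and that the backup folder was already copied to C:\temp (the post's location). The check at the end confirms the new CA actually holds the private key for the certificate it registered, which is the point of the “Use existing private key” step.

```powershell
# Added example, not the post's own code: the unattended equivalent of the
# Add Roles and AD CS Configuration wizards above, for an elevated PowerShell
# on the destination server. Assumes the backup folder from the old server
# was already copied to C:\temp (the post's location).
$BackupDir = 'C:\temp'

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# The backup wrote exactly one "<CA name>.p12"; that is the "existing
# certificate" the wizard asks for.
$P12 = Get-ChildItem -Path $BackupDir -Filter '*.p12' | Select-Object -First 1
if (-not $P12) { throw "No .p12 found in $BackupDir; copy the CA backup first" }
$KeyPassword = Read-Host -Prompt 'Private key password' -AsSecureString

# Enterprise Root CA, reusing the existing certificate and key; database
# locations are left at their defaults, as in the post.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CertFile $P12.FullName `
    -CertFilePassword $KeyPassword `
    -Credential (Get-Credential -Message 'Domain Admin credentials') `
    -Force

# Check: the CA must now hold the private key for the certificate it
# registered (CACertHash lists the thumbprints of the CA's certificates).
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName    = (Get-ItemProperty $ConfigKey).Active
$Hashes    = (Get-ItemProperty (Join-Path $ConfigKey $CaName)).CACertHash -replace ' ', ''
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -in $Hashes } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

HasPrivateKey must be True for the listed certificate; if it is not, the .p12 import did not bind the key and the CA will fail to sign anything once started.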
Import the Registry key
Stop the Certificate Service from an elevated CMD with “net stop certsvc”
![](https://ictfella.com/wp-content/uploads/2022/02/certification-authority-net-stop-certsvc.png)
Open the exported registry file in a text editor, search for “CAServerName” and change the value to the new server name, such as “newCA.ictfella.com”
![](https://ictfella.com/wp-content/uploads/2022/02/certification-authority-registry-caservername.png)
Then right-click the registry file, select Merge, and complete the import
![certification-authority-registry-merge](https://ictfella.com/wp-content/uploads/2022/02/certification-authority-registry-merge.png)
![](https://ictfella.com/wp-content/uploads/2022/02/certification-authority-registry-editor-want-to-continue.png)
![](https://ictfella.com/wp-content/uploads/2022/02/certification-authority-registry-editor-added.png)
Import the CA Configuration/Database
On the new CA server, right-click the CA Service Name and select “Restore CA” to start the wizard
![](https://ictfella.com/wp-content/uploads/2022/02/certification-authority-restore-ca.png)
![](https://ictfella.com/wp-content/uploads/2022/02/certification-authority-restore-wizard-welcome.png)
Select the items you want to restore and enter your private key password
![](https://ictfella.com/wp-content/uploads/2022/02/certification-authority-restore-select-items.png)
![](https://ictfella.com/wp-content/uploads/2022/02/certification-authority-restore-provide-private-key.png)
Complete the Certification Authority Restore Wizard
![](https://ictfella.com/wp-content/uploads/2022/02/certification-authority-restore-completing-wizard.png)
![](https://ictfella.com/wp-content/uploads/2022/02/certification-authority-restore-operation-is-complete.png)
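The registry import and the CA restore above are two consecutive steps on the new server, so here they are as one script. This is an added example, not the post's own code: it assumes an elevated PowerShell on the new CA, that the backup set and the .reg export are in C:\temp (the post's location), that the export is named “<CA name>.reg” (my assumption), and that the host names are the post's examples (oldCA.ictfella.com / newCA.ictfella.com). It refuses to merge the file if the old CAServerName line is not found, and verifies the merged value before restoring the database.

```powershell
# Added example, not the post's own code: scripts the "Import the Registry
# key" and "Import the CA Configuration/Database" steps above, for an
# elevated PowerShell on the new CA. Assumes the backup set and the .reg
# export are in C:\temp (the post's location), that the export is named
# "<CA name>.reg" (my assumption), and that the host names are the post's
# examples (oldCA.ictfella.com / newCA.ictfella.com).
Import-Module ADCSAdministration

$BackupDir = 'C:\temp'
$OldHost   = 'oldCA.ictfella.com'
$NewHost   = 'newCA.ictfella.com'

$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName    = (Get-ItemProperty $ConfigKey).Active
$CaKey     = Join-Path $ConfigKey $CaName
$RegFile   = Join-Path $BackupDir "$CaName.reg"

Stop-Service certsvc                      # same as "net stop certsvc"

# regedit writes .reg files as UTF-16LE; read and write them as Unicode or
# reg.exe will reject the result.
$lines   = Get-Content -Path $RegFile -Encoding Unicode
$pattern = '^"CAServerName"="' + [regex]::Escape($OldHost) + '"$'
if (-not ($lines -match $pattern)) {
    throw "No CAServerName=$OldHost line in $RegFile; refusing to import it unchanged"
}
$fixed = $lines -replace $pattern, ('"CAServerName"="' + $NewHost + '"')
Set-Content -Path $RegFile -Value $fixed -Encoding Unicode

reg import $RegFile                       # same as right-click > Merge
if ($LASTEXITCODE -ne 0) { throw "reg import of $RegFile failed" }

# Verify the merged value before restoring the database on top of it.
$actual = (Get-ItemProperty $CaKey).CAServerName
if ($actual -ne $NewHost) { throw "CAServerName is '$actual', expected '$NewHost'" }

# Same as the Restore Wizard with both items selected.
$KeyPassword = Read-Host -Prompt 'Private key password' -AsSecureString
Restore-CARoleService -Path $BackupDir -Password $KeyPassword -Force

Start-Service certsvc

# The merged key also carries the CRL/AIA publication URLs. Any entry that
# still names the old host must be corrected here, because clients fetch
# revocation data from those URLs for every certificate this CA issues.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

If either certutil line prints a URL containing the old host name rather than a variable such as %1 (ServerDNSName) or an LDAP path, change it with certutil -setreg and republish the CRL before clients start relying on the new server.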
Test new CA server
From a domain-joined workstation, type “MMC” in Search, run it as administrator, and select “Add/Remove Snap-in”
![](https://ictfella.com/wp-content/uploads/2022/02/certificate-add-snap-in.png)
Click “Certificates” and select “Computer account”
![](https://ictfella.com/wp-content/uploads/2022/02/certificate-snap-ins-computer-account.png)
Go to Certificates – Personal, right-click the blank space and choose “All Tasks – Request New Certificate”. You can then choose your CA template and test the new server; note that the “CA Service Name” remains the same in this scenario.
![](https://ictfella.com/wp-content/uploads/2022/02/certificate-local-computer-personal.png)
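The same test can be run from an elevated PowerShell on the domain-joined workstation, with a few checks the MMC request does not show you. This is an added example, not the post's own code: the CA service name and template name are placeholders (the post does not give them), and newCA.ictfella.com is the post's example host name.

```powershell
# Added example, not the post's own code: scripts the "Request New
# Certificate" test above from an elevated PowerShell on a domain-joined
# workstation. <CA Service Name> and the template name are placeholders;
# newCA.ictfella.com is the post's example host name.
$CaConfig = 'newCA.ictfella.com\<CA Service Name>'   # placeholder: host\CA service name
$Template = 'Machine'                                  # assumption: a template published on the CA

# 1. Is the CA answering at its new host name?
certutil -config $CaConfig -ping
if ($LASTEXITCODE -ne 0) { throw "CA at $CaConfig did not answer" }

# 2. Is the expected template still offered? Templates are published in AD,
#    not restored from the backup, so this is worth checking explicitly.
$offered = certutil -config $CaConfig -CATemplates
if (-not ($offered -match "^${Template}:")) { throw "Template $Template is not published on $CaConfig" }

# 3. Same as "All Tasks - Request New Certificate" for the computer account.
$result = Get-Certificate -Template $Template -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Request did not complete, status: $($result.Status)" }

# 4. The issuer must be the unchanged CA, the chain must build, and the
#    embedded CRL Distribution Points must not name the old server.
$cert = $result.Certificate
$cert | Select-Object Subject, Issuer, Thumbprint, NotAfter
if (-not (Test-Certificate -Cert $cert -Policy BASE)) { throw 'Issued certificate does not chain to a trusted root' }
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
if ($cdp) { $cdp.Format($true) }   # a URL still pointing at oldCA will fail once that host is gone
```

Run it once for each template that matters in your environment; the template check in step 2 is the one most likely to catch a difference, since template publication is an Active Directory setting rather than part of the restored configuration.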
Useful links
How to move a certification authority to another server