How to Migrate Microsoft Certificate Authority service to Server 2022

This post is to demonstrate the process to migrate Microsoft Certificate Authority Service (Enterprise Root CA) to Windows Server 2022.


  • Source: Windows Server 2016 Standard with Certificate Authority roles installed
  • Destination: Windows Server 2022 Standard
  • Reason for the migration: Server refreshment
  • Migration Context: Source and Destination server names are different, for Example, to However, the CA service name remains the same.

Backup/Export the Config and Private Key

Open up Certificate Authority Management Console, expand “Certification Authority (local), right-click on the “CA Service Name – All Tasks – Back up CA” to initialize the Backup Wizard, then click Next


Tick boxes to select the items to back up, then browse to the backup path/location like below


Provide a password for the private key, then complete the wizard


Back up the CA register key

Type “regedit” in Search and run it as Administrator

Navigate to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSVC\Configuration”, right-click on the CA Service Name and select “Export”

Browse to a path, give it a name, in my example you will see it is with the CA backup files in “C:\temp”

Uninstall the AD Certificate Service on the Source(old) CA server

Go to “Server Manager – Manage – Remove Roles and Features” and start the wizard


Select your old server and remove the “Certification Authority”


Remove the “Remote Server Administration Tools” in the popped-up window and next to complete the removal progress

Install Certificate Services on the Destination Server

Go to “Server Manager – Add Roles and Features” to start the installation wizard


Select your destination server, then select Role-based or feature-based installation

Select “Active Directory Certificate Service” and include management tools, click next on the Features page


Select “Certification Authority” roles Services

Confirm installation selections and complete the process, you then can select “Configure Active Directory Certificate Services”


Use your Domain Admin Credential, and make sure “Certification Authority” is selected

Specify the Enterprise CA and Root CA as it is configured on the Source Server

Select “Use existing private key” and “select a certificate and use its associated private key”, and browse to where you keep your backup, enter the private key password. ( assume you have copied the backup files and registry key already)

You will see the existing cert is showing, click next then configure database location, we will just use the default


Click “Configure” on the confirmation page and let it finish

Import the Registry key

Stop the Certificate Sevice using CMD “net stop certsvc

Open up your registry key and search for “CAServerName”, change the name to the new server name such as “”

You then right-click on the registry key and select Merge, then complete the registry key import


Import the CA Configuration/Database

On the new CA server and right-click on the CA Service Name, select “Restore CA” to start the wizard

Select the items you want to restore and put your private key password in

Complete the Certification Authority Restore Wizard

Test new CA server

From a Domain Joined workstation, type “MMC” in search and run it as administrator, and select “Add/Remove Snap-in”

Click on “Certificates” and select “Computer account”

Go to Certificates – Personal, then right-click on the blank space, then “All Tasks – Request New Certificate”, you then can choose your CA template and test out the new server, please be aware of the “CA Service Name” remains the same in this scenario.

How to move a certification authority to another server

Leave a Comment

Your email address will not be published. Required fields are marked *