Accomplished systems and network administrator with 10+ years of experience managing server infrastructures and data-center operations.
Microsoft ended support for Windows Server 2003 R2 on July 14, 2015. Some businesses still run that version, however, because of the complexity of migrating their applications and services to a newer version of the Windows operating system.
I've decided to write a tutorial on upgrading from a Windows 2003R2 Certificate Authority (CA) because I had to migrate one recently.
The CA cannot be migrated directly from 2003R2 to 2019: the 2003R2 CA database cannot be restored onto a 2019 CA, so the CA first has to be moved to a version of Windows prior to 2019 and then moved again. In this tutorial we use 2012R2 as the intermediate version.
If the CA is running on any version of Windows from 2008R2 and later, it can be upgraded to 2019 directly.
The following is a high-level summary of the steps we’ll use to migrate a CA from one server to another.
Summary of Steps
On the original server:
- Backup the CA
- Backup the CA registry key
- Uninstall the CA role
On the destination server:
- Install the CA role
- Configure the CA
- Import the CA certificate
- Modify the exported registry file so that its CAServerName entry holds the name of the new server
- Stop the CA Service
- Import the modified Registry Key
- Restore the CA database
- Start up the CA Service
Back up the Certificate Authority
Open up the Certification Authority application.
Right Click on the name of the certificate authority and select Backup CA.
Select both "Private key and CA certificate" and "Certificate database and certificate database log", then choose a folder in which to store the backup files. Hit Next.
Enter a password. It protects the exported private key (the .p12 file) and will be needed again when the root CA certificate and backup files are restored on the new server, so choose a strong one and keep it out of the backup folder itself. Hit Next.
Back up the CA Registry Key
Use Regedit to export the registry key for the certificate authority service.
Navigate to :
Right click the key with the name of the root CA and select Export.
Type in a name for the file. For convenience, I store the exported registry file in the same folder as the CA backup files.
The backup folder should now hold the <CA name>.p12 file, a DataBase folder containing the .edb and log files, and the exported .reg file.
Uninstall the CA Role
We now need to remove the Certificate Authority role from the server.
In Windows 2003R2, navigate to Control Panel -> Add or Remove Programs.
Select Add/Remove Windows Components.
Untick Certificate Services and click Next.
Install the CA Role on the Destination Server
The intermediate server we migrate to is a Windows Server 2012R2 server. Any operating system from 2008R2 up to 2016 could have been chosen as the direct target from 2003R2.
Open Server Manager, and select Add roles and features.
Select Role-based or feature-based installation. Then click Next.
Select Active Directory Certificate Services.
When the wizard prompts for the features that role requires, click Add Features.
Select Certification Authority.
The Add Roles and Features Wizard will prompt to ask if you want to add additional required roles and features.
Select Add Features.
For an intermediate migration, no other role services need to be selected.
However, for this tutorial, I will select the Certification Authority Web Enrollment role service as well.
Accept the defaults and click Next.
Configure the CA
Server Manager will now have a yellow exclamation mark.
It wants us to configure the Active Directory Certificate Services which we have just installed.
Click on the link in the message.
For the credentials, enter an account with Enterprise Admins rights; configuring an Enterprise CA requires them. Click Next.
Select the role services, and click Next.
Select Enterprise CA. Click Next.
Select Root CA. Click Next.
Import the CA Certificate
Choose Use existing private key, and choose Select a certificate and use its associated private key. Click Next.
Navigate to the certificate in the folder that contains the CA backups, and enter the password we had used earlier.
Select the certificate, and click Next.
Accept the default locations.
Modify the Exported Registry Key
Before importing the exported registry file, open it in Notepad.
Locate the CAServerName value and change it to the name of the server we are migrating to. While the file is open, look for any other value that names the old server (custom CRL or AIA publication paths, for example) so that the imported configuration does not keep pointing at a server that no longer hosts the CA.
Stop the CA Service
Stop the Active Directory Certificate Services service (certsvc), for example from the Services console.
Import the Modified Registry Key
Double click the modified .reg file. A confirmation message appears; click Yes to continue.
Restore the CA Database
We now need to restore the CA backup. Right click the CA name and select All Tasks -> Restore CA.
Locate the backup folder using Browse and click Next.
Enter the password we used earlier. Click Next.
Click Yes when prompted to start Active Directory Certificate Services.
This now completes the migration to the intermediate server.
Migrating the CA From the Intermediate Server to the Final Destination Server
The preceding steps will need to be repeated to migrate from the intermediate server to the final destination server.
I will only show a brief outline of this last phase in this tutorial, because aside from the GUI differences between 2003R2 and 2012R2, the steps are the same.
Backup the CA on the Intermediate Server
We need to backup the CA database and export the CA registry key. Then we uninstall the CA role.
Uninstall the CA on the Intermediate Server
The Certification Authority Web Enrollment role service has to be uninstalled first.
After that has been removed, the Certification Authority role service can be uninstalled.
On the Final Destination Server
Follow the eight steps listed under "On the destination server" in the Summary section. The screenshots from the intermediate server apply here as well, because the Add Roles and Features wizard is close to identical between 2012R2 and 2019.
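The following script is an added example and not code from the original post: it is the command-line equivalent of the backup and restore steps above, built on certutil.exe and reg.exe, which exist on every Windows Server version involved, and it applies unchanged to both hops (2003R2 to 2012R2, then 2012R2 to 2019). Backup-CaForMigration runs on the server being vacated; Restore-CaFromMigration runs on the server on which the CA role has already been configured with the existing key, that is, after the GUI step "Accept the default locations". The registry path is the standard CertSvc configuration key; the backup folder C:\CABackup and the old host name OLDCA are assumed placeholders. On a 2003R2 host without PowerShell, the certutil and reg lines in the backup function can be typed into cmd.exe as they are.

```powershell
# Added example, not code from the original post. Assumed placeholders: C:\CABackup and OLDCA.
$CertSvcReg = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'   # reg.exe form
$CertSvcPs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'  # PowerShell provider form

function Get-CaName {
    # The Configuration key's Active value names the CA hosted on this server.
    (Get-ItemProperty -Path $CertSvcPs -Name Active).Active
}

function Backup-CaForMigration {
    param([string]$BackupDir = 'C:\CABackup')
    $caName = Get-CaName
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # Private key + CA certificate (<CAName>.p12) and DataBase\ (EDB plus log files).
    # certutil prompts for the PFX password; the same password is needed at restore time.
    certutil -backup $BackupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

    # The CA's own configuration subkey: CAServerName, CRL/AIA URLs, validity periods, etc.
    reg export "$CertSvcReg\$caName" (Join-Path $BackupDir 'CertSvc-Config.reg')
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # Records to compare against after the restore: published templates live in AD, not in
    # the database, and the publication URL lists are what the CRL gotcha below hinges on.
    certutil -catemplates                     | Out-File (Join-Path $BackupDir 'catemplates.txt')
    certutil -getreg CA\CRLPublicationURLs    | Out-File (Join-Path $BackupDir 'crl-urls.txt')
    certutil -getreg CA\CACertPublicationURLs | Out-File (Join-Path $BackupDir 'aia-urls.txt')

    # Do not remove the role until the PFX, the database and the registry export really exist.
    foreach ($rel in "$caName.p12", "DataBase\$caName.edb", 'CertSvc-Config.reg') {
        if (-not (Test-Path (Join-Path $BackupDir $rel))) { throw "backup incomplete: $rel is missing" }
    }
    Get-ChildItem -Path $BackupDir -Recurse
}

function Restore-CaFromMigration {
    param([string]$BackupDir = 'C:\CABackup',
          [Parameter(Mandatory = $true)][string]$OldServerName)
    $regFile = Join-Path $BackupDir 'CertSvc-Config.reg'
    $patched = Join-Path $BackupDir 'CertSvc-Config-patched.reg'

    # .reg exports are UTF-16LE; read and write them as such or reg import rejects the file.
    $text  = [IO.File]::ReadAllText($regFile, [Text.Encoding]::Unicode)
    $fixed = $text -replace '("CAServerName"=")[^"]*"', ('${1}' + $env:COMPUTERNAME + '"')

    # Anything else still naming the old host (custom UNC or HTTP paths) needs a human look.
    # Caveat: REG_MULTI_SZ values such as CRLPublicationURLs are exported as hex(7) byte
    # dumps, so this text search cannot see them; check those with certutil -getreg afterwards.
    $left = [regex]::Matches($fixed, [regex]::Escape($OldServerName), 'IgnoreCase').Count
    if ($left -gt 0) { Write-Warning "$left further reference(s) to $OldServerName in $patched; review before importing" }
    [IO.File]::WriteAllText($patched, $fixed, [Text.Encoding]::Unicode)

    Stop-Service -Name certsvc
    reg import $patched
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    # -f overwrites the empty database created when the role was installed; certutil asks for the PFX password.
    certutil -f -restore $BackupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with exit code $LASTEXITCODE" }
    Start-Service -Name certsvc

    # Post-checks: the service answers, CAServerName is this host, and the template list
    # matches the one saved before the move.
    certutil -ping
    $caName = Get-CaName
    (Get-ItemProperty -Path "$CertSvcPs\$caName" -Name CAServerName).CAServerName
    certutil -catemplates
}
```

The script deliberately fails before the role is removed if any of the three artefacts is missing from the backup folder, and it never puts the PFX password on the command line (certutil prompts for it), so the password does not end up in process listings or shell history.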
The migration steps are straightforward. However, there is one gotcha that I have not seen mentioned in other articles about migrating root CAs, yet it has been there on every occasion I have done one of these migrations.
Most CA installations keep the default settings during installation, which means the CRL distribution point (CDP) URLs contain the name of the server the CA was installed on. After the migration, newly issued certificates carry CDP URLs that point to the new server.
Existing certificates, while still valid, keep pointing at the old CRL URL to obtain the certificate revocation list.
Immediately after the migration, services that use an existing certificate keep working even though no new certificate has been issued to the device or service. Once the last CRL published by the old server expires (the default validity of a base CRL is one week), clients that check revocation can no longer obtain a fresh CRL from the old URL. A service is usually configured not to accept a certificate whose CRL cannot be retrieved, so the service stops working.
There are two options in this situation: re-issue a new certificate to the affected device or service, or configure the CA so that it also publishes the certificate revocation list to the original CRL URLs.
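The second option, scripted, as an added example that is not part of the original post: it makes the migrated CA keep writing its CRL to the location that certificates issued under the old server name carry as their CDP. It assumes the old host was called OLDCA and that the CRL publication list is the installation default, in which the LDAP CDP lives under CN=<server short name>,CN=CDP and the HTTP CDP under http://<server DNS name>/CertEnroll. The LDAP side is handled by adding a publish-only entry for the old container; the HTTP side cannot be fixed from the CA alone, because the old host name must resolve to a web server that serves the same CertEnroll folder (a DNS alias for the old name pointing at the new server is the usual arrangement). If certutil -crl reports an access error for the LDAP location, the new server's computer account needs write access to the old container, whose ACL was created for the old server.

```powershell
# Added example, not code from the original post. Assumed placeholder: OLDCA (old server short name).
$OldShort  = 'OLDCA'
$certSvcPs = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $certSvcPs -Name Active).Active
$caKey     = "$certSvcPs\$caName"

# Each entry is "<flags>:<url>". Flag bits used here: 1 = publish the base CRL to this
# location, 64 = publish the delta CRL to it. Bit 2 (put the URL into the CDP extension of
# newly issued certificates) is deliberately left off so that new certificates only name the
# new server. The %-tokens are the ones the default entries use (%7 = CA name, %8 = CRL
# name suffix, %6 = configuration naming context, %10 = CDP object class).
$legacy = @(
    "65:ldap:///CN=%7%8,CN=$OldShort,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
)

$current = @((Get-ItemProperty -Path $caKey -Name CRLPublicationURLs).CRLPublicationURLs)
$wanted  = $current + ($legacy | Where-Object { $current -notcontains $_ })
Set-ItemProperty -Path $caKey -Name CRLPublicationURLs -Value $wanted -Type MultiString

# The CA reads the publication list at start-up; then publish a fresh base and delta CRL.
Restart-Service -Name certsvc
certutil -crl
if ($LASTEXITCODE -ne 0) { Write-Warning "CRL publication reported exit code $LASTEXITCODE; check the LDAP container ACL" }
certutil -getreg CA\CRLPublicationURLs

# Client-side check with a certificate issued before the move (file name is an assumption):
# -urlfetch downloads every CDP and AIA URL in the chain the way a relying party would.
$oldCert = '.\issued-before-migration.cer'
if (Test-Path $oldCert) { certutil -verify -urlfetch $oldCert }
```

Run the certutil -verify -urlfetch check from a domain member other than the CA: it exercises both the LDAP and the HTTP URL embedded in the old certificate, so a failure on the HTTP line tells you the DNS alias is still missing even when the LDAP publication succeeded.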
Another gotcha I have seen a few times is that new templates you create do not get published, so you are not able to issue certificates from the new template.
I had to Google this issue, and it turned out the flags attribute was no longer set to 10 on the following AD object: CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domainname>.
You can use ADSI Edit to modify the flags attribute.
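The same repair scripted with plain ADSI, as an added example that is not from the original post. The flags attribute sits on the CA's own pKIEnrollmentService object, CN=<CA name>, inside the Enrollment Services container quoted above, and the published template list is the certificateTemplates attribute of that same object, which is why an unpublishable template and a wrong flags value show up together. The value 10 is the one the post reports for a working CA. The script assumes a CA name that needs no DN sanitising and an account with Enterprise Admins rights.

```powershell
# Added example, not code from the original post. No ActiveDirectory module required.
function Get-CaEnrollmentService {
    param([string]$CaName)
    # RootDSE tells us the configuration naming context of the forest we are joined to.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    [ADSI]"LDAP://CN=$CaName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
}

$caName = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' -Name Active).Active
$es = Get-CaEnrollmentService -CaName $caName

# What enrolling clients read from AD about this CA.
"dNSHostName          : $($es.dNSHostName)"                          # must name the new server after the move
"flags                : $($es.flags)"
"certificateTemplates : $($es.certificateTemplates -join ', ')"      # the published template list

if ([int]$es.flags.Value -ne 10) {
    $es.Put('flags', 10)      # the same change the ADSI Edit step makes by hand
    $es.SetInfo()
    Restart-Service -Name certsvc
}

# Publishing a template afterwards is a CA-side change to that same object, e.g.:
#   certutil -setcatemplates +WebServer
```

If dNSHostName still shows the old server, the CA service has not yet rewritten its own enrollment service object; start certsvc on the new server and re-run the script before touching anything else.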
This content is accurate and true to the best of the author’s knowledge and is not meant to substitute for formal and individualized advice from a qualified professional.
© 2021 sengstar2005