Updated date:

Migrate the Root Certificate Authority to Windows Server 2019

Accomplished systems and network administrator with 10+ years of experience managing server infrastructures and data-center operations.

Microsoft ended the support of Windows 2003R2 on July 14, 2015. However, some businesses still run that version due to the complexities in migrating applications and services across to a newer version of the Windows operating system.

I've decided to do a tutorial on upgrading from Windows 2003R2 Certificate Authority (CA) because I had to migrate one recently.

We cannot upgrade the CA directly from 2003R2 to 2019. We need to upgrade to a version of Windows prior to 2019 first. The 2003R2 CA database is not compatible with the 2019 CA version. In this tutorial, we will use 2012R2 as the intermediate version.

If the CA is running on any version of Windows from 2008R2 and later, it can be upgraded to 2019 directly.

The following is a high-level summary of the steps we’ll use to migrate a CA from one server to another.

migrate-ca-from-windows-2003r2-to-2019-server

Summary of Steps

On the original server:

  1. Backup the CA
  2. Backup the CA registry key
  3. Uninstall the CA role

On the destination server:

  1. Install the CA role
  2. Configure the CA
  3. Import the CA certificate
  4. Modify the exported registry key’s Server Name entry with the name of the new server
  5. Stop the CA Service
  6. Import the modified Registry Key
  7. Restore the CA database
  8. Start up the CA Service

Back up the Certificate Authority

Open up the Certification Authority application.

migrate-ca-from-windows-2003r2-to-2019-server

Right Click on the name of the certificate authority and select Backup CA.

migrate-ca-from-windows-2003r2-to-2019-server
Hit Next

Hit Next

Select Private Key and CA Certificate, and Certificate database and certificate database log, and select a location to store the backup files. Hit Next.

migrate-ca-from-windows-2003r2-to-2019-server

Enter the password. This password will be used later to restore the root CA certificate and backup files. Hit Next.

migrate-ca-from-windows-2003r2-to-2019-server
Hit Finish

Hit Finish

Back up the CA Registry Key

Use Regedit to export the registry key for the certificate authority service.

migrate-ca-from-windows-2003r2-to-2019-server

Navigate to :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSVC\Configuration

Right click the key with the name of the root CA and select Export.

migrate-ca-from-windows-2003r2-to-2019-server

Type in a name to save the file. For convenience, I will store the exported registry file in the same folder as the CA backup files.

migrate-ca-from-windows-2003r2-to-2019-server

We should have something like below in the folder that has our CA backup files and registry export.

migrate-ca-from-windows-2003r2-to-2019-server

Uninstall the CA Role

We now need to remove the Certificate Authority role from the server.

In Windows 2003R2, we need to navigate to Control Panel->Add or Remove Programs.

migrate-ca-from-windows-2003r2-to-2019-server

Select Add/Remove Windows Components

migrate-ca-from-windows-2003r2-to-2019-server
migrate-ca-from-windows-2003r2-to-2019-server

Untick Certificate Services, and click Next.

migrate-ca-from-windows-2003r2-to-2019-server
migrate-ca-from-windows-2003r2-to-2019-server
Click Finish

Click Finish

Install the CA Role on the Destination Server

The intermediate server we are going to pick to migrate to is the Windows Server 2012R2 server. We could have picked to migrate to any operating system from 2008R2 to 2016 directly from 2003R2.

Open Server Manager, and select Add roles and features.

migrate-ca-from-windows-2003r2-to-2019-server
Click Next

Click Next

Select Role-based or feature-based installation. Then click Next.

migrate-ca-from-windows-2003r2-to-2019-server
Click Next

Click Next

Select Active Directory Certificate Service

migrate-ca-from-windows-2003r2-to-2019-server

Click Add Features when you get this prompt after the select Active Directory Certificate Wizard

migrate-ca-from-windows-2003r2-to-2019-server
Click Next

Click Next

Click Next

Click Next

Click Next

Click Next

Select Certification Authority.

migrate-ca-from-windows-2003r2-to-2019-server

The Add Roles and Features Wizard will prompt to ask if you want to add additional required roles and features.

Select Add Features.

migrate-ca-from-windows-2003r2-to-2019-server

For an intermediary migration, we don't need to select any other role services.

However, for this tutorial, I will select the Certification Authority Web Enrollment role service as well.

Click Next.

Click Next

Click Next

migrate-ca-from-windows-2003r2-to-2019-server

Accept the defaults and click Next.

migrate-ca-from-windows-2003r2-to-2019-server

Click Install.

migrate-ca-from-windows-2003r2-to-2019-server
migrate-ca-from-windows-2003r2-to-2019-server

Configure the CA

Server Manager will now have a yellow exclamation mark.

It wants us to configure the Active Directory Certificate Services which we have just installed.

Click on the link in the message.

Recommended for you

migrate-ca-from-windows-2003r2-to-2019-server

For the credential, enter the credentials that have Enterprise Administrator rights. Click Next.

migrate-ca-from-windows-2003r2-to-2019-server

Select the role services, and click Next.

migrate-ca-from-windows-2003r2-to-2019-server

Select Enterprise CA. Click Next.

migrate-ca-from-windows-2003r2-to-2019-server

Select Root CA. Click Next.

migrate-ca-from-windows-2003r2-to-2019-server

Import the CA Certificate

Choose Use existing private key, and choose Select a certificate and use its associated private key. Click Next.

migrate-ca-from-windows-2003r2-to-2019-server

Click Import.

migrate-ca-from-windows-2003r2-to-2019-server

Navigate to the certificate in the folder that contains the CA backups, and enter the password we had used earlier.

migrate-ca-from-windows-2003r2-to-2019-server

Select the certificate, and click Next.

migrate-ca-from-windows-2003r2-to-2019-server

Accept the default locations.

migrate-ca-from-windows-2003r2-to-2019-server

Click Configure.

migrate-ca-from-windows-2003r2-to-2019-server

Click Close.

migrate-ca-from-windows-2003r2-to-2019-server

Modify the Exported Registry Key

We will need to import the registry key next. Modify the registry key using NOTEPAD.

migrate-ca-from-windows-2003r2-to-2019-server

Locate CAServerName and change it to the name of the server where we are currently migrating to.

migrate-ca-from-windows-2003r2-to-2019-server

Stop the CA Service

Stop the CA Service.

migrate-ca-from-windows-2003r2-to-2019-server

Import the Modified Registry Key

Double click on the exported registry key. A message will appear. Click Yes to continue.

migrate-ca-from-windows-2003r2-to-2019-server
migrate-ca-from-windows-2003r2-to-2019-server

Restore the CA Database

We now need to restore the CA backups. Right click on the CA name and select All Tasks -> Restore CA

migrate-ca-from-windows-2003r2-to-2019-server
migrate-ca-from-windows-2003r2-to-2019-server
Click Next

Click Next

Locate the backup folder using Browse and click Next

migrate-ca-from-windows-2003r2-to-2019-server

Enter the password we used earlier. Click Next.

migrate-ca-from-windows-2003r2-to-2019-server

Click Finish.

migrate-ca-from-windows-2003r2-to-2019-server

Click Yes to the prompt about starting up Active Directory Certificate Services.

migrate-ca-from-windows-2003r2-to-2019-server

This now completes the migration to the intermediate server.

migrate-ca-from-windows-2003r2-to-2019-server

Migrating the CA From the Intermediate Server to the Final Destination Server

The preceding steps will need to be repeated to migrate from the intermediate server to the final destination server.

I will only show a brief outline of this last phase in this tutorial, because aside from the GUI differences between 2003R2 and 2012R2, the steps are the same.

Backup the CA on the Intermediate Server

We need to backup the CA database and export the CA registry key. Then we uninstall the CA role.

Backup the CA Certificate and Certificate Database

Backup the CA Certificate and Certificate Database

migrate-ca-from-windows-2003r2-to-2019-server
Export CA Registry Key

Export CA Registry Key

Uninstall the CA on the Intermediate Server

You need to uninstall the Certificate Authority Web Enrollment role service first.

After that has been uninstalled, you can then proceed to uninstall the Certification Authority role service.

migrate-ca-from-windows-2003r2-to-2019-server
migrate-ca-from-windows-2003r2-to-2019-server
migrate-ca-from-windows-2003r2-to-2019-server
migrate-ca-from-windows-2003r2-to-2019-server
migrate-ca-from-windows-2003r2-to-2019-server
migrate-ca-from-windows-2003r2-to-2019-server
migrate-ca-from-windows-2003r2-to-2019-server

On the Final Destination Server

Follow Steps 1 to 8 from the Summary section for actions to perform on the destination server. Use the screen shots in the previous steps that were performed on the intermediate server as the GUI for the Add Server roles are close to being identical between 2012R2 and 2019.

Conclusion

The migration steps are straightforward. However, there is one GOTCHA that is there every time I have done one of these.

GOTCHAS

There is one gotcha that I have not seen in other articles about migrating root CAs, yet is there on all the occasions that I have done the CA migrations.

Most CA installations use the default settings during installation. This means that the CRL URL are pointing to the server name that the CA was installed to. When you migrate to the new server, any newly issued certificates will have the new CRL URL location, which points to the new server.

However, existing certificates, while valid, will still be looking at the old CRL URL to obtain the certificate revocation list.

After migration, any services that use a certificate will still function even if you haven't re-issued a new certificate to the device or service. However, after about a week, the certificate revocation list will be stale, and a service is usually configured to not use a certificate if it can't access or retrieve an updated certificate revocation list. This usually means the service will stop working.

You got two options in this situation. Re-issue a new certificate to the device or service, or set up the CA so that it publishes the certificate revocation list to the original CRL URLs as well.

Another gotcha I saw a few times is that any new templates you create do not get published, so you are not able to issue a new certificate template.

I had to Google this issue, and it was the flags attribute was no longer set to 10 for the following AD object CN=Enrollment Services, CN=Public Key Services, CN=Services, CN=Configuration,DC=<domainname>.

You can use ADSI Edit to modify the above flags setting.

This content is accurate and true to the best of the author’s knowledge and is not meant to substitute for formal and individualized advice from a qualified professional.

© 2021 sengstar2005

Related Articles