Migrate ADCS
As a best practice, a public key infrastructure should have an offline root certification authority and a subordinate certification authority that issues the certificates. We will look at how to migrate these two servers from Windows Server 2012 R2 to Windows Server 2019.
Migrate Root CA
The root certificate authority is an important server in a public key infrastructure. It is used to sign the certificate of the Subordinate Certification Authority so that the Subordinate CA can in turn issue certificates to servers or workstations. Note that the Root CA is a member of a workgroup and not an AD domain.
Backup Certification Authority
From the root server, go to the Server Manager console and click on Tools, then click on Certification Authority to open the ADCS console.
Right click on the root CA, then in the context menu select All Tasks and then Back up CA.
A wizard appears, click on Next.
Check the Private key and CA certificate option and the Certificate database and certificate database log option, then specify the destination folder.
Enter the desired password and click on Next.
Click on Finish to begin the backup.
Backup Registry Key
The registry key must also be backed up for the server migration. From the Root Certification Authority, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc.
Right click on CertSvc and then click on Export.
Save the file in the desired folder.
Since the source server is not a member of the AD domain, there is no need to remove the ADCS role. Nevertheless the VM must be switched off; after the migration it will be permanently deleted. Copy the previously created backup folder and the reg file to the new root CA server, then switch off the old VM.
Configure a new root server
From the Server Manager console, rename the server so that it has the name of the old root certification authority.
Click on Add Roles and Features to install the role.
Check Active Directory Certificate Service and click on Next.
Check Certification Authority and Certification Authority Web Enrollment.
There is no need to modify the IIS role services. Click Install to proceed with the role installation.
A new notification appears in the Server Manager console, click on Configure Active Directory Certificate Services.
A new wizard appears, click on Next.
Check the two options previously installed then click on Next.
Check Standalone CA and click on Next.
Select Root CA and click on Next.
It is very important to reuse the private key of the former root certification authority. Do not create a new private key. Check Use existing private key, then Select a certificate and use its associated private key.
Click on Import to select the certificate.
Click on Browse and select the certificate. The certificate is present in the folder that contains the backup. As a reminder, this folder was previously copied to the new root server.
Enter the password configured at the time of backup and click on OK.
The certificate has been selected. Select the certificate and click on Next.
Click on Configure to proceed to configuration.
Click on Close. The Root Certification Authority has now been configured.
Restore Root Certification Authority
From the Certification Authority console, right click on the Root Certification Authority then click on Restore CA.
A new message appears, click on OK.
A wizard appears, click on Next.
Check the Private key and CA certificate option and the Certificate database and certificate database log option. With the Browse button, select the folder previously copied to the server.
Enter the password configured during the backup of the old root certification authority.
Click on Finish. Click on Yes to start Active Directory Certificate Services.
The restoration completed successfully. You can see the certificates issued before the migration.
Right click on the previously generated reg file and click on Merge.
A warning message appears, click on Yes.
Click on OK. The registry has been merged.
Migrate Subordinate CA
Before proceeding with the migration of the Subordinate certification authority, it is necessary to list the certificate templates currently published by the CA. After the migration, these templates will have to be added again.
Backup Certification Authority
From the Certification Authority console, right click on your Subordinate Certification Authority and click on Back up CA.
A new wizard appears, click on Next.
Check the Private key and CA certificate option and the Certificate database and certificate database log option. With the Browse button, select the backup location.
Enter the desired password and click on Next.
Click on Finish. The backup is done.
Backup Registry Key
The registry key must be exported. Open Registry Editor and go to the CertSvc key in HKLM\SYSTEM\CurrentControlSet\Services\CertSvc.
Right click on CertSvc and click on Export.
Select the destination folder and enter the name of the Reg File.
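The backup steps are the same for the root CA and for the subordinate CA, so the following PowerShell script covers both (together with the template inventory mentioned at the start of the subordinate section). It is an added example, not code from the original article; it assumes the ADCSAdministration module, an elevated session on the CA being migrated, a C:\CABackup destination and the file names cacerthash-before.txt, templates-before.txt and hashes.csv chosen here.

```powershell
# Added example: scripted equivalent of the Back up CA wizard, the CertSvc
# registry export and the template inventory. Run elevated on the CA.
Import-Module ADCSAdministration

$BackupRoot = 'C:\CABackup'                           # assumed destination
$Password   = Read-Host -AsSecureString -Prompt 'Backup password'
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Private key + CA certificate (.p12) and the database with its log:
#    the same options the wizard offers.
Backup-CARoleService -Path $BackupRoot -Password $Password -Force

# 2. Export the CertSvc registry key (CA configuration: CDP/AIA, validity, ...).
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc' `
    (Join-Path $BackupRoot 'CertSvc.reg') /y | Out-Null

# 3. Record the thumbprint(s) the CA service keeps for its own certificate
#    (CACertHash). Comparing this value after the restore proves the new
#    server reuses the original key instead of a newly created one.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
(Get-ItemProperty -Path "$cfg\$caName").CACertHash |
    Set-Content -Path (Join-Path $BackupRoot 'cacerthash-before.txt')

# 4. Inventory the templates an enterprise (subordinate) CA currently issues
#    so they can be re-added after the migration. A standalone root has none,
#    so the query is allowed to fail there.
$templates = @()
try { $templates = @((Get-CATemplate -ErrorAction Stop).Name) } catch { }
$templates | Set-Content -Path (Join-Path $BackupRoot 'templates-before.txt')

# 5. SHA-256 manifest of everything written, to be checked again on the new
#    server so a corrupted or altered backup is never restored.
Get-ChildItem -Path $BackupRoot -Recurse -File |
    Where-Object { $_.Name -ne 'hashes.csv' } |
    ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($BackupRoot.Length + 1)
            Hash         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path (Join-Path $BackupRoot 'hashes.csv') -NoTypeInformation
```

Copy the whole C:\CABackup folder to the new server; the manifest is what the restore script checks before touching the new CA.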
Remove ADCS Roles
Before being able to configure the new server, it is first necessary to delete the role on the old server. From the Server Manager console, click on Manage then on Remove Roles and Features.
Expand Active Directory Certificate Services then uncheck Certification Authority Web Enrollment.
Click twice on Next and then proceed to remove the role. Click on Close, then repeat the same operations for the Active Directory Certificate Services role.
When the roles have been removed, copy the previously generated folder and reg file to the new server. The old server can be switched off.
Configure a new Subordinate server
The new Subordinate server can now be installed. From the Server Manager console, rename the new server so that it has the name of the old server.
Then, from the Server Manager console, click on Add roles and features.
Check Active Directory Certificate Services then click on Next.
On the Role Services Windows, check Certification Authority Web Enrollment then click on Next.
Leave the IIS role services as default and proceed with the installation. A notification appears in the Server Manager console. Click on Configure Active Directory Certificate Services.
Check the Certification Authority and Certification Authority Web Enrollment role services, then click on Next.
Select Enterprise CA in the Setup Type window.
Select Subordinate CA then click on Next.
A new private key must not be created under any circumstances, otherwise all previously issued certificates will become invalid. Select Use existing private key and Select a certificate and use its associated private key. Click on Next.
Click on Import to select the previously backed up certificate.
Click on Browse and select the certificate. Enter the password configured during the backup.
Select the certificate and click on Next.
Leave the default paths in Certificate Database and proceed with the role configuration.
Restore Subordinate Certification Authority
From the Certification Authority console, right click on the Subordinate Certification Authority and click on All Tasks / Restore CA.
Check Private key and CA certificate, then Certificate database and certificate database log. With the Browse button, select the folder previously generated during the backup.
Enter the backup password and click on Next.
Click on Finish. The backup has been restored. A window appears, click on Yes to start the service.
If an error message appears when starting the service, you must copy the root server's certificate and revocation list (the .crt and .crl files) into the CertEnroll folder of the Subordinate CA.
On the root server, rename the .crl and .crt files as needed and copy them into the CertEnroll folder on the Subordinate server.
On root CA
On Subordinate CA
You can now start the service.
Right click on the reg file and click on Merge.
Click on Yes, then on OK. Right click on Certificate Templates, then click on New / Certificate Template to Issue.
Select the desired template, then click on OK.
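The restore steps for the root CA and for the subordinate CA (Restore CA wizard, registry merge, CertEnroll copy, template publication) can likewise be scripted, and a script is a good place to add the checks an administrator wants before and after: that the copied backup is intact, and that the restored CA really presents the original CA certificate. The following PowerShell is an added example, not code from the original article; it assumes the role was already configured with the existing key as described above, the ADCSAdministration module, the backup folder at C:\CABackup with the manifest and inventory files named here, and the root CA's .crt/.crl files copied into a root subfolder of that backup.

```powershell
# Added example: scripted restore with integrity and key checks. Run elevated
# on the new CA after the role has been configured with the existing key.
Import-Module ADCSAdministration

$BackupRoot = 'C:\CABackup'                           # assumed path
$Password   = Read-Host -AsSecureString -Prompt 'Backup password'
$CertEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

# 1. Refuse to restore a backup whose files no longer match the manifest.
foreach ($entry in Import-Csv -Path (Join-Path $BackupRoot 'hashes.csv')) {
    $file = Join-Path $BackupRoot $entry.RelativePath
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    if ($hash -ne $entry.Hash) { throw "Backup file altered or corrupted: $file" }
}

# 2. Restore key, certificate and database (service must be stopped), then
#    merge the exported CertSvc key, as the Restore CA wizard and reg merge do.
Stop-Service -Name CertSvc -ErrorAction SilentlyContinue
Restore-CARoleService -Path $BackupRoot -Password $Password -Force
reg.exe import (Join-Path $BackupRoot 'CertSvc.reg') | Out-Null

# 3. Subordinate only: the root's certificate and CRL must be in CertEnroll
#    before the service will start. File names must match what the root's
#    CDP/AIA extensions reference (assumed to be in a 'root' subfolder).
$rootFiles = Join-Path $BackupRoot 'root'
if (Test-Path -Path $rootFiles) {
    Copy-Item -Path (Join-Path $rootFiles '*.crt'), (Join-Path $rootFiles '*.crl') `
              -Destination $CertEnroll -Force
}
Start-Service -Name CertSvc

# 4. Verify the restored CA still uses the original CA certificate and key:
#    CACertHash must equal the value recorded on the old server.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$now    = @((Get-ItemProperty -Path "$cfg\$caName").CACertHash)
$before = @(Get-Content -Path (Join-Path $BackupRoot 'cacerthash-before.txt'))
if (Compare-Object -ReferenceObject $before -DifferenceObject $now) {
    throw 'CA certificate hash changed: a new key was created instead of the old one'
}

# 5. Enterprise (subordinate) CA only: re-publish the templates recorded before
#    the migration, the scripted form of Certificate Template to Issue.
$inventory = Join-Path $BackupRoot 'templates-before.txt'
foreach ($name in Get-Content -Path $inventory -ErrorAction SilentlyContinue) {
    if ($name) { Add-CATemplate -Name $name -Force }
}
```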
The server has now been migrated.