Move Windows Certificate Authority to another server
In this post I will show how to move the Windows Certificate Authority role to another server.
Backup the current Root CA
Open the Certification Authority manager. Right click the name of the CA and select All Tasks > Back up CA.
The Certification Authority Backup Wizard opens. Click Next.
Select both the Private key and CA certificate and the Certificate database and certificate database log options. Click Browse and select a backup location, then click Next.
Enter a Password to protect access to the private key and click Next.
Backup the CA registry key
Now run the regedit command to export the registry key.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, right click the Root CA name and select Export.
Select the path to store the file, specify the File name and click Save.
Remove the CA role
The CA role must be removed from the server that is being decommissioned.
From the Server Manager select the Manage > Remove Roles and Features option and click Next.
Choose Select a server from the server pool and click Next. Untick the Certification Authority role and click Next.
Click Remove Features.
The Certification Authority role has been removed from the current server. Click Next.
Select Restart the destination server automatically if required and click Remove.
Install the CA role on the new server
On the new server, open the Server Manager and click Add roles and features.
Select the Role-based or feature-based installation option and click Next.
Choose Select a server from the server pool, select the server and click Next. Then select the Active Directory Certificate Services role and click Add Features when prompted. Then click Next to install the role.
Click Next to install the selected services.
Accept the default role services and click Next. Select Restart the destination server automatically if required and click Install.
When the installation process starts, you can click Close.
Configure the new CA
When the installation procedure completes, from the Server Manager click the yellow exclamation mark and click on the link Configure Active Directory Certificate Services on the destination server.
Make sure to use an account with Enterprise Administrator permissions. Click Next.
Select the two role services and click Next.
Select Enterprise CA as the CA type and click Next.
Select Use existing private key and choose Select a certificate and use its associated private key. Click Next.
Click Import. Click Browse, select the certificate exported from the old CA and enter the Password. Click OK.
Select the imported certificate and click Next. Leave the default locations and click Next.
Click Close when the configuration completes successfully.
Import the registry key
The last step is the import of the registry key previously exported from the old CA.
Before importing the registry key we need to replace the old server name with the new one. Right click the registry key file (ca_config.reg in the example) and select Edit.
Locate the CAServerName entry, change its value to the current server name and save the file.
Now open the Command Prompt and stop the CA service with the command:
net stop certsvc
Double click on the registry file to import the settings. Click Yes to confirm the import.
Click OK when the values have been added successfully.
Restore the database
Open the Certification Authority manager, right click the CA name and select All Tasks > Restore CA.
The Certification Authority Restore Wizard opens. Click Next.
Select both the Private key and CA certificate and the Certificate database and certificate database log options. Click Browse and select the location where the database backup is located, then click Next.
Enter the Password to gain access to the private key and click Next, then click Finish to restore the database.
Click Yes on the pop-up window to start Active Directory Certificate Services.
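The registry import and database restore above can also be scripted on the new server. The following PowerShell is an added example, not part of the original post; it assumes the backup folder and the exported .reg file were copied to C:\CABackup (assumed path) and that the ADCSAdministration module shipped with the CA role is available.

```powershell
# Added example (not from the original post): automates "Import the registry key"
# and "Restore the database" on the NEW server. Run from an elevated PowerShell.
#Requires -RunAsAdministrator
param(
    [string]$BackupPath = 'C:\CABackup',               # assumed location of the Back up CA output
    [string]$RegFile    = 'C:\CABackup\ca_config.reg'  # assumed location of the exported key
)

Import-Module ADCSAdministration

# 1. Stop the CA service before touching its configuration (same as "net stop certsvc").
Stop-Service -Name certsvc

# 2. Rewrite CAServerName so the imported configuration points at this server.
#    regedit writes .reg files as UTF-16LE; -Raw reads the whole file and
#    -Encoding Unicode writes it back in the same encoding.
$content = Get-Content -Path $RegFile -Raw
$pattern = '"CAServerName"="[^"]*"'
if ($content -notmatch $pattern) {
    throw "CAServerName not found in $RegFile; check that the right key was exported."
}
$replacement = '"CAServerName"="{0}"' -f $env:COMPUTERNAME
$content = $content -replace $pattern, $replacement
Set-Content -Path $RegFile -Value $content -Encoding Unicode

# 3. Import the patched key silently (regedit /s) and fail if it did not apply.
$proc = Start-Process -FilePath regedit.exe -ArgumentList "/s `"$RegFile`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "regedit returned exit code $($proc.ExitCode)" }

# 4. Restore private key, CA certificate and database from the wizard-style backup folder.
$backupPwd = Read-Host -Prompt 'Backup password' -AsSecureString
Restore-CARoleService -Path $BackupPath -Password $backupPwd -Force

# 5. Start the CA and verify that it is registered under this server's name.
Start-Service -Name certsvc
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$active = (Get-ItemProperty -Path $cfgKey).Active
$name   = (Get-ItemProperty -Path "$cfgKey\$active").CAServerName
if ($name -ne $env:COMPUTERNAME) {
    throw "CAServerName is '$name', expected '$env:COMPUTERNAME'"
}
Write-Host "CA '$active' restored on $env:COMPUTERNAME"
```

The final check catches the most common mistake in this migration: a CAServerName that still points at the old server, which leaves the CA unable to start.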
What About Certificate Templates? Do I need to Move Them?
No! Certificate templates are actually stored in Active Directory, NOT on the actual Certificate Services server (that's why they sometimes take a while to appear after you create them!).