Move Windows Certificate Authority to another server
In this post I will show how to move Windows Certificate Authority role to another Server.
Backup the current Root CA
Open the Certification Authority manager.
Right click the name of the CA and select All Tasks > Back up CA.
The Certification Authority Backup Wizard opens. Click Next.
Select both Private key and CA certificate and Certificate database and certificate database log options. Click Browse and select a backup location then click Next.
Enter a Password to gain access to the private key and click Next.
Backup the CA registry key
Now run the regedit command to export the registry key.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, right click the Root CA name and select Export.
Select the path to store the file, specify the File name and click Save.
Remove the CA role
The CA role must be removed from the server to dismiss.
From the Server Manager select Manage > Remove Roles and Features option and Click Next.
Choose Select a server from the server pool and click Next. Untick the Certification Authority role and Next.
Click Remove Features.
The Certification Authority role has been removed from the current server. Click Next.
Select Restart the destination server automatically if required and click Remove.
Install the CA role on the new server
In the new server, open the Server Manager and click Add roles and features.
Select Role-based or feature-based installation option and click Next.
Choose Select a server from the server pool, select the server and click Next. Then select the Active Directory Certificate Services role and Click Add Features when prompted. Then click Next to install the role.
Click Next to install selected services.
Accept default role services and click Next. Select Restart the destination server automatically if required and click Install.
When the installation process starts, you can click Close.
Configure the new CA
When the installation procedure completes, from the Server Manager click the yellow exclamation mark and click on the link Configure Active Directory Certificate Services on the destination server.
Make sure to use an account withEnterprise Administrator permissions. Click Next.
Select the two role services and click Next.
Select Enterprise CA as CA type and click Next.
Select Use existing private key and choose Select a certificate and use its associated private key. Click Next.
Click Import. Click Browse and select the certificate exported from the old CA and enter the Password. Click OK.
Select the imported certificate and click Next. Leave default locations and click Next.
Click Close when the configuration completes successfully.
Import the registry key
Last step is the import of the registry key previously exported from the old CA.
Before importing the registry key we need to change the name server with the new one. Right click the registry key file (ca_config.reg in the example) and select Edit.
Locate the CAServerName entry and change the name with the current server name and save the file.
Now open the Command Prompt and stop the ca service with the command:
net stop certsvc
Double click on the registry file to import the settings. Click Yes to confirm the import.
Click OK when values have been added successfully.
Restore the database
Open the Certification Authority manager and right click the CA name and select All Taks > Restore CA.
The Certification Authority Restore Wizard opens. Click Next.
Select both Private key and CA certificate and Certificate database and certificate database log options. Click Browse and select the location where the database is located then click Next.
Enter the Password to gain access to the private key and click Next then click Finish to restore the database.
Click Yes on the pop-up window to start Active Directory Certificate Services.
What About Certificate Templates? Do I need to Move Them?
No! Certificate templates are actually stored in Active Directory, NOT in/on the actual Certificate Services server, (that’s why sometimes they take a while to appear after you create them!)
