How to Replace Your Windows Certificate Authority Server Without Downtime
Replacing the server that runs your Windows certificate authority (CA) can seem daunting. If the certificates are mishandled or the CA is set up incorrectly, they may have to be reissued, which is painful. In practice, moving the CA to a new server is not hard.
This blog post will go step-by-step through the process of moving a Windows-based CA to a new server. You can use this to move the CA to a newer operating system, or just to a new server.
If your CA hierarchy has a root and one or more subordinates, start with the root and work your way down. I recommend moving them one at a time over the course of several days or weeks. This allows the environment to settle and any issues with the move to surface before you move the next CA. The same process works for moving the root and the subordinates without modification.
Note that for this process, the old server and the new server must end up with the same computer name. When your new server is built, give it a temporary name; it will be renamed to the old CA’s name as part of the process.
Joining it to your AD domain before doing these steps is optional. You can join it to the domain as part of the rename.
NOTE: Do not pre-install the AD CS role on the new server. Installing it before the role has been removed from the existing server will make your PKI environment unstable.
Securely Back Up Your Existing Certificate Authority
The first step is to back up your existing CA.
3. In the Certification Authority console (certsrv.msc), select the Certificate Templates node under your CA and screenshot or otherwise note the certificate templates listed in the right pane. You’ll need this later to re-publish the certificate templates. If you’re in a certificate hierarchy and moving the root, you may only have one template here (the subordinate CA template).
4. In the left pane, right-click your CA. Select All Tasks, then Back up CA.
5. Click Next, then check the boxes for Private key and CA certificate and Certificate database and certificate database log. Browse and select an empty directory to store the backup. Click Next.
6. Type in a password to protect the CA’s private key in the backup. You’ll need it later when restoring on the new server.
7. Click Next, then Finish.
8. Launch RegEdit.
9. Right-click this key, choose Export, and save the .reg file in the folder specified in step 5: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.
10. Copy the backup folder from step 5 to a location that is accessible by the new server. This should be a network share or some storage that is not local to the existing CA server.
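The same backup, as a scripted, repeatable alternative to the console steps above. This is an added example and not part of the original post; it assumes an elevated PowerShell session on the existing CA, that the ADCSAdministration module is available (it ships with the AD CS role), and it uses C:\CABackup and \\fileserver\cabackup as placeholder paths that you should replace with your own.

```powershell
# Added example (not from the original post). Run elevated on the existing CA.
# $BackupDir and $Share are assumed paths; change them for your environment.
$BackupDir = 'C:\CABackup'
$Share     = '\\fileserver\cabackup'

# Step 5 requires an empty backup directory; create it or refuse a non-empty one.
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}
if (Get-ChildItem -Path $BackupDir -Force) {
    throw "Backup directory must be empty: $BackupDir"
}

# Step 3: record the templates this CA publishes, so they can be re-published later.
Import-Module ADCSAdministration
Get-CATemplate | Export-Csv -Path (Join-Path $BackupDir 'published-templates.csv') -NoTypeInformation
# certutil shows the same list in a human-readable form; keep that too.
certutil -catemplates | Out-File -FilePath (Join-Path $BackupDir 'published-templates.txt')

# Steps 4-7: back up the private key, CA certificate, database and database logs.
# Backup-CARoleService is the PowerShell equivalent of "Back up CA" in certsrv.msc.
$Password = Read-Host -AsSecureString -Prompt 'Password to protect the CA private key'
Backup-CARoleService -Path $BackupDir -Password $Password
# Equivalent command-line form: certutil -p <password> -backup $BackupDir

# Steps 8-9: export the CertSvc configuration registry key.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y

# Sanity check before copying: the backup should contain a .p12 (CA cert + key)
# and the certificate database (.edb). Stop here if either is missing.
$p12 = Get-ChildItem -Path $BackupDir -Recurse -Filter '*.p12'
$edb = Get-ChildItem -Path $BackupDir -Recurse -Filter '*.edb'
if (-not $p12 -or -not $edb) {
    throw 'Backup is incomplete: expected a .p12 and an .edb file under the backup directory.'
}

# Record file hashes so you can confirm the copy on the share is intact.
Get-ChildItem -Path $BackupDir -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $BackupDir 'hashes.csv') -NoTypeInformation

# Step 10: copy the whole folder to storage that is not local to this server.
Copy-Item -Path $BackupDir -Destination $Share -Recurse
```

The .p12 in this folder contains the CA’s private key, protected only by the password you typed. Restrict the share’s ACL to the administrators performing the migration and delete the copy once the new CA is verified; the hashes.csv lets you confirm on the new server that every file arrived unchanged.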