How to Move AD Certificate Authority Role to Another Server

Step 1: Backup CA database and its configuration

Go to Start > Administrative Tools > Certification Authority. Right-click the server node > All Tasks > Backup CA.

Select both checkboxes.

Enter a password for the private key and CA certificate file.

Complete the wizard.

Step 2: Backup CA Registry Settings

Run > type regedit and click OK.

Expand the key at the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

Right-click the Configuration key, click Export, and save the file.
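
Steps 1 and 2 can also be scripted. The PowerShell below is an added example, not part of the original article: it runs elevated on the old server, takes the same backup, checks that the backup set is complete before the role is removed in Step 3, and records file hashes so the copy on the new server can be verified. The folder C:\CABackup and the .reg and .csv file names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of Steps 1 and 2, run on the old CA server.
# $BackupDir, $RegFile and $HashFile are assumed names, not values from the article.
$ErrorActionPreference = 'Stop'
$BackupDir = 'C:\CABackup'
$RegFile   = Join-Path $BackupDir 'CertSvc-Configuration.reg'
$HashFile  = Join-Path $BackupDir 'backup-hashes.csv'
$RegKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Prompt for the password so it is never stored in the script or shell history.
$Password = Read-Host -AsSecureString -Prompt 'Password for the CA private key backup'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Lock the folder down before the private key is written into it:
# remove inherited ACEs, allow only BUILTIN\Administrators and SYSTEM.
icacls.exe $BackupDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 1: back up the database and the private key/CA certificate (both checkboxes).
Backup-CARoleService -Path $BackupDir -Password $Password

# Step 2: export the CertSvc\Configuration registry key.
reg.exe export $RegKey $RegFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Verify the backup set is complete before uninstalling the role.
if (-not (Get-ChildItem -Path $BackupDir -Filter '*.p12')) {
    throw 'No .p12 file (private key and CA certificate) found in the backup folder'
}
if (-not (Test-Path (Join-Path $BackupDir 'DataBase'))) {
    throw 'DataBase folder is missing from the backup folder'
}
if (-not (Test-Path $RegFile)) {
    throw 'Registry export is missing from the backup folder'
}

# Record SHA-256 hashes; collect them first so the CSV does not hash itself.
$hashes = Get-ChildItem -Path $BackupDir -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path
$hashes | Export-Csv -Path $HashFile -NoTypeInformation
```

After copying the folder to the new server, recompute the hashes there with Get-FileHash and compare them with backup-hashes.csv before running the restore in Step 6.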


Step 3: Uninstall CA Service From the Old Server

Server Manager > Local Server > scroll down to Roles and Features > select Tasks > Remove Roles and Features > untick Active Directory Certificate Services > click Next > complete the wizard.

After the uninstallation, reboot the server.

Step 4: Install CA Role on the New Server

Start Server Manager > Add Roles and Features > Next > Next > select Active Directory Certificate Services > Next > select Certification Authority > complete the wizard.

Step 5: CA Post Deployment Configuration

In Server Manager, we can see a pending configuration for the CA. Click Configure...

Select Certification Authority.

Select Enterprise CA.

Choose Root CA.

Choose Use existing private key.

Click Import.

Browse to the private key file and enter its password.

Click Next.

Click the Configure button.

Step 6: Restore CA Configuration and Registry

Start the Certification Authority console > right-click the server > All Tasks > Stop Service.

Right-click the server > All Tasks > choose Restore CA.

The private key and the database folder must be in one folder (CABackup). Browse to that folder and click Next.

Enter the private key password.

Complete the wizard.

Select No, because we need to modify and merge the registry backup file.

Right-click the registry file and select Merge.

Now we can start the CA service. The CA configuration will retain the CA name of the former server because of the restore.

Finally, we need to re-issue the certificates we had on the old server. Right-click Certificate Templates > New > Certificate Template to Issue > select the certificates you need to use.