How to Replace Your Windows Certificate Authority Server Without Downtime

Servers running your Windows certificate authority (CA) can seem like a scary thing to have to replace. If the certificates get messed up or set up incorrectly, that could mean that they must be reissued, which would be very difficult. It’s actually not hard to move the CA to a new server.

This blog post will go step-by-step through the process of moving a Windows-based CA to a new server. You can use this to move the CA to a newer operating system, or just to a new server.

If your CA hierarchy has a root and one or more subordinates, start with the root and work your way down. I recommend moving them one at a time over the course of several days or weeks. This allows the environment to settle and lets any issues with the move surface before you touch the next CA. The process below works unchanged for both the root and the subordinates.

Note that for this process the old server and the new server must end up with the same computer name. When you build the new server, give it a temporary name; it is renamed as part of the process.

Linking it to your AD domain prior to doing these steps is optional. You can link it to the domain as part of the rename.

NOTE: Do not pre-install the ADCS roles on the new server. This will make your PKI environment unstable if done prior to removing the roles from the existing server.

Securely Back Up Your Existing Certificate Authority

The first step is to back up your existing CA.

  1. Log in to your existing Certificate Authority server and launch the Certification Authority MMC snap-in.
  2. Expand the CA and click the Certificate Templates folder.
  [Screenshot: Certification Authority MMC with the Certificate Templates folder selected]
  3. Screenshot or otherwise note the certificate templates in the right pane. You’ll need this later to re-publish the certificate templates. If you’re in a certificate hierarchy and moving the root, you may only have one template here (the subordinate template).
  [Screenshot: Certification Authority MMC showing the published certificate templates in the right pane]
  4. In the left pane, right-click your CA. Select All Tasks, then Back up CA.
  [Screenshot: Certification Authority MMC with the CA selected in the left pane]
  5. Click Next, then check the boxes for Private key and CA certificate and Certificate database and certificate database log. Browse and select an empty directory to store the backup. Click Next.
  [Screenshot: CA backup options with both boxes checked and the directory selection]
  6. Type in a password to protect the CA’s private key. You’ll need this later.
  7. Click Next, then Finish.
  8. Launch RegEdit.
  9. Export this key, saving the .reg file in the folder specified in step 5: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.
  10. Copy the backup folder from step 5 to a location that is accessible by the new server. This should be a network share or some storage that is not local to the existing CA server.
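
The backup section scripted in PowerShell, as an added example that is not from the original post. It assumes the ADCSAdministration module (Windows Server 2012 or later), an elevated session on the existing CA, and placeholder paths for the local backup folder and the network share.

```powershell
# Added example (not from the original post). Run elevated on the existing CA.
Import-Module ADCSAdministration

$BackupRoot = 'C:\CABackup'                          # placeholder; must be empty, as in the wizard
$ShareCopy  = '\\fileserver\pki-migration\CABackup'  # placeholder network share
$RegKey     = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

if (Test-Path $BackupRoot) {
    if (@(Get-ChildItem $BackupRoot).Count -gt 0) { throw "$BackupRoot is not empty" }
} else {
    New-Item -ItemType Directory -Path $BackupRoot | Out-Null
}

# Step 3: record the published templates so they can be re-published later.
# Name is the template name Add-CATemplate expects, not the display name.
Get-CATemplate | Select-Object Name, Oid |
    Export-Csv -Path (Join-Path $BackupRoot 'published-templates.csv') -NoTypeInformation

# Steps 4-7: private key, CA certificate, database and logs, protected by a password.
$pw = Read-Host -Prompt 'Password to protect the CA private key' -AsSecureString
Backup-CARoleService -Path $BackupRoot -Password $pw -KeepLog

# Steps 8-9: export the CertSvc configuration key next to the backup.
reg.exe export $RegKey (Join-Path $BackupRoot 'CertSvc-Configuration.reg') /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed' }

# Sanity check before leaving the server: the .p12 holding the key and certificate,
# the database and the .reg export must all be present.
foreach ($pattern in @('*.p12', '*.edb', '*.reg')) {
    if (-not (Get-ChildItem -Path $BackupRoot -Recurse -Filter $pattern)) {
        throw "Backup is missing files matching $pattern"
    }
}

# Step 10: copy the folder off the CA server.
Copy-Item -Path $BackupRoot -Destination $ShareCopy -Recurse -Force
```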

Uninstalling Certificate Authority Roles from the Existing Server – A Critical Step

Now we need to uninstall the CA roles from the existing server. This is very important, as uninstalling also removes some objects from Active Directory. You must remove these roles before proceeding to the next section.

  1. Launch Server Manager and uninstall the ADCS roles from the existing server.
  2. Shut down the existing server or otherwise disconnect it from the network.

Effortlessly Restore and Configure Your New Certificate Authority Server

Now we can install the CA on the new server.

  1. Rename the new server to the name of the old server and restart.
  2. If your new server has a different IP address than your old server, you may have to clear the old DNS record and re-register it. Check this before proceeding.
  3. Copy the backup folder created in the first section to the new server, or make sure it’s accessible on your network.
  4. Launch Server Manager and install the ADCS roles.
  5. Once the roles have installed, click Configure Active Directory Certificate Services on the destination server.
  6. Click Next, check the box for Certification Authority, and click Next.
  7. Select whether this is an Enterprise CA or Standalone CA. This should match the choice from the previous server. Click Next.
  8. Select whether this is the Root CA or a Subordinate CA and click Next.
  9. Select Use existing private key and make sure Select a certificate and use its associated private key is selected. Click Next.
  10. Click Import. Browse to the certificate file located at the root of the backup folder. Type the password used when backing up the CA in section 1. Click OK.
  11. Click the certificate in the Certificates box and click Next.
  [Screenshot: AD CS configuration wizard with the imported certificate selected in the Certificates box]
  12. Leave the defaults for Specify the database locations and click Next.
  13. Review the confirmation screen and click Configure.
  14. Click Close to exit the wizard.
  15. Exit Server Manager.

The Restoration and Configuration of Your Certification Authority Database Begins

  1. Stop the Active Directory Certificate Services service.
  2. Launch the Certification Authority MMC snap-in.
  3. In the left pane, right-click your CA. Select All Tasks, then Restore CA.
  [Screenshot: Certification Authority MMC with the CA selected and Restore CA under All Tasks]
  4. Click Next.
  5. Check the boxes for Private key and CA certificate and Certificate database and certificate database log. Browse to the backup folder. Click Next.
  [Screenshot: Restore CA options with key, certificate and database boxes checked and the backup folder selected]
  6. Type the password used when backing up the CA. Click Next.
  7. Click Finish.
  8. When prompted whether you want to start Active Directory Certificate Services, click No.
  [Screenshot: prompt to start Active Directory Certificate Services, with No selected]
  9. Navigate to your backup folder and import the registry file that you exported as part of the Backup section.
  10. Start the Active Directory Certificate Services service.
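
The restore section scripted in PowerShell, as an added example that is not from the original post. It assumes the ADCSAdministration module, an elevated session on the new server after the configuration wizard has finished, and a placeholder backup folder containing the .p12 file, the DataBase folder and the exported .reg file (the .reg file name is assumed).

```powershell
# Added example (not from the original post). Run elevated on the new CA server.
Import-Module ADCSAdministration

$BackupRoot = 'C:\CABackup'                                      # placeholder
$RegFile    = Join-Path $BackupRoot 'CertSvc-Configuration.reg'  # assumed file name

# Step 1: the database can only be restored while the CA service is stopped.
Stop-Service -Name CertSvc -Force

# Steps 3-7: restore key, certificate, database and logs. -Force overwrites the
# empty database that the configuration wizard created.
$pw = Read-Host -Prompt 'Password used when backing up the CA' -AsSecureString
Restore-CARoleService -Path $BackupRoot -Password $pw -Force

# Steps 8-9: import the registry export BEFORE the service starts (the wizard's
# "start the service?" prompt is answered No for the same reason), so the CA comes up
# with the old CRL/AIA and policy settings rather than the wizard defaults.
if (-not (Test-Path $RegFile)) { throw "Registry export not found: $RegFile" }
reg.exe import $RegFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry import failed; do not start the CA' }

# Step 10: start the service and confirm the CA answers over RPC/DCOM.
Start-Service -Name CertSvc
if ((Get-Service -Name CertSvc).Status -ne 'Running') { throw 'CertSvc did not start' }
certutil.exe -ping | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'CA did not respond to certutil -ping' }

# Restored registry values worth eyeballing before clients hit the CA.
certutil.exe -getreg CA\CRLPublicationURLs
certutil.exe -getreg CA\CACertPublicationURLs
```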

Finally, the non-default certificate templates that were previously published need to be re-published. These are actually stored in AD, so it’s just a matter of publishing them again.

  1. From the Certification Authority MMC snap-in, right-click Certificate Templates, expand New, and select Certificate Template to Issue.
  [Screenshot: Certification Authority MMC showing Certificate Template to Issue under New]
  2. Select the certificate template and click OK.
  [Screenshot: certificate template selection dialog with OK highlighted]

Optionally, you can publish a certificate template using PowerShell with this command:

Add-CATemplate -Name "<template name>"

Note that the value passed to -Name is the template name (the Template name field on the template’s General tab), not the template display name shown in the MMC:

Example:

Add-CATemplate -Name "WebServer-1yr"
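
An added example (not from the original post) that starts from the display names noted in the backup section and resolves each to the template name that Add-CATemplate requires, using the template objects in the AD Configuration partition. It assumes the ADCSAdministration and ActiveDirectory modules, an elevated session on the restored CA, and uses placeholder display names.

```powershell
# Added example (not from the original post). Run elevated on the restored CA.
Import-Module ADCSAdministration
Import-Module ActiveDirectory

# Display names as shown in the MMC's Certificate Templates folder (placeholders).
$displayNames = @('Web Server 1 Year', 'Workstation Authentication')

# Templates live in the Configuration partition: cn is the template name,
# displayName is what the MMC shows. Build a display-name -> template-name map.
$base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
        (Get-ADRootDSE).configurationNamingContext
$byDisplay = @{}
Get-ADObject -SearchBase $base -Filter 'objectClass -eq "pKICertificateTemplate"' -Properties displayName |
    ForEach-Object { $byDisplay[$_.displayName] = $_.Name }

$published = Get-CATemplate | Select-Object -ExpandProperty Name

foreach ($dn in $displayNames) {
    $templateName = $byDisplay[$dn]
    if (-not $templateName) {
        Write-Warning "No template in AD has display name '$dn'"
        continue
    }
    if ($published -contains $templateName) {
        Write-Host "Already published: $templateName ($dn)"
        continue
    }
    try {
        # -Name takes the template name (e.g. WebServer-1yr), never the display name.
        Add-CATemplate -Name $templateName -Force
        Write-Host "Published: $templateName ($dn)"
    } catch {
        # Typical causes: template deleted from AD, or the CA computer account
        # lacks Read/Enroll on the template object.
        Write-Warning "Could not publish '$templateName': $($_.Exception.Message)"
    }
}

# Final state for the migration record.
Get-CATemplate | Sort-Object Name | Format-Table Name, Oid -AutoSize
```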

Final Thoughts

Hopefully this blog post can help you migrate your CA servers to new servers. It’s not as difficult or scary as you might think. If you need assistance with this topic, please contact WME and reference this blog post. 
