Migrate to Azure AD a server that has the CA service (Certification Authority)

Raul Guchinife 140 Reputation points
2023-02-20T09:04:49.84+00:00

Hello. I want to migrate to Azure AD a server that has the CA service (Certification Authority). This server is also a DC.

What is the best way to migrate this service?


1 answer

  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2023-02-23T07:24:41.8933333+00:00

    @Raul Guchinife Thank you for reaching out to us. As I understand it, you are looking for steps or an approach to migrate a domain controller and certificate authority (currently on the same server) to Azure.

    As far as I know, having the certificate authority role on a domain controller is not recommended. With this approach you cannot remove Active Directory (in the event you want to decommission a DC, for example) without first removing the certificate authority role (AD CS) from that DC.

    I would suggest having a different server for the domain controller and the CA role. As for the migration approach for the CA role, refer to the steps in this article: https://jackwesleyroper.medium.com/migrating-the-ad-certificate-authority-service-server-role-from-2012-r2-to-2019-template-57061c3e7728 (the approach is the same whether it is on-premises or Azure).

    You can also refer to this thread about best practices for the CA role: https://social.technet.microsoft.com/Forums/windowsserver/en-US/66cd9712-b44a-406b-b77f-07ee945bf80f/certificate-services-install-on-domain-controller?forum=winserversecurity

    We also have Azure AD certificate-based authentication: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication. I would request that you go through the supported and unsupported scenarios; if it covers what your on-premises CA is doing, then you can implement this service.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.
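The answer above gives the two practical constraints (AD CS must come off the DC before that DC can be demoted, and the CA should land on its own server) but not the commands. The script below is an added example written for this thread, not code from the answer or from the linked article. It assumes a hypothetical backup folder C:\CABackup that you copy to the target server yourself, an enterprise root CA (change -CAType for a subordinate), the same CA name on the new host, and an elevated session on the source DC for -Phase Backup and on the new domain-joined member server for -Phase Restore.

```powershell
<#
  Added example for this thread (not from the original answer).
  Assumptions, labelled: C:\CABackup is a hypothetical path; the CA is an
  EnterpriseRootCA; the CA name is kept; run elevated.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Backup', 'Restore')]
    [string]$Phase,
    [string]$BackupPath = 'C:\CABackup'   # assumption: hypothetical folder
)

Import-Module ServerManager
# ADCSAdministration/ADCSDeployment become available once the AD CS role tools are installed.
Import-Module ADCSAdministration -ErrorAction SilentlyContinue
Import-Module ADCSDeployment    -ErrorAction SilentlyContinue

# The point made in the answer: a DC that also runs AD CS cannot be demoted
# until the CA role is removed. Detect the combined state before doing anything.
function Test-CombinedDcAndCa {
    $dc = (Get-WindowsFeature -Name AD-Domain-Services).Installed
    $ca = (Get-WindowsFeature -Name ADCS-Cert-Authority).Installed
    [pscustomobject]@{
        IsDomainController      = $dc
        HasCertificateAuthority = $ca
        MustRemoveCaFirst       = ($dc -and $ca)
    }
}

switch ($Phase) {
    'Backup' {
        $state = Test-CombinedDcAndCa
        if (-not $state.HasCertificateAuthority) { throw 'No CA role on this host; nothing to back up.' }
        if ($state.MustRemoveCaFirst) { Write-Warning 'Host is both DC and CA: the CA is removed below, demote the DC only after that.' }
        New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

        $pwd = Read-Host -AsSecureString 'Password to protect the exported CA key (PKCS#12)'
        # 1. CA database plus the CA certificate and private key (<CAName>.p12 in $BackupPath).
        Backup-CARoleService -Path $BackupPath -Password $pwd -Force

        # 2. CA configuration (CRL/AIA URLs, validity periods, policy flags) lives in the registry.
        reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
            (Join-Path $BackupPath 'CertSvc-Configuration.reg') /y | Out-Null

        # 3. Record the published templates; a restored CA does not re-publish them by itself.
        certutil -catemplates | Out-File (Join-Path $BackupPath 'templates.txt')

        # 4. Keep a copy of the CA certificate to compare against the rebuilt CA.
        certutil -ca.cert (Join-Path $BackupPath 'ca-cert.cer') | Out-Null

        # Remove the CA role only. AD DS is untouched; the DC can be demoted afterwards.
        Uninstall-AdcsCertificationAuthority -Force
        Uninstall-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
    }
    'Restore' {
        $state = Test-CombinedDcAndCa
        # Enforce the answer's recommendation: never put the CA back on a DC.
        if ($state.IsDomainController) { throw 'Refusing to install AD CS on a domain controller.' }
        $pwd = Read-Host -AsSecureString 'Password used when the CA key was exported'

        Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
        Import-Module ADCSDeployment

        # Re-create the CA from the exported certificate/key so the CA name and key pair survive.
        $p12 = Get-ChildItem -Path $BackupPath -Filter '*.p12' | Select-Object -First 1
        if (-not $p12) { throw "No .p12 found in $BackupPath; copy the backup set first." }
        Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
            -CertFile $p12.FullName -CertFilePassword $pwd -Force

        # Restore the issued-certificate database over the empty one the install created.
        Stop-Service certsvc
        Restore-CARoleService -Path $BackupPath -Password $pwd -DatabaseOnly -Force

        # Bring the old configuration back, then point CAServerName at this host.
        reg import (Join-Path $BackupPath 'CertSvc-Configuration.reg') | Out-Null
        certutil -setreg CA\CAServerName $env:COMPUTERNAME | Out-Null
        Start-Service certsvc

        # Templates to re-publish by hand (certsrv.msc or certutil -SetCATemplates).
        Get-Content (Join-Path $BackupPath 'templates.txt')
    }
}
```

Two caveats a practitioner will want: the CRL and AIA URLs carried over in the registry export still name the old distribution points, so either keep those names resolvable after the move or update them before issuing new certificates, and the exported .p12 is the CA's private key, so treat the backup folder as you would the CA itself (encrypted at rest, deleted once the restore is verified).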
