Hello J Moat,
Thank you for posting in the Q&A forum.
Is your two-tier PKI Infrastructure an offline standalone root CA (in one workgroup) and an online enterprise issuing CA (in your domain)? If so, you can migrate it based on the steps below:
For migrating root CA:
1. Check the PKI health: open PKIview.msc to check.
2. Back up the root CA data (certificate authority database and its configuration, CA registry settings) as in the link below.
3. Uninstall the CA service from the old root CA.
4. Install Windows Server 2022 Certificate Services on the new root CA server that is in the workgroup (the new root CA machine name can be different from the old root CA server name).
5. Configure AD CS on the new root CA server.
6. Restore the root CA backup on the new root CA server.
7. Restore the registry info on the new root CA server.
For migrating issuing CA:
1. Check the PKI health: open PKIview.msc to check.
2. Back up the issuing CA data (certificate authority database and its configuration, CA registry settings) as in the link below.
3. Uninstall the CA service from the old issuing CA.
4. Install Windows Server 2022 Certificate Services on the new issuing CA server that is in the domain (the new issuing CA machine name can be different from the old issuing CA server name).
5. Configure AD CS on the new issuing CA server.
6. Restore the issuing CA backup on the new issuing CA server.
7. Restore the registry info on the new issuing CA server.
8. Reissue certificate templates.
For the migration steps, you can refer to the steps below (the steps are similar to those for migrating from Windows Server 2012 R2 to 2022):
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
Now, since the Root CA Certificate will be expiring, I assume we then need to do Renew CA Certificate but do not generate a new public and private key pair (Renewal with existing key pair).
A: Yes, you can migrate the two-tier PKI first and, if the migration is successful, you can then renew the CA certificate before it expires.
If you want to renew the CA certificate with the existing public and private key pair, you can select the "No" option below before clicking the OK button.
Considerations for migrating a CA to a new machine:
- When migrating a CA, the computer name of the target computer may be different from the computer name of the source computer, but the CA name must stay the same.
- By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.
- During the installation process, we must choose to use the CA's existing certificate and private key instead of creating a new CA certificate and key.
For the CA server name, you can name it after the operating system is installed on this server.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
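The backup and restore steps from the lists above, written out as an added PowerShell example (this is not code from the original answer or from Microsoft). It assumes the CA name "Contoso-Issuing-CA", the backup folder D:\CABackup and the standard AD CS registry location; the `CAServerName` value under the CA's configuration key is where the host name is stored and must be updated because the new machine name may differ, while the `Active` value holds the CA name, which must not change.

```powershell
# Added example (not part of the original answer). Assumed values: CA name
# "Contoso-Issuing-CA" and backup folder D:\CABackup; replace with your own.
Import-Module ADCSAdministration
$CaName     = 'Contoso-Issuing-CA'
$BackupPath = 'D:\CABackup'
$RegBase    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Backup-OldCa {
    # Run on the OLD CA: database plus CA certificate/private key, then the
    # registry settings (CDP/AIA URLs, validity periods, etc.).
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    $pw = Read-Host -AsSecureString 'Password to protect the exported CA key'
    Backup-CARoleService -Path $BackupPath -Password $pw -Force
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        "$BackupPath\CertSvc-Configuration.reg" /y
}

function Restore-NewCa {
    # Run on the NEW CA after AD CS was installed using the existing CA
    # certificate and key with the same CA name.
    Stop-Service certsvc
    $pw = Read-Host -AsSecureString 'Password used when the key was exported'
    Restore-CARoleService -Path $BackupPath -Password $pw -Force
    reg import "$BackupPath\CertSvc-Configuration.reg"

    # The CA name ('Active') must match the old CA; refuse to continue otherwise.
    $active = (Get-ItemProperty -Path $RegBase -Name Active).Active
    if ($active -ne $CaName) {
        throw "Restored CA name '$active' does not match expected '$CaName'"
    }
    # The restored registry still names the old host; point it at this machine.
    Set-ItemProperty -Path "$RegBase\$CaName" -Name CAServerName -Value $env:COMPUTERNAME
    Start-Service certsvc

    # Show the CRL publication URLs so the pre-migration path can be verified
    # to still be served, as the considerations above require.
    certutil -getreg 'CA\CRLPublicationURLs'
}
```

Run Backup-OldCa on the source CA before uninstalling the role and Restore-NewCa on the target after AD CS has been configured with the existing certificate and key.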