In short, you cannot.
You have to rebuild the CA and reissue all certs
For the migration guidance, refer to https://isinghblog.wordpress.com/2008/06/03/migrating-microsoft-enterprise-root-ca-to-an-offline-root-ca-hierarchy/
hth
Marcin
Can you convert a root CA Enterprise server to a standalone offline root CA?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 39%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
AnnaG
166
Reputation points
Hello all,
Can you convert a root CA Enterprise server to a standalone offline root CA or do you have to build another PKI server in parallel and do it that way? If the latter applies, can you provide a quick summary of steps to ensure no outage?
Thanks in advance
Windows for business | Windows Server | User experience | Other
Answer accepted by question author
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Marcin Policht
90,315
Reputation points MVP
Volunteer Moderator
2 additional answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Thameur-BOURBITA 36,526 Reputation points Moderator2024-03-14T10:37:57.3+00:00 Hi @AnnaG •
Unfortunately it's not possible .You have to rebuild new one and be sure that you recreate from new CA all certificates generated by the old CAR before decommission it. You should start by make a audit to identify all certificates generated by old CA.
Please don't forget to accept helpful answer