This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 43%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
i have PKI which 2012R2 , and Ent CA key is also going to expire, Root CA still have 10 years
i wish to follow a industry standard for upgrade windows to 2019, and renew the CA cert,
i wonder any microsoft recommandation for upgrade and renew
should i moving the existing root CA cert , and renew ent CA cert,
or just renew Root CA and Ent CA cert, ]
i want a documentation or article for supporting
thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello @Ming Cheung ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hello @Ming Cheung ,
Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Thanks for your time and have a nice day!
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Answer accepted by question author
You can do this in any order: renew first than migrate, or migrate first and then renew. For migration guide you can follow official ADCS migration guide: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486797(v=ws.11)
thank you for the help
i did research the procedure and steps, but i need to follow a standard,
like how digicert, GlobalSign renew their Root cert? i want to follow the biggest company standard
but it is hard to know their standard,
or even microsoft's article for description of best practice, it is ok also
any document for talking about this?
but i need to follow a standard
there is no such standard.
like how digicert, GlobalSign renew their Root cert?
they do not renew. They deploy a new CA when existing is about to expire. They do cross-certification tricks to allow the trust to new root for transition period, but they do not support CA certificate renewal like ADCS does.
The only thing you should keep in mind here -- renew only with new key pair. Never reuse it.
thank you Crypt32
good advice, and any article about this can be found? reference from?
since my boss may ask the reference
I don't think there is any official recommendation. What I'm suggesting here -- came from my personal experience in building and maintaining various PKIs.
Hello @Ming Cheung ,
Thank you for your update.
We suggest renewal with new key pair.
For the difference between renewal with existing key pair and renewal with new key pair, you can refer to link below.
Root CA certificate renewal
https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx
We can backup 2012 R2 and recover cert to 2019, and then renew with new key.
Or renew with new key, and then backup 2012 R2 and recover cert to 2019.
For migrate CA from 2012 R2 to 2019, we can refer to steps below (similar steps).
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo
Considerations for migrating a CA to a new machine:
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Tip: Each of the above small steps contains a lot of operations.
It is recommended that you set up a similar CA environment in the test environment, and perform migration and renew operations in the test environment, and then record all these steps in a document, and write down the key points and precautions.
If there are no problems, follow the similar the steps in the production environment, so that even if you encounter any problems in the production environment, you should be able to troubleshoot or solve them well.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hi Daisy
thank you for the detail explanation and advice, after I deeply consideration, I still have some wondering
[ We can backup 2012 R2 and recover cert to 2019, and then renew with new key.
Or renew with new key, and then backup 2012 R2 and recover cert to 2019. ]
if renew with new key, why need backup and recover? why not just build up a new 2019 with new key?
is it only for keeping these expired cert?
continues
[ Uninstalling the source CA deletes objects from AD DS. If the target CA is a stand-alone CA, then these objects are no longer required. However, if the target CA is an enterprise CA, then it is important to uninstall the source CA before you install the target CA. This ensures the required objects are added to AD DS.]
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)?redirectedfrom=MSDN
I checked the description at this link, it said it have to uninstall old CA, and then install the new CA if migration of existing key
I wonder is it possible just shutdown the old CA, and install a new CA, in case any happened, I can just power up the old CA for keeping services?
I wonder is it possible to run old and new 2019 with same CA key simultaneously ? any impact?
thank you so much
Hello @Ming Cheung ,
Thank you for posting here.
Hope the information provided by Crypt32 is helpful.
After my research, here are two articles for your references.
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo
Renew Issuing/Subordinate CA Certificate
https://www.risual.com/2014/05/renew-issuingsubordinate-ca-certificate/
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Best Regards,
Daisy Zhou
thank you for the help
but i want to identify what strategy ? what is the industry standard? best practice?
i wonder which one is a industry standard
