Share via

OS upgrade for root CA & Sub CA

Pradeep Raju 1 Reputation point
2022-11-05T13:23:49.167+00:00

I have one root CA & one subordinate CA in my infra which needs to be migrated from Windows 2016 to 2019.

Im aware CA name is different from server name. I hope simply back up and restore CA into new server with new name & IP should work.

But my concern is either to proceed Root CA first or Sub CA first. Can someone clarify?

Windows for business | Windows Server | Devices and deployment | Configure application groups

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2022-11-07T03:39:56.7+00:00

    Hello PradeepRaju-0512,

    Thank you for posting in our Q&A forum.

    I think we should migrate the root CA and then sub CA, as the sequence we setup the two-tier PKI.

    Some tips for your references before migrating CA or during the CA migration.

    1.Please ensure the PKI is healthy before CA migration.

    2.The CA name must not be changed as part of the migration. This means the new target CA must have the old CA's name, even if part of that name is the old CA's host name.

    3.During the installation process, we must choose to use the CA's existing certificate and private key instead of creating a new CA certificate and key.

    4.By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions, including the CA machine host name in the path. This means that any certificate issued by the CA prior to migration may contain a certificate verification path that contains the old host name. These paths may no longer be valid after migration. To avoid revocation checking errors, the new CA must be configured to publish the CRL to the old (pre-migration) path as well as the new path.

    5.Each of the CA migration steps contains a lot of operations, please test it in the test environment first, so as to avoid problems in the production environment, or it can be better solved. If there are no problems in the test environment, you can operate in a production environment.

    References.
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126140(v=ws.10)#BKMK_GrantPermsAIA

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    ===============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    1 person found this answer helpful.
    0 comments
  2. JimmySalian-2011 42,511 Reputation points
    2022-11-05T13:57:17.21+00:00

    Hi,

    It has to be RootCA first and following the successful migration/upgrade you can restore SUBCA to the new server and re-ip as per the requirements, make sure the backups are full and snapshots taken before you proceed Pradeep. migrate-root-ca-to-a-new-server

    Goodluck.

    Hope this helps.
    JS

    ==
    Please Accept the answer if the information helped you. This will help us and others in the community as well.

    0 comments
  3. Pradeep Raju 1 Reputation point
    2022-11-10T09:10:45.373+00:00

    Daisy, thanks for the response. The migration plan is postponed. Once i get a chance to migrate, i keep you posted.

    Really appreciate you for inputs and followups.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.