I'm trying to migrate an Enterprise Subordinate CA from a 2012 R2 DC to a new 2019 DC. The 2012 R2 CA was itself an upgrade from 2008 R2, and that migration worked without a problem. I'm using the proper documented process, but am experiencing two issues I've never had before. First, when I try to do the backup of the source 2012 CA using the Backup CA method, I first get this message:
Windows cannot backup one or more private keys because the CSP does not support key export. Do you want to continue and back up only the private keys that can be exported?
We do have a number of expired issuing certs on the CA, some of which I've found don't have valid private keys anymore, but I don't think that's the issue (the primary signing cert is valid with a private key). We also have some KRAs we must maintain after the migration. The CSP we use is the standard (default) one and hasn't changed. Do I need to remove the expired certs first before the export, and if so, how do you properly remove them from the CA cert list?
If I do proceed with the export, though (I'm assuming the private keys in the active certs are intact), the export completes. I have a pfx copy of the CA cert, and have taken a copy of the certsrv registry location. I've added the CA + Web Enrollment roles to the 2019 server fine, and then try to complete the restore. The new server has been renamed to the same name as the original one, with the same IP address. After I select Enterprise, then Subordinate CA, I'm prompted to select the CA certificate, which I do, but am then immediately prompted with the following message:
The imported certificate does not match the chosen CA type and will not be used. However, the imported key can still be used
I've rechecked and 100% selected Enterprise and Subordinate CA (same as the source). I've tried 2 or 3 source CA backups, and I've inspected the exported pfx file (all OK). Luckily I'm testing this in a virtual lab using copies of the production hosts, but until I can get the process working, I'm stuck. This does not seem to be an uncommon problem (migrating CAs from 2012 to 2016/2019), but I can't find any definitive solution.
Thanks
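The two symptoms above (the "CSP does not support key export" warning on backup, and the "imported certificate does not match the chosen CA type" rejection on restore) both come down to what is actually inside the CA's certificate list and the exported pfx. The following PowerShell is an added diagnostic, not part of the original post and not Microsoft's documented migration procedure. It opens the pfx and reports, for every certificate in it, whether it is a CA certificate (BasicConstraints CA=TRUE, KeyCertSign), whether it is self-signed (a subordinate CA cert should not be), whether a private key is present, and which provider holds it and whether that key is exportable. Run on the source CA, it also walks the CA's own certificate list from the CertSvc registry (the CACertHash value) and applies the same checks to each entry in LocalMachine\My, which shows which renewed or expired CA certs have lost their keys. The path and password prompt are placeholders; the .NET calls assume .NET Framework 4.6 or later.

```powershell
# Added diagnostic (assumption: run in an elevated PowerShell on the source CA;
# the pfx path below is a placeholder). Not part of the original post.
Add-Type -AssemblyName System.Security

function Get-CaKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $bc = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign

    $provider   = $null
    $exportable = $null
    if ($Cert.HasPrivateKey) {
        try {
            # Returns RSACryptoServiceProvider for CryptoAPI (CSP) keys and
            # RSACng for CNG (KSP) keys; the export check differs per type.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider   = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider   = $rsa.Key.Provider.Provider
                $allow      = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                $exportable = (($rsa.Key.ExportPolicy -band $allow) -ne 0)
            }
        } catch {
            # HasPrivateKey is true but the key container is gone or unreadable;
            # this is the case Backup CA warns about.
            $provider = "error: $($_.Exception.Message)"
            $exportable = $false
        }
    }

    [pscustomobject]@{
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        NotAfter     = $Cert.NotAfter
        Thumbprint   = $Cert.Thumbprint
        IsCA         = if ($bc) { $bc.CertificateAuthority } else { $false }
        KeyCertSign  = if ($ku) { (($ku.KeyUsages -band $certSign) -ne 0) } else { $false }
        IsSelfSigned = ($Cert.Subject -eq $Cert.Issuer)   # should be False for a subordinate CA
        HasKey       = $Cert.HasPrivateKey
        Provider     = $provider
        Exportable   = $exportable
    }
}

# --- 1. What is inside the exported pfx? ---------------------------------
$PfxPath = 'C:\CABackup\CAName.p12'        # placeholder: path from Backup CA
$PfxPassword = Read-Host 'PFX password'

$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$pfx.Import($PfxPath, $PfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
"== Certificates in $PfxPath =="
$pfx | ForEach-Object { Get-CaKeyInfo $_ } | Format-List

# --- 2. What does the CA service itself consider its certificates? --------
# CertSvc keeps the hashes of the current and every renewed CA certificate in
# CACertHash (REG_MULTI_SZ, space-separated hex) under its configuration key.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$hashes = (Get-ItemProperty -Path "$cfg\$caName").CACertHash
"== CACertHash entries for CA '$caName' =="
foreach ($h in $hashes) {
    $tp   = ($h -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if ($cert) { Get-CaKeyInfo $cert }
    else { [pscustomobject]@{ Thumbprint = $tp; Note = 'listed in CACertHash but not found in LocalMachine\My' } }
}
```

Reading the output: any CACertHash entry whose HasKey is false or whose Exportable is false explains the Backup CA warning, and is the cert whose key will be missing from the pfx. For the restore, the certificate you pick in the wizard must be the one whose IsCA and KeyCertSign are true, whose IsSelfSigned is false (a self-signed one would be the root, which does not match "Subordinate CA"), and whose HasKey is true; if the pfx only carries that cert's key under a different thumbprint, or carries only the root with a key, the wizard will refuse the cert and offer to keep just the key, which is exactly the message quoted above. Note that importing with the Exportable flag persists the keys into the current user's key store on the machine where you run it, so do this on a lab host.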