Migrating CA from 2012R2 to 2019 problem

TonyB 1 Reputation point
2020-11-26T16:49:48.807+00:00

I'm trying to migrate an Enterprise Subordinate CA from a 2012R2 DC to a new 2019 DC. The 2012R2 CA was in itself an upgrade from 2008 R2, and that migration worked without a problem. I'm using the proper documented process, but am experiencing two issues I've never had before. First, when I try to do the backup of the source 2012 CA using the Backup CA method, I first get this message:

Windows cannot backup one or more private keys because the CSP does not support key export. Do you want to continue and back up only the private keys that can be exported?

We do have a number of expired issuing certs on the CA, some of which I've found don't have valid private keys anymore, but I don't think that's the issue (the primary signing cert is valid with a private key). We also have some KRA's we must maintain after the migration. The CSP we use is the standard (default) one and hasn't changed. Do I need to remove the expired certs first before export, and if so, how do you properly remove them from the CA cert list?

If I do proceed with the export though (I'm assuming private keys in the active certs are intact), the export completes. I have a pfx copy of the CA cert, and have taken a copy of the certsrv registry location. I've added the CA + Web Enrollment roles to the 2019 server fine, and then try to complete the restore. The new server has been renamed to the same name as the original one, with the same IP address. After I select Enterprise then Subordinate CA, I'm prompted to select the CA certificate, which I do, but am then immediately prompted with the following message:

The imported certificate does not match the chosen CA type and will not be used. However, the imported key can still be used

I've rechecked and 100% selected Enterprise and Subordinate CA (same as source). I've tried 2 or 3 source CA backups, and I've inspected the exported pfx file (all ok). Luckily I'm testing this in a virtual lab using copies of the production hosts, but until I can get the process working, I'm stuck. This does not seem to be an uncommon problem (migrating CAs from 2012 to 2016/2019), but I can't find any definitive solution.

Thanks


4 answers

  1. Vadims Podāns 9,186 Reputation points MVP
    2020-11-26T17:32:31.863+00:00

    It seems that the previous migration wasn't completely successful and you haven't backed up the CA keys since then. You cannot migrate a CA to another server without a valid backup of all CA keys.

    The imported certificate does not match the chosen CA type and will not be used. However, the imported key can still be used

    It seems the PFX contains keys from the root CA. This is the only viable reason for this error message. I would double-check what certificates are stored in the PFX, for example by running certutil -dump and specifying the path to the PFX file.


  2. TonyB 1 Reputation point
    2020-11-27T09:55:09.037+00:00

    Thanks for the fast reply, I appreciate it.

    I've run certutil -dump against the p12 exported file, and there are 11 elements listed. Looking more closely, 9 of the elements have the Certificate Template Name (Certificate Type) of SubCA, but two have the type CA. Our root CA is also 2012R2, and generally kept online. The two certs with the type CA have the same root CA issuer and subject, which you're saying could be the problem? I've no idea how or why that has happened, if it's wrong.

    If I look at the Cert Authority app on the SubCA, there are 9 certs listed, all issued from the rootCA to the subCA (so apparently correct), but as I said, 7 of those show as expired. Based on what you're saying then, somehow in the exported p12 file from the SubCA, there are CA certs showing as 2 of the elements. Is there a way to fix that?


  3. Vadims Podāns 9,186 Reputation points MVP
    2020-11-28T09:41:46.967+00:00

    It seems that you have a valid backup of keys in PFX, that's good.

    I would suggest manually importing the PFX into the Local Machine\Personal store. Allow key export in the PFX import wizard. Then during CA installation select the certificate from the store. Select the most recent subordinate CA certificate (with the highest CA Version extension value). This should work.

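The inspection step from answer 1 and the import-then-select step from answer 3, worked through as an added PowerShell example (this is not code from the thread or from Microsoft). It assumes a placeholder backup path `C:\CABackup\subca.p12` and a placeholder subordinate CA subject `CN=Contoso Issuing CA`; the CA Version decoding follows the documented layout of the szOID_CERTSRV_CA_VERSION extension (a DER INTEGER whose low 16 bits are the certificate index and high 16 bits the key index). It filters out self-signed entries, which is what the two "CA" type elements with identical root issuer and subject in the thread's PFX would be, so that only certificates issued by the root to the subordinate CA remain as candidates.

```powershell
# Added example, not from the thread. Placeholders: adjust to your environment.
$pfxPath   = 'C:\CABackup\subca.p12'     # assumed path to the exported CA backup
$caSubject = 'CN=Contoso Issuing CA'     # assumed subject of the subordinate CA
$pfxPass   = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Enumerate what the PFX actually contains (the check suggested in answer 1).
#    certutil prompts for the password; compare Subject/Issuer and template lines.
certutil -dump $pfxPath

# 2. Import into the computer's Personal store with exportable private keys
#    (equivalent to ticking "Mark keys as exportable" in the wizard).
$null = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass -Exportable

# 3. Decode the CA Version extension (OID 1.3.6.1.4.1.311.21.1).
#    Assumed layout per the documented extension: DER INTEGER, low 16 bits =
#    certificate index, high 16 bits = key index (shown as V<cert>.<key> in the console).
function Get-CaVersion {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.1' }
    if (-not $ext) { return $null }
    $raw = $ext.RawData
    if ($raw[0] -ne 0x02) { return $null }   # not a DER INTEGER; leave undecoded
    $len = [int]$raw[1]
    $value = 0
    for ($i = 0; $i -lt $len; $i++) { $value = ($value -shl 8) -bor [int]$raw[2 + $i] }
    [pscustomobject]@{
        CertIndex = $value -band 0xFFFF
        KeyIndex  = ($value -shr 16) -band 0xFFFF
    }
}

# 4. List candidate subordinate CA certificates: correct subject, a private key
#    present, issued by something other than themselves (root CA entries are
#    self-signed and are not the certificate to choose for a subordinate CA).
$candidates = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq $caSubject -and $_.HasPrivateKey -and $_.Subject -ne $_.Issuer } |
    ForEach-Object {
        $ver = Get-CaVersion -Cert $_
        $bc  = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        }
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            IsCA       = if ($bc) { $bc.CertificateAuthority } else { $false }
            CertIndex  = if ($ver) { $ver.CertIndex } else { -1 }
            KeyIndex   = if ($ver) { $ver.KeyIndex } else { -1 }
        }
    } | Sort-Object CertIndex, NotAfter -Descending

$candidates | Format-Table -AutoSize

# 5. The certificate to pick in the CA setup "existing certificate" dialog is the
#    one with the highest certificate index (answer 3). Expired entries remain in
#    the store so older issued certificates still chain, but are not selected here.
$chosen = $candidates | Where-Object { $_.IsCA -and $_.NotAfter -gt (Get-Date) } | Select-Object -First 1
if (-not $chosen) {
    Write-Warning "No valid subordinate CA certificate with a private key found for $caSubject."
} else {
    "Select thumbprint $($chosen.Thumbprint) (V$($chosen.CertIndex).$($chosen.KeyIndex), expires $($chosen.NotAfter))"
    # Confirm the key container is visible to the machine (helps explain an empty
    # "select existing certificate" list if the key was bound to a user profile).
    certutil -store My $chosen.Thumbprint
}
```

Run it in an elevated PowerShell on the target server before starting the CA role configuration. If the candidate list is empty even though the certificates show in the Personal store, the `certutil -store My` output for the expected thumbprint is the first place to look: a certificate line without a matching key container means the private key did not come across with the import, which is also the situation in which the export wizard refuses PFX and offers only P7B.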

  4. TonyB 1 Reputation point
    2020-12-03T16:23:39.02+00:00

    Sorry for the late reply, just got round to this.

    I imported the p12 cert into the Local Computer personal store on the lab server. I was prompted for the password, and the import completed ok. During the import, I selected 'Mark keys as exportable', which should be the correct option. All the certs (active and expired) then appeared ok in the Personal store.

    Next step was to select the SubCA cert with the longest date and try to export it. During the wizard though, I wasn't prompted to export the private key, it just stepped through until the filename. The option to export as PFX was also greyed out - I could only export it as P7B, which isn't compatible with the CA import wizard. I tried both the manual file selection and existing cert option during the CA setup again - neither worked. Trying to select an existing cert (even though they're now all in the Personal store) just returned an empty list. Inspecting the P7B file was fine - it showed two certs - one for the SubCA the other the rootCA, both valid and the ones with the longest validity.

    This doesn't make any sense. I've moved CAs between servers before - as long as you follow the correct process, it's always worked without a hitch.
