ADCS | Migrate CSP to KSP issue

SenhorDolas 1,321 Reputation points
2025-03-18T18:04:51.8133333+00:00

Hi

We have a W2K19 server running AD Certificate Authority still on CSP (due to OS upgrade of old VM)

The root cert has been renewed without renewing the key for years!!!!!

I need to make this CA KSP so I can issue a root cert as SHA-256.

When following guides like https://www.petenetlive.com/KB/Article/0001243 I get an error on backup CA: windows cannot backup one or more private keys because the csp does not support key export

I have found a solution about dashes on a key reg but this did not work.

I get the cert backed up but no key icon on it.

This makes me very nervous about continuing with the migration.

Is there a way out of this?

Alternatively can I issue a new root cert with a new key?

Will this key invalidate the current key (that has been renewed for years)? And can I have both certs on at the same time?

Thanks, M

Windows Server 2019

2 answers

  1. Daisy Zhou 32,421 Reputation points Microsoft External Staff
    2025-03-19T06:07:23+00:00

    Hello SenhorDolas,
    Thank you for posting in Q&A forum.

    Based on the description, as I understand, you have one-tier PKI, do you mean you cannot back up CA when you run Certification Authority Backup Wizard?


    If so, you can try to check whether you can export the CA root certificate with its private key (below).

    Open Certlm.msc and find the root CA certificate, right click this root CA certificate and select All Tasks\Export.

    Here is a similar thread with the shared steps, you can try if it is helpful to you.


    migration csp to ksp

    https://learn.microsoft.com/en-us/answers/questions/305322/migration-csp-to-ksp

    References

    Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019

    https://techcommunity.microsoft.com/blog/itopstalkblog/step-by-step-migrating-the-active-directory-certificate-service-from-windows-ser/697674

    How to move a certification authority to another server

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/move-certification-authority-to-another-server

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

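The same check can be made from the command line, without the export wizard. This is an added example, not part of the original thread: a read-only script that reports, for each CA certificate in the local machine store, whether a private key is attached, which provider holds it, and whether certutil flags it as non-exportable. It assumes an elevated Windows PowerShell session on the CA server, the CA certificate in `LocalMachine\My`, and English certutil output for the two string matches.

```powershell
# Added example: read-only inventory of CA certificates and their key providers.
# Nothing here modifies the CA, the registry, or the key containers.

# Provider the CA service is currently configured to use (CSP or KSP name).
certutil -getreg CA\CSP\Provider

# Certificates in the machine store whose Basic Constraints mark them as a CA.
$caCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
        $_.CertificateAuthority
    }
}

foreach ($cert in $caCerts) {
    # certutil prints the key container, the provider and an exportability note.
    # Assumption: the English strings "Provider = " and "NOT exportable".
    $dump = certutil -store my $cert.Thumbprint
    $providerLine = $dump |
        Select-String -Pattern '^\s*Provider = (.+)$' |
        Select-Object -First 1

    [pscustomobject]@{
        Subject             = $cert.Subject
        NotAfter            = $cert.NotAfter
        SignatureAlgorithm  = $cert.SignatureAlgorithm.FriendlyName
        HasPrivateKey       = $cert.HasPrivateKey
        Provider            = if ($providerLine) {
                                  $providerLine.Matches[0].Groups[1].Value.Trim()
                              } else {
                                  '(not reported)'
                              }
        MarkedNotExportable = [bool]($dump | Select-String -SimpleMatch 'NOT exportable')
    }
}
```

A row with `HasPrivateKey` true and `MarkedNotExportable` true matches the symptom in the question: the key is present on the server, but the provider refuses to export it.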

  2. SenhorDolas 1,321 Reputation points
    2025-03-19T10:24:42.6533333+00:00

    @Daisy Zhou, this is the error I get when doing the CA backup:


    The backup contains the certificate only (there is no key icon) and I cannot import that same certificate and export the key after.

    As such I think I won't be able to perform the migration to KSP as the key is required.

    This is the export wizard, I don't have the export option:


    Thanks, M

