Need to Migrate or In-Place Upgrade Server 2012 Certificate Authorities. Have questions about the best way to do this with lowest risk and impact

Question

Our Current CA setup is the following: In 2017 we built a new CA servers - Offline Root and Intermediate Issue CA to move to SHA2

1. Pre 2017 - TCROOTCA - Older SHA1 Offline Root CA on Server 2012 R2 Standard -joined to our AD domain. Not been used for 6+ years. CA service disabled and all Cert templates removed. Still registered in the domain
2. New in 2017 - TCROOTCA1 - Offline Root running on Server 2012 R2 Core - not joined to our AD domain - Standalone - only used to issue Issue CA certificate - CA service only started every 6 months to update its CRL manually or to issue a Issue CA cert every 10 yrs.
3. New in 2017 - TCSUBCA1 - Intermediate Issue CA running on Server 2012 R2 Standard - joined to our AD domain. This server is issuing certificates and managing all of our current certificate templates and has one of our AIA locations.

We do have critical certificates that if the CRL is down or corrupt or new computers or ones that need to renew would see impact.

Examples are for wireless, remote connections, internal websites

Questions:

In reading I read an article that doing an in-place upgrade of the existing Cert Authorities from Server 2012 is not supported going to Server 2022. That would involve two in-place upgrades 1st to 2019 then to 2022. https://learn.microsoft.com/en-us/windows-server/get-started/upgrade-overview  Read that could do single in-place to Server 2025 but not an option at this time.

1. Is that true that not supported if running a CA to do an in-place upgrade from 2012 to 2022?
2. Would it be recommended to do a migration vs in-place upgrade [if needed to do multiple upgrades] if want to do the lowest risk and least impact?
3. I would like to fully remove : TCROOTCA - Older SHA1 Offline Root CA on Server 2012 R2 Standard -joined to our AD domain prior to upgrading or migrating our current CA servers.

Is there a guide or steps need to follow to ensure this is cleanly and completely removed from the domain?

4. I do not see how this would affect our current CA servers as it is a separate CA environment [we build a new parallel build for SHA2] . Only sharing the same domain as our current issue CA.

Any impact I am missing if removing this old Offline root is removed from the domain?

Appreciate any help and feedback

Answer 1

Hello,

Thank you for posting question on Microsoft Windows forum!

The followings are the plausible explanation to address your below queries.

1.Is that true that not supported if running a CA to do an in-place upgrade from 2012 to 2022?

• Yes! Actually, Microsoft generally does not support a direct in-place upgrade of a Windows Server operating system across multiple versions, especially for critical roles like a Certification Authority.
• The common guidance is that if you're on Server 2012 R2 and want to go to Server 2022, you would typically need to perform a two-step in-place upgrade: first to Server 2016 or 2019, and then to Server 2022. Even with this, an in-place upgrade for a CA is often strongly discouraged due to the potential for issues that can severely impact your PKI.

2.Would it be recommended to do a migration vs in-place upgrade [if needed to do multiple upgrades] if want to do the lowest risk and least impact?

For critical systems such as your CA servers, performing a migration instead of an in-place upgrade is highly recommended. The followings are the reasons for that.

• Lowest Risk: A migration involves building new servers with the desired operating system (Server 2022 in your case), installing the CA role, and then migrating the CA database and configuration. This provides a "clean slate" and minimizes the risk of carrying over underlying OS issues or compatibility problems from the older server. If something goes wrong with the migration, your original CA servers remain intact and functioning, allowing for a fallback.
• Least Impact: While a migration requires careful planning and execution, it often allows for a more controlled cutover with less unexpected downtime. You can test the new CA thoroughly before making it live. In-place upgrades, especially multi-step ones, have a higher chance of encountering unforeseen issues that can lead to extended outages.
• Clean Environment: Migrating lets you ensure that any legacy or legacy-inherited misconfigurations are not carried forward. Instead, you start afresh with Microsoft’s current best practices for PKI implementation.
• Disaster Recovery: A migration process forces you to thoroughly document your CA configuration and backup/restore procedures, which improves your overall disaster recovery posture.

Regarding the remaining questions, you can refer to the following articles which might address your concerns in details.

• https://techcommunity.microsoft.com/blog/itopstalkblog/step-by-step-migrating-the-active-directory-certificate-service-from-windows-ser/697674
• https://techcommunity.microsoft.com/discussions/windowsserver/microsoft-recommendation-on-upgrade-path-from-2012r2-to-2022/3275420
• https://learn.microsoft.com/en-us/answers/questions/1356060/migrate-single-windows-server-2012-r2-ca-server-to
• https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/decommission-enterprise-certification-authority-and-remove-objects
• https://4sysops.com/archives/remove-an-old-windows-certificate-authority/

Hope the above information is helpful!