Hello @matteu31 ,
Thank you for posting here.
As I understand, you have one-tier PKI, you want to do the changes below:
1) migrate CSP to KSP on my 2008r2 server
2) Migration SHA1 -> SHA 2
3) Migrate to 2019 server
Please check how many root CA certs do you have? Right click CA and select Properties and check General tab.
Check if you can export the private key of these root CA certs?
If you can not export the private key of the root CA certs, you will not do the migrations baove.
Then I suggest we can rebuild a new PKI on Windows server 2019 with KSP and SHA2.
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou