Migrating 2012R2 CA to 2019

Question

I am migrating 2012R2 CA to 2019. I use the option to use an existing key. However, the new CA is asking me to send a certificate request to the root CA. I will like to reuse the old cert without issuing a new one. The private key is store on an HSM and I can find the cert and key.

Answer 1

It doesn't matter where the key is stored. Private key alone is not sufficient to migrate CA, you need to have a certificate as well. Make sure if certificate is installed in Local Machine\Personal store (certlm.msc), then make sure that private key is associated with certificate. You can force key association using certutil:

certutil -csp "SafeNet Key Storage Provider" -repairstore my "<CertSerialNumber>"

where <CertSerialNumber> is the cert's serial number. If the command succeeds, then you will see a key icon on top of certificate icon in certificate manager.

Answer 2

You selected wrong option on a first image. It selects only private key without certificate and installer needs to get a certificate through request. You need to select "Select a certificate and use its associated private key" instead.

Answer 3

Hello @Akin ,

Thank you for posting here.

With this being a migration, select Use existing private key and Select a certificate and use its associated private key and click next to continue.

For more information about CA migration, we can refer to the link below.

Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

Answer 4

Even if the private key is stored on HSM?