Certificate Authority (Root CA) Server Migration from 2012 to 2019

Question

Hi there,

Please help with this.

Basically, we are running CA service (only CA server running ROOT CA Enterprise) on a server 2012 box. Now we need to move CA to 2019 BOX. I had a look in this article: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

Got Four simple questions:

1. With the new Server 2019, do we need to have the same name with old 2012 server "CS01"? or Any Name will do.
2. In the last step mentioned from the link above, after restored the old CA, it mentioned "Right click on Certificate Templates Folder > New > Certificate Template to Reissue", what exactly does this do? What if I ignore it?
3. We are running Aruba Clearpass Wifi Radius System, all of our Windows and Mac machines are using this CA for 802.1x authentication, if the old CA server is taken off for that moment, all devices will not be able to authenticate with Wifi?
4. On AD, the Old CA server will be taken off, and new CA server will be added automatically to "Cert Publisher" group?

Thanks a lot,
ML

Answer 1

Hello @Namless Shelter

the answer for the first question is:

Service migration from 2008 R2 to 2019 but required the new Windows Server 2019 server to have the same name as the previous 2008 R2 server

Regards,

Answer 2

Any Updates people?

Thanks
ML

Answer 3

1. It's not mandatory to have the same server name. You just need to change a registry value before importing the registry key
2. If the templates are not published after the migration, you have to published them
3. Well... it depends on few things
   • Your certificate authority is only issuing certificate to clients that are requesting one. Clients with a valid certificate will be able to authenticate
   • You may have a Radius Server in your environment and it's this server that will perform the authentication with AD Servers
   • Does the CDP / AIA published location is accessible to everyone if the server is offline?
   • I don't remember if the new server will be added automatically to the Cert Publisher Group. If it's not added automatically, just add it manually and restart the new
     RootCA Server after.

Follow this documents for the migration steps... even if it's 2012, it's the same process
ref: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v%3Dws.11)

hth

Answer 4

The CDP / AIA location is where the CRT / CRL are published. By default, an Enterprise CA will published into AD. But you ma have change this value.

You can see this value if you open a certificate that has been issued by your CA.

Look for the 2 settings "Authority Information Access" and "CRL Distribution Point". You should have the location of those files.

On the CA, those settings are registry values under that registry key
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration[CA Name]"
CACertPublicationURLs
CRLPublicationURLs

As i said, if it's published at the default location (AD), you should be good. Just check that the CRL is valid for long enough to complete the migration.

hth

Answer 5

Hi,

There is a documentation on how to decommission an Enterprise CA

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects