Certificate Authority (Root CA) Server Migration from 2012 to 2019

Namless Shelter 231 Reputation points

Hi there,

Please help with this.

Basically, we are running the CA service (a single CA server, running an Enterprise Root CA) on a Server 2012 box. Now we need to move the CA to a 2019 box. I had a look at this article: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

I have four simple questions:

  1. Does the new Server 2019 machine need to have the same name as the old 2012 server, "CS01"? Or will any name do?
  2. In the last step mentioned in the link above, after restoring the old CA, it says "Right click on Certificate Templates Folder > New > Certificate Template to Reissue". What exactly does this do? What if I ignore it?
  3. We are running an Aruba ClearPass Wi-Fi RADIUS system, and all of our Windows and Mac machines use this CA for 802.1X authentication. If the old CA server is taken offline for that period, will all devices be unable to authenticate to Wi-Fi?
  4. In AD, when the old CA server is removed, will the new CA server be added automatically to the "Cert Publishers" group?

Thanks a lot,


7 answers

  1. Limitless Technology 39,506 Reputation points

    Hello @Namless Shelter

    The answer to the first question is:

    Service migration from 2008 R2 to 2019 is possible, but it required the new Windows Server 2019 server to have the same name as the previous 2008 R2 server.


  2. Namless Shelter 231 Reputation points

    Any Updates people?



  3. cthivierge 4,056 Reputation points
    1. It's not mandatory to have the same server name. You just need to change a registry value before importing the registry key.
    2. If the templates are not published after the migration, you have to publish them.
    3. Well... it depends on a few things:
      • Your certificate authority only issues certificates to clients that request one. Clients with a valid certificate will be able to authenticate.
      • You may have a RADIUS server in your environment, and it's this server that performs the authentication with the AD servers.
      • Is the published CDP / AIA location accessible to everyone while the server is offline?
      • I don't remember if the new server will be added automatically to the Cert Publishers group. If it's not added automatically, just add it manually and restart the new Root CA server afterwards.

    Follow this document for the migration steps... even if it's 2012, it's the same process.
    ref: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v%3Dws.11)


  4. cthivierge 4,056 Reputation points

    The CDP / AIA location is where the CRT / CRL are published. By default, an Enterprise CA will publish them into AD, but you may have changed this value.

    You can see this value if you open a certificate that has been issued by your CA.

    Look for the two extensions "Authority Information Access" and "CRL Distribution Point". You should have the location of those files there.

    On the CA, those settings are registry values under the registry key
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\[CA Name]"

    As I said, if it's published at the default location (AD), you should be good. Just check that the CRL is valid for long enough to complete the migration.
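The checks cthivierge describes, as an added PowerShell example (not code from the thread or from Microsoft's migration guide): it reads the AIA and CDP extensions from an issued certificate, reads the CA's publication URLs and CRL period from the registry key above, and shows the NextUpdate of the currently published CRL. It assumes it runs elevated on the CA; `$CaName` and `$Thumbprint` are placeholders you must replace.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session on the CA.
$CaName     = 'CONTOSO-ROOT-CA'                 # placeholder: the CA's configuration name
$Thumbprint = 'PASTE-ISSUED-CERT-THUMBPRINT'    # placeholder: thumbprint of a cert issued by this CA

# 1. Where an issued certificate tells clients (and the RADIUS server) to fetch the CA cert and CRL.
#    AIA = OID 1.3.6.1.5.5.7.1.1, CDP = OID 2.5.29.31
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
foreach ($ext in $cert.Extensions) {
    switch ($ext.Oid.Value) {
        '1.3.6.1.5.5.7.1.1' { "Authority Information Access:`n" + $ext.Format($true) }
        '2.5.29.31'         { "CRL Distribution Points:`n"      + $ext.Format($true) }
    }
}

# 2. What the CA is configured to publish (the registry values under Configuration\<CA Name>).
#    Entries starting with "ldap:///" are the Active Directory default; http:// or file:// entries
#    point at a location that must stay reachable while the old server is offline.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$cfg = Get-ItemProperty -Path $regPath
"CRL publication URLs:";     $cfg.CRLPublicationURLs
"CA cert publication URLs:"; $cfg.CACertPublicationURLs
"CRL period: $($cfg.CRLPeriodUnits) $($cfg.CRLPeriod)"

# 3. How long the currently published CRL stays valid. Once NextUpdate passes and no fresh CRL
#    can be fetched, clients that check revocation will reject the CA's certificates, so this
#    date must lie beyond the end of the migration window.
$crlFile = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll\$CaName.crl"
if (Test-Path $crlFile) {
    $next = (certutil -dump $crlFile | Select-String 'NextUpdate') -replace '.*NextUpdate:\s*', ''
    "Published CRL NextUpdate: $next"
} else {
    "No CRL found at $crlFile (check CRLPublicationURLs for the actual file location)"
}
```

If NextUpdate is too close, publish a fresh CRL with `certutil -crl` before shutting the old server down.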


  5. cthivierge 4,056 Reputation points