This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 17%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
Hi,
We have a Certificate Authority that we would like to migrate. Current OS: Windows Server 2012R2
Would like to migrate the CA to the new VM with Windows Server 2019. But with the export of the CA we have following error: 'Windows cannot back up one or more private keys because the CSP does niet support key export".
The certs are only issued to clients and servers. (Computer (machine), Domain Controller Authentication, Kerberos Authentication)
I see that new clients are getting the certs from the new CA server. Is there a way where we can force the clients with certs from the old CA to renew this so they receive also a new cert from the new CA? Or do we simply need to wait when the old certs are expired?
Would like to know when we can fully uninstall the old cert server.
Thanks in advance!
Are you using autoenrollment to distribute computer certificates?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 80%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIJ%3C/text%3E%3C/svg%3E)
By GPO they have set the following in the Default Domain Policy;
Automatic certificate management - Enabled
Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates - Enabled
Update and manage certificates that use certificate templates from Active Directory - Enabled
Automatic Certificate Request:
Computer
Enrollment Agent (Computer)
Hi there,
If clients are using v2 or newer templates, this can be done at the template level. But doing this will trigger all clients to renew early. In the GPO setting where you enabled Auto-Enrollment, did you also check the optional box "Upgrade certificates that use templates"? If so, then in the certtmpl.msc interface, right-click the template you want clients to renew, and select "Reenroll all existing certificate holders".
Make sure the template is only available on the new CA (removed from the old) otherwise the enrollment will randomly choose the CAs to use.
You can also follow the steps as per the thread https://social.technet.microsoft.com/Forums/en-US/23a990ed-6c07-4948-acf1-54aaca82e2d1/force-windows-machines-to-reenroll?forum=winserversecurity
If the reply is helpful, please Upvote and Accept it as an answer
Excuse me for the late reply (had a few weeks off..)
Thank you for your helpful information!
I have the GPO setting for 'Update certificates that use templates' on. Only my certificate template is schema version 1 and not 2. Is there a way I can upgrade this or so?
My steps now:
If there are any options to maybe 'upgrade' the cert schema version please let me know.
Thanks in advance!