Certificate Authority Transfer

  • Question

  • Currently, I have the ADCS role on my 2012 server. I would like to move all roles to my 3 new 2016 servers. I have moved FSMO roles and only have one thing left that my 2012 server is doing, which is ADCS.

    I was going through but this says to choose the root ca > all tasks > backup and I did not see that option. 

    I have a few screenshots of what my Certification Authority looks like; only two folders have contents in the snap-in.

    For reference, DC2 is the 2012 server; Peach, Toad and Waluigi are the new 2016 servers. I would like to install the ADCS role on Waluigi and have that server take it over.

    Friday, October 5, 2018 4:55 PM
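The question asks where the "backup" step lives. As an added example (not from the thread or from Microsoft's own article), this is the command-line equivalent of the Certification Authority snap-in's Back Up CA action, run elevated on the source CA host. It assumes the ADCSAdministration PowerShell module (shipped with Windows Server 2012 and later) is present, and `C:\CABackup` is a constructed path. It also captures the two things the snap-in backup does not include but a migration needs: the CertSvc registry configuration and the list of templates the CA publishes.

```powershell
# Added example: back up an AD CS CA before migrating it to another host.
# Assumptions: run in an elevated session on the source CA (DC2 in this thread);
# the ADCSAdministration module is available; $BackupRoot is a constructed path.
Import-Module ADCSAdministration

$BackupRoot = 'C:\CABackup'
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# The CA private key is exported as PKCS#12 and must be password protected.
# Record this password in the migration runbook; the restore step needs it.
$KeyPassword = Read-Host -Prompt 'Password for the exported CA key' -AsSecureString

# Backs up the CA certificate + private key and the certificate database (same as
# the snap-in's "Back Up CA..." with both options ticked).
Backup-CARoleService -Path $BackupRoot -Password $KeyPassword -Force

# The CA's registry configuration (CA name, CRL/AIA publication paths, validity
# settings) is not part of that backup; export it separately so the new CA can be
# configured identically.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $BackupRoot 'CertSvc-Configuration.reg') /y

# Record the CA common name and the templates published on this CA; both have to be
# reproduced on the new server.
certutil -getreg CA\CommonName > (Join-Path $BackupRoot 'ca-commonname.txt')
certutil -catemplates          > (Join-Path $BackupRoot 'ca-templates.txt')

# Check what was written before removing the role from the old server.
Get-ChildItem -Path $BackupRoot -Recurse | Select-Object FullName, Length
```

Copy the whole folder off the source machine before uninstalling the role there; the PKCS#12 file in it is the CA's private key, so treat that copy as you would the CA itself and delete it from any intermediate location once the restore on the new server has been verified.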

All replies

  • So, I found the place to back up our root CA. But I'm wondering if I can just bring up Certificate Services on my new server and have my servers (the only ones who have CAs) request a new cert from the new certification authority server, which is my 2016 server, because my new 2016 server will not have the same name as my old server that I'm moving off the network.
    Monday, October 8, 2018 3:45 PM
  • Well, perhaps the best way is to rebuild your PKI starting with an offline Root CA server. Then install your online CAs and issue new certificates wherever you have them from the new Issuing CAs. Take the time and plan it well.

    A reasonable paper on this is available here: Two Tier PKI 

    Hope that helps,

    Monday, October 8, 2018 8:37 PM
  • Before you responded, I followed this article:

    I completed it successfully but am concerned with the end result and whether I'll have issues. The new server, TOAD, is hosting certification services but the root CA shows DC2, the old cert services server that I escorted from and removed the role from.

    Is this a problem? If so, any idea how I'd connect it?

    • Edited by Tunamelt Tuesday, October 9, 2018 2:39 AM
    Tuesday, October 9, 2018 2:31 AM
  • I should also note, I took this IT role over from a previous IT guy who left and disappeared. We don't use RADIUS or any other service that might use a CA. Is there even a critical need to have a CA? Is it safe to just remove the CA role altogether? By following:

    Is there a downside to removing the CA if we run a simple network with no external network connections and our website is hosted elsewhere? The only issued certs are for the DCs on our network.

    • Edited by Tunamelt Tuesday, October 9, 2018 2:53 AM
    Tuesday, October 9, 2018 2:37 AM
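Two of the posts above raise checks a practitioner would want to run after a migration like this: whether the domain now points enrollment at the new host even though the CA still carries the old server's name (a migrated CA keeps its original common name, such as one derived from DC2, while the host it runs on changes), and what certificates the CA has actually issued before deciding whether it can be retired. The following is an added example, not from the thread or from Microsoft's articles; it assumes the ActiveDirectory RSAT module, a user that can read the Configuration partition, and that the last command runs on the CA host (TOAD in the thread).

```powershell
# Added example: verify which CA host/name the forest advertises, list CA certs still
# trusted for domain logon, and inventory issued certificates before retiring a CA.
# Assumptions: ActiveDirectory module present; read access to the Configuration NC;
# certutil -view run locally on the CA host.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pksBase  = "CN=Public Key Services,CN=Services,$configNC"

# Enrollment Services: one object per enterprise CA. Name is the CA common name
# (which survives a migration); dNSHostName is the server currently answering
# enrollment requests. After the move, expect the old CA name with the new host.
Get-ADObject -SearchBase "CN=Enrollment Services,$pksBase" `
             -LDAPFilter '(objectClass=pKIEnrollmentService)' `
             -Properties dNSHostName, cACertificate |
    ForEach-Object {
        $caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.cACertificate[0])
        [pscustomobject]@{
            CAName      = $_.Name
            HostName    = $_.dNSHostName
            CertSubject = $caCert.Subject
            NotAfter    = $caCert.NotAfter
            Thumbprint  = $caCert.Thumbprint
        }
    }

# CA certificates published here are distributed to every domain member's trust
# store; an entry for a CA that no longer exists is stale trust and should be
# cleaned up as part of decommissioning.
Get-ADObject -SearchBase "CN=Certification Authorities,$pksBase" `
             -LDAPFilter '(objectClass=certificationAuthority)' |
    Select-Object Name, DistinguishedName

# Issued, still-valid certificates in the CA database (Disposition 20 = issued).
# Run on the CA host. The template column shows what the CA is actually used for,
# which is the evidence to weigh before removing the role.
certutil -view -restrict 'Disposition=20' `
         -out 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter' csv
```

If the first query returns the old host name, the CA's AD objects were not updated during the migration and enrollment will still be directed at DC2; if the inventory shows only domain controller certificates, that matches the situation described in the thread and the removal decision can be made on that basis.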
  • If all you have are Domain Controller certs issued from your single CA, you first want to think about why you have them. Judging by the low number of certs issued and only to DCs in your environment, it may be a simple matter of following the documentation you have for removing the CA following all of the steps. If you decide not to remove the CA, you need to rebuild as your current deployment is not best practice by a lot.

    However, there are many very good reasons to deploy a PKI in a network as you describe. Some main reasons would be secure authentication, encrypted secure email, code signing, SSL/TLS encryption in web-based applications and implementations. These would be a few worthy considerations at least, noting you have an off-site hosted web presence.

    The degree of risk and necessity to secure your data assets makes considering the deployment of a well designed PKI that much more critical in your overall business plan.

    Hope that helps,

    Sunday, December 30, 2018 3:43 AM