Tasks:

  • Move the existing Enterprise Root CA from Server A to Server B.
  • Change the Cryptographic Service Provider from Microsoft Strong Cryptographic Provider to the Key Storage Provider

  • Change the CA hash algorithm from SHA-1 to SHA-256



So the mission is given. But how can we do that?

The sort answer is: in two steps.



Unfortunately we cannot migrate the CA database directly form Server 2008 to Server 2016 because the JET database engine changed so much between the two versions that if we restore the backup we get a JET version error at startup and the CA won't start.

But if we add one more step we can successfully fulfill the above tasks.

This additional step is to first restore the DB backup to a Server 2012 R2 CA and then backup the DB again form there. This new backup now can be restored to the Server 2016 CA.



Here are the details:

First we have to create the necessary backups from our Server 2008 CA.

These are the steps I made:

  • Publishing a CRL with a Long Validity Period
  • Backing up a CA database and private key

  • Backing up CA registry settings

  • List the certificate templates for an enterprise CA

  • Verify the Issue and Manage Certificates permissions

To learn in detail how to do these steps here is a great article: https://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx



After these steps completed successfully we should uninstall the AD CS role from the server.

As we migrate it to a new machine this step is very important, because otherwise the new server won't be able to register itself in under Enrollment Services in the AD.

If the uninstall process succeeded, we can move on and do the "extra step" on the way of getting a 2016 CA.



I used Windows Server 2012 R2 machine joined the domain and the AD CS role installed.

Start the post deployment wizard and complete the following steps:

  • Select Enterprise CA
  • Select Root CA
  • On set up private key screen select use existing private key and import the key you had backed up.
  • Finish the further steps in the wizard.

Next we restore the CA Database.

(If you need detailed instructions how to complete the above steps you can find it in this article: https://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx)



After the restore I could start the CA service successfully.

Then I made a backup of the CA database this time on the Server 2012 R2 machine.

After the backup stop the CA and very important uninstall the CA role from the server!

Now we are ready to configure the CA on its final place on the Server 2016 machine.

The step can be familiar.

Start the post deployment wizard and complete the following steps on Server 2016 machine:

  • Select Enterprise CA
  • Select Root CA

  • On set up private key screen select use existing private key and import the key you had backed up.

  • Finish the further steps in the wizard.

  • We restore the CA Database.

  • Restoring the CA Registry Configuration.

           Before I did this I had to analyze the registry file and modify it on some point.

                What I modified is:

    • CAServerName value

                Check these values:

    • DBDirectory
    • DBLogDirectory
    • DBSystemDirectory
    • DBTempDirectory

                (I didn't have to modify them)

  • Import the modified registry file.
  • Reassign the custom certificate templates to the CA.

(More detailed you can find the steps in this article: https://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx)



The CA is now up and running but it is worth to check the security settings and AD permissions in ADSIEdit.

With this we are ready with the migration.



Now the change of the Cryptographic Service Provider and Change the CA hash algorithm from SHA-1 to SHA-256 is very straightforward based on this article:

https://technet.microsoft.com/en-us/library/dn771627(v=ws.11).aspx