Migration of Intermediate CA role from existing Win 2008 R2 to Win 2012 R2 STD

  • Question

  • Hello, 

    I need some help in migrating my Intermediate CA role, with all the issued certificates intact, from an existing Win 2008 R2 server to Win 2012 R2 OS. Below are the steps I tried, but I am getting stuck and cannot progress further to complete the task. 

    Objective: Build a new VM with Win 2012 R2 - Migrate the CA role to the new server with all issued certs - at cutover, shut down the Source server and rename the Target server to use the existing server name - activate the new server as the new Intermediate CA server and after 2-3 weeks decommission the old server. 

    Steps taken: 

    1. Took a clone of the source VM, changed the SSID and hostname - performed an in-place OS upgrade to Win 2012 R2 STD. But after the OS upgrade the 'Certificate Authority' role was no longer showing as installed on it. So I couldn't proceed, and I can't take the risk of performing an in-place OS upgrade on the source server, as multiple systems and applications are using certs issued by this server and any issue with an in-place upgrade on the actual server may result in invalidation of certs. 

    2. Built a parallel VM with vanilla Win 2012 R2 OS and applied the latest security patches on it. Took a 'Backup of CA' from the Source and 'Restored CA' at the new server. Here I have 2 challenges: 

    a. For integrating the intermediate CA with the Enterprise Root CA, I need to create a certificate request file (.req) from the new Intermediate CA, and only then can I issue a cert against it from the Enterprise Root CA and get it installed on the new Intermediate CA. How can I create this, as at the new Intermediate CA I do not get the drop-down menu to choose 'Subordinate CA' when I tried accessing http:\\<ServerIPAddress>\CertSrv - getting an error that https has to be enabled (for this I believe a cert has to be chosen at IIS to have port 443 enabled). 

    b. Do I have to manually migrate all the Personal certs from the existing Intermediate CA on Win 2008 to the new server running Win 2012 R2? 

    Please advise how to achieve this migration without breaking the integrity of the Licenses issued or going to be issued.

    • Moved by Dave Patrick (MVP), Thursday, September 12, 2019 9:05 PM (not reporting forums application issues)
    Thursday, September 12, 2019 8:56 PM