This post is mostly sourced from https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-active-directory-certificate-service-from/ba-p/2328766, along with some helpful notes, screenshots, and code samples from my own experience. It’s mostly here for my own documentation purposes.
Backup the CA
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image.png)
Select backup options
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-1.png)
Generate and save a secure password
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-2.png)
Click Finish
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-3.png)
Export CA Registry Settings
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-4.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-5.png)
Copy the backup files to the new server
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-6.png)
Uninstall ADCS roles and restart the server
```powershell
Remove-WindowsFeature -Name ADCS-Web-Enrollment -Confirm:$false
Remove-WindowsFeature -Name ADCS-Online-Cert -Confirm:$false
Remove-WindowsFeature -Name ADCS-Cert-Authority -Confirm:$false
Restart-Computer
```
Move the alternative name (if in use) from the old server to the new server
On the old server:
```powershell
netdom computername OLDCA.ad.domain.tld /remove PKI.ad.domain.tld
```
On the new server:
```powershell
netdom computername NEWCA.ad.domain.tld /add PKI.ad.domain.tld
ipconfig /registerdns
```
Install AD CS Roles on New Server
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-7.png)
Configure the CA (remember to log in with Enterprise Admin credentials)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-8.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-9.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-10.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-11.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-12.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-13.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-14.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-15.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-16.png)
Restoring the CA Backup
Stop the CA service
```powershell
Stop-Service -Name CertSvc
```
Edit the registry backup and update the WebClientCAMachine and CAServerName values
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-17.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-18.png)
Restore the CA backup
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-19.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-20.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-21.png)
Import the registry backup, and restart ADCS again
```powershell
reg import .\CA_Backup.reg
Restart-Service -Name CertSvc
```
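The two registry steps above (editing CAServerName and WebClientCAMachine in the export, then importing it) can be scripted so the edit is checked before anything touches the registry. This is an added example, not code from the original post; the backup path and the OLDCA/NEWCA host names are constructed placeholders.

```powershell
# Added example: rewrite the exported CA registry backup so CAServerName and
# WebClientCAMachine name the new host, and flag any other line that still
# mentions the old host for manual review before the import.
# Paths and host names are placeholders; adjust them to your environment.
param(
    [string]$RegBackup = 'C:\CA_Backup\CA_Backup.reg',
    [string]$OldHost   = 'OLDCA',
    [string]$NewHost   = 'NEWCA'
)

# regedit writes .reg exports as UTF-16LE with a BOM; Get-Content honours the BOM.
$content = Get-Content -Path $RegBackup -Raw

# Only the lines for the two server-name values are rewritten. The regex matches
# the value name, then the first occurrence of the old host inside the quoted
# data, so an FQDN such as OLDCA.ad.domain.tld keeps its DNS suffix.
$pattern = '(?im)^("(?:CAServerName|WebClientCAMachine)"=".*?)' + [regex]::Escape($OldHost)
$updated = $content -replace $pattern, ('${1}' + $NewHost)

$changed = ([regex]::Matches($content, $pattern)).Count
if ($changed -ne 2) {
    Write-Warning "Expected to rewrite 2 values but matched $changed. Inspect the export before importing."
}

# Anything else still naming the old host (for example CRL/AIA publication paths
# that were not behind an alias) needs a deliberate decision, not a blind replace.
$leftover = ($updated -split "`r?`n") | Where-Object { $_ -match [regex]::Escape($OldHost) }
if ($leftover) {
    Write-Warning 'Old host name is still present on these lines:'
    $leftover | ForEach-Object { Write-Warning "  $_" }
}

# Write a new file rather than overwriting the backup; keep UTF-16LE so reg.exe reads it unchanged.
$outFile = [IO.Path]::ChangeExtension($RegBackup, '.new.reg')
[IO.File]::WriteAllText($outFile, $updated, [Text.Encoding]::Unicode)
Write-Host "Edited export written to $outFile"
Write-Host "Import it on the new CA with: reg import `"$outFile`" and then Restart-Service -Name CertSvc"
```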
Unpublish default templates and publish custom templates
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-22.png)
Enable Directory Browsing for CertEnroll directory in IIS
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-23.png)
Copy over previous AIA files from old CA (unsure if actually needed, but easy enough to do)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-24-1024x577.png)
Verify the new CDP can be accessed internally and externally via AAD App Proxy
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-25.png)
Use pkiview.msc to verify CDP/AIA is valid (note, OCSP will be in an error state until reinstalled)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-26-1024x427.png)
Use certutil from a client to also verify CDP validity
```powershell
certutil -url http://pki.corp.ajf.one/CertEnroll/AJF.ONE%20CORP%20SIGNING%20CA.crl
```
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-27.png)
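The certutil -url check above can be repeated for every CDP and AIA location a migrated CA publishes. The following is an added example, not code from the original post: run from a client, it reads the CRL Distribution Points and Authority Information Access URLs out of a certificate the CA issued and downloads each CRL and issuer certificate to confirm the new locations serve DER-encoded files. The issuer name filter is an assumed value; OCSP URLs are listed but left to certutil -url, as on this page.

```powershell
# Added example: verify the CDP/AIA URLs embedded in an issued certificate from a client.
param(
    # Assumed value: part of the issuing CA's common name, used to pick a leaf certificate.
    [string]$IssuerMatch = 'CORP SIGNING CA'
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate issued by '$IssuerMatch' found in LocalMachine\My" }

# OID 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access.
# On Windows, Extension.Format($true) renders both as text containing 'URL=http://...' entries.
$urls = foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        [regex]::Matches($ext.Format($true), 'URL=(http\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
}

foreach ($url in ($urls | Sort-Object -Unique)) {
    # Only CRL and issuer-certificate files are downloaded; an OCSP responder URL does not
    # serve a file on a bare GET, so it is reported for a separate certutil -url check.
    if ($url -notmatch '\.(crl|crt|cer)$') {
        '{0,-5} {1}  (OCSP responder; verify with certutil -url)' -f 'SKIP', $url
        continue
    }
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        # A DER-encoded CRL or certificate starts with an ASN.1 SEQUENCE tag (0x30).
        $isDer = ($resp.Content.Length -gt 0) -and ($resp.Content[0] -eq 0x30)
        $tag = if ($isDer) { 'OK' } else { 'WARN' }
        '{0,-5} {1} {2,7} bytes  {3}' -f $tag, $resp.StatusCode, $resp.Content.Length, $url
    } catch {
        '{0,-5} {1}  {2}' -f 'FAIL', $url, $_.Exception.Message
    }
}
```

A WARN line means the URL answered but did not return DER (typically an HTML error page or directory listing), which pkiview.msc would also flag.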
Reinstalling OCSP
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-28.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-29.png)
Reconfiguring OCSP
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-30-1024x516.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-31.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-32.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-33.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-34.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-35.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-36-1024x563.png)
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-37.png)
Verify OCSP Configuration
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-38-1024x657.png)
If the OCSP application does not appear in IIS, run the following to recreate it
```powershell
certutil -vocsproot
```
Validating everything via pkiview.msc
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-39-1024x499.png)
Export a local cert and verify it via OCSP with certutil -url
![](https://anthonyfontanez.com/wp-content/uploads/2023/05/image-40.png)
Congratulations! You’re done!
What is the behavior of existing clients pointing to an existing OCSP responder that was migrated to a new host? Do the existing machines pick up the new OCSP responder automatically, or is there a manual process for updating them?
In my labs, I use an alias name for my CRL/AIA information, so in migrating the CA to a new host, the alias moves with it, and the OCSP responder continues to function as expected. If it moves to a new name, the CA configuration would need to be updated and new leaf certificates issued to endpoints to utilize the new responder before the old responder could be retired.