Migrating an Online Issuing CA & OCSP

This post is mostly sourced from https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-active-directory-certificate-service-from/ba-p/2328766, along with some helpful notes, screenshots, and code samples from my own experience. It’s mostly here for my own documentation purposes.

Backup the CA

Select backup options

Generate and save a secure password

Click Finish

Export CA Registry Settings

Copy the backup files to the new server

Uninstall ADCS roles and restart the server

Move alternative name (if in use) from old server to new server
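The old-server half of the steps above, as an added PowerShell example (not code from the original post or from the Microsoft article it draws on). It assumes placeholder names: OLDCA01 and NEWCA01 for the old and new CA hosts, D:\CABackup for the backup folder, and a CNAME alias pki.corp.contoso.com hosted on DNS server DC01 as the alternative name used in the CDP/AIA URLs. Run it elevated on the old CA.

```powershell
# Added example, not from the original post. Placeholders: OLDCA01 / NEWCA01 (old and new CA hosts),
# D:\CABackup (backup folder), pki.corp.contoso.com on DC01 (DNS alias used in CDP/AIA URLs).
Import-Module ADCSAdministration

$BackupDir = 'D:\CABackup'
$NewServer = 'NEWCA01'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null   # must be empty for the backup

# Generate a strong password for the exported CA key (the .p12 in the backup).
# Put it in your password vault now; it is needed again on the new server.
Add-Type -AssemblyName System.Web
$P12Password = [System.Web.Security.Membership]::GeneratePassword(32, 6)
Write-Host "CA key backup password (store securely): $P12Password"
$SecurePwd = ConvertTo-SecureString -String $P12Password -AsPlainText -Force

# Back up the CA database and the CA certificate with its private key
Backup-CARoleService -Path $BackupDir -Password $SecurePwd -Force

# Export the CA's registry configuration (CDP/AIA URLs, validity periods, host names, ...)
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc-Configuration.reg" /y

# Record which templates this CA publishes so the same set can be re-published on the new CA
Get-CATemplate | Select-Object -ExpandProperty Name | Set-Content -Path "$BackupDir\PublishedTemplates.txt"

# Keep the files currently served from CertEnroll (CRLs and the AIA certificate files)
Copy-Item -Path "$env:SystemRoot\System32\CertSrv\CertEnroll" -Destination "$BackupDir\CertEnroll" -Recurse -Force

# Copy the whole backup folder to the new server over the admin share
Copy-Item -Path $BackupDir -Destination "\\$NewServer\D$\CABackup" -Recurse -Force

# Re-point the DNS alias used in the CDP/AIA URLs at the new server (assumed to be a CNAME).
# Needs the DnsServer module; -ComputerName targets the DNS server.
Remove-DnsServerResourceRecord -ComputerName 'DC01' -ZoneName 'corp.contoso.com' -RRType CName -Name 'pki' -Force
Add-DnsServerResourceRecordCName -ComputerName 'DC01' -ZoneName 'corp.contoso.com' -Name 'pki' `
    -HostNameAlias "$NewServer.corp.contoso.com"

# Remove the CA (plus Online Responder and Web Enrollment if present) from the old server and reboot
Uninstall-AdcsCertificationAuthority -Force
Uninstall-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Online-Cert, ADCS-Web-Enrollment
Restart-Computer -Force
```

The template list and the CertEnroll copy are not strictly part of the backup, but both are needed later (re-publishing custom templates and bringing over the old AIA files), and they are much easier to capture before the role is uninstalled.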

Install AD CS Roles on New Server

Configure the CA (remember to log in with Enterprise Admin credentials)

Restoring the CA Backup

Stop the CA service

Edit the registry backup and update the WebClientCAMachine and CAServerName values

Restore the CA backup

Import the registry backup and start the CA service again
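The new-server install and restore, as an added PowerShell example (not code from the original post or the Microsoft article). It assumes the backup was copied to D:\CABackup, that the CA is an enterprise subordinate named 'Contoso Issuing CA', and that OLDCA01 is the old host name; the .p12 and .reg file names are the ones the backup step produces. Run it elevated as an Enterprise Admin on the new server.

```powershell
# Added example, not from the original post. Placeholders: D:\CABackup (copied backup),
# 'Contoso Issuing CA' (CA common name), OLDCA01 (old host name).
$BackupDir   = 'D:\CABackup'
$CAName      = 'Contoso Issuing CA'
$NewServer   = $env:COMPUTERNAME
$P12Password = Read-Host -Prompt 'CA key backup password' -AsSecureString

# Install the role services and their management tools
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Online-Cert -IncludeManagementTools

# Configure the CA with the existing CA certificate and key from the backup,
# so it keeps its name, key pair and the AD objects that already chain to it
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CertFile "$BackupDir\$CAName.p12" -CertFilePassword $P12Password -Force

# Stop the CA service before touching its database and registry
Stop-Service -Name certsvc

# Rewrite the host-specific values in the exported registry file before importing it.
# reg export writes UTF-16, so keep that encoding or reg import will reject the file.
$RegFile = "$BackupDir\CertSvc-Configuration.reg"
$Edited  = "$BackupDir\CertSvc-Configuration-$NewServer.reg"
(Get-Content -Path $RegFile) -replace '^("(CAServerName|WebClientCAMachine)"=").*"$', "`${1}$NewServer`"" |
    Set-Content -Path $Edited -Encoding Unicode

# Anything else that still names the old host (e.g. CDP/AIA URLs built on the host name
# rather than a DNS alias) should be reviewed by hand before importing
Select-String -Path $Edited -Pattern 'OLDCA01'

# Restore the CA database and key over the freshly configured CA
Restore-CARoleService -Path $BackupDir -Password $P12Password -Force

# Import the edited registry settings and start the CA again
reg import $Edited
Start-Service -Name certsvc

# Confirm the two values the post calls out now point at this server
certutil -getreg CA\CAServerName
certutil -getreg CA\WebClientCAMachine
```

The regex only touches the two values named in the post; a blanket search-and-replace of the old host name would also rewrite any CDP/AIA URL that happened to contain it, which is why the script prints remaining matches instead of changing them.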

Unpublish default templates and publish custom templates

Enable Directory Browsing for CertEnroll directory in IIS

Copy over previous AIA files from old CA (unsure if actually needed, but easy enough to do)

Verify the new CDP can be accessed internally and externally via AAD App Proxy

Use pkiview.msc to verify CDP/AIA is valid (note, OCSP will be in an error state until reinstalled)

Use certutil from a client to also verify CDP validity
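The post-restore clean-up and CDP/AIA checks, as an added PowerShell example (not code from the original post or the Microsoft article). It assumes the PublishedTemplates.txt and CertEnroll copy from the backup step sit in D:\CABackup, that the CA is named 'Contoso Issuing CA', that the internal CDP base URL is http://pki.corp.contoso.com/CertEnroll/, that the external URL published through AAD App Proxy (with passthrough pre-authentication) is https://pki-contoso.msappproxy.net/CertEnroll/, and that C:\Temp\test.cer is any certificate issued by this CA.

```powershell
# Added example, not from the original post. Placeholders: D:\CABackup, 'Contoso Issuing CA',
# the internal and external CDP base URLs, and C:\Temp\test.cer (a cert issued by this CA).
Import-Module ADCSAdministration
Import-Module WebAdministration

$BackupDir = 'D:\CABackup'
$CAName    = 'Contoso Issuing CA'

# Unpublish everything the fresh install published by default, then publish the old CA's set
Get-CATemplate | ForEach-Object { Remove-CATemplate -Name $_.Name -Force }
Get-Content -Path "$BackupDir\PublishedTemplates.txt" | ForEach-Object { Add-CATemplate -Name $_ -Force }
Get-CATemplate

# Enable directory browsing on the CertEnroll virtual directory
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertEnroll' `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $true

# Bring across the old AIA (CA certificate) files so URLs embedded in already-issued certs still resolve
Copy-Item -Path "$BackupDir\CertEnroll\*.crt" -Destination "$env:SystemRoot\System32\CertSrv\CertEnroll" -Force

# Publish a fresh CRL from the new server, then fetch it through both the internal and external CDP
certutil -crl
$CrlName = "$CAName.crl"
foreach ($Base in 'http://pki.corp.contoso.com/CertEnroll/', 'https://pki-contoso.msappproxy.net/CertEnroll/') {
    $Out = Join-Path -Path $env:TEMP -ChildPath $CrlName
    Invoke-WebRequest -Uri ($Base + [uri]::EscapeDataString($CrlName)) -OutFile $Out -UseBasicParsing
    Write-Host "CRL from $Base"
    # Show the issuer and the validity window of the CRL that was actually served
    certutil -dump $Out | Select-String -Pattern 'Issuer', 'ThisUpdate', 'NextUpdate'
}

# From a client: build the chain with live CDP/AIA/OCSP retrieval and show what succeeded or failed
certutil -verify -urlfetch C:\Temp\test.cer | Select-String -Pattern 'Verified', 'Failed', 'ERROR', 'completed'
```

pkiview.msc gives the same CDP/AIA picture graphically; the scripted fetch is useful because it tests the exact URLs a client will use, including the externally published one, and shows the CRL's NextUpdate so a stale CRL left over from the old server is obvious.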

Reinstalling OCSP

Reconfiguring OCSP

Verify OCSP Configuration

If the OCSP application does not appear in IIS, run the following to recreate it

Validating everything via pkiview.msc

Export a local cert and verify it via OCSP with certutil -url
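The OCSP reinstall and checks, as an added PowerShell example (not code from the original post or the Microsoft article, and not the command the post refers to with "run the following"). It assumes the CA is named 'Contoso Issuing CA' and that the revocation configuration itself is recreated in the Online Responder console (ocsp.msc) as in the post; the script covers the role install, the IIS virtual root, and the certutil verification. Run it elevated on the new server.

```powershell
# Added example, not from the original post. Placeholder: 'Contoso Issuing CA' (CA name).
Import-Module WebAdministration

$CAName = 'Contoso Issuing CA'

# Reinstall the Online Responder role service (it went away with the old server)
Install-WindowsFeature -Name ADCS-Online-Cert -IncludeManagementTools
Install-AdcsOnlineResponder -Force

# The revocation configuration (CA certificate, OCSP Response Signing template, CRL locations)
# is created in ocsp.msc; from here on the script only checks the plumbing around it.

# The Online Responder needs an OCSP signing certificate in the machine store; list what is there
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'OCSP Signing' } |
    Select-Object -Property Subject, NotAfter, Thumbprint

# If the 'ocsp' application is missing from IIS, recreate the virtual root the responder proxy uses
if (-not (Get-WebApplication -Site 'Default Web Site' -Name 'ocsp')) {
    certutil -vocsproot delete
    certutil -vocsproot
    iisreset
}

# Export a local certificate issued by this CA and check its revocation status through the
# AIA/OCSP URLs embedded in it, first non-interactively, then with the certutil -url GUI
$CerPath = Join-Path -Path $env:TEMP -ChildPath 'ocsp-test.cer'
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "CN=$CAName*" } |
    Sort-Object -Property NotBefore -Descending | Select-Object -First 1
Export-Certificate -Cert $Cert -FilePath $CerPath -Force | Out-Null

certutil -verify -urlfetch $CerPath | Select-String -Pattern 'OCSP', 'Failed', 'ERROR', 'completed'
certutil -url $CerPath
```

A "Verified OCSP" line from certutil -verify -urlfetch is the quickest confirmation that the responder answers for certificates from this CA; the -url window then shows each CDP, AIA and OCSP URL individually, which is the check the post ends on.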

Congratulations! You’re done!
