How to Move AD Certificate Authority Role to Another Server

Step 1: Backup CA database and its configuration

Go to Start > Administrative Tools > Certification Authority. Right-click the server node > All Tasks > Backup CA.

Select both checkboxes.

Enter a password for the private key and CA certificate file.

Complete the wizard.

Step 2: Backup CA Registry Settings

Run > type regedit and click OK

Expand to the key at the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

Right-click the Configuration key, click Export, and save the file.
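
Steps 1 and 2 can also be scripted. The following is an added example, not part of the original guide: it uses the Backup-CARoleService cmdlet and reg.exe in place of the wizards, locks down the backup folder because it holds the CA private key, and stops before Step 3 unless the key file, database and registry export are all present. The path C:\CABackup, the .reg and .csv file names and the helper Get-BackupManifest are assumptions made for the example.

```powershell
# Added example (not from the original page). Run elevated on the OLD CA server.
# Assumed names: C:\CABackup, CertSvc-Configuration.reg, C:\CABackup.sha256.csv.
$ErrorActionPreference = 'Stop'
$BackupDir = 'C:\CABackup'
$RegFile   = Join-Path $BackupDir 'CertSvc-Configuration.reg'
$RegKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Hypothetical helper: hash every file under a folder, keyed by its path relative
# to that folder, so it can be run on both servers and the results compared.
function Get-BackupManifest([string]$Dir) {
    $root = (Resolve-Path $Dir).Path
    Get-ChildItem $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            File   = $_.FullName.Substring($root.Length)
            SHA256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# The backup contains the CA private key. Start from an empty folder that only
# Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) can access.
if ((Test-Path $BackupDir) -and (Get-ChildItem $BackupDir -Force)) {
    throw "$BackupDir already contains files; use an empty folder."
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
icacls $BackupDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null

# Step 1: private key and CA certificate (.p12) plus the certificate database.
$pw = Read-Host -AsSecureString 'Password to protect the CA private key backup'
Backup-CARoleService -Path $BackupDir -Password $pw

# Step 2: export the Configuration key under CertSvc.
reg.exe export $RegKey $RegFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Gate before Step 3: each artefact must exist and be non-empty.
$p12 = Get-ChildItem $BackupDir -Filter *.p12 -ErrorAction SilentlyContinue
$edb = Get-ChildItem (Join-Path $BackupDir 'DataBase') -Filter *.edb -ErrorAction SilentlyContinue
$reg = Get-Item $RegFile -ErrorAction SilentlyContinue
$ok  = @($p12, $edb, $reg) | ForEach-Object { [bool]($_ | Where-Object Length -gt 0) }
if ($ok -contains $false) { throw 'Backup incomplete: do not uninstall the CA role yet.' }

# Record hashes next to (not inside) the backup folder for the transfer check.
Get-BackupManifest $BackupDir | Export-Csv "$BackupDir.sha256.csv" -NoTypeInformation
# On the NEW server, after copying the folder and the CSV, before Step 5:
#   Compare-Object (Import-Csv C:\CABackup.sha256.csv) (Get-BackupManifest C:\CABackup) -Property File, SHA256
# No output means every file arrived unchanged.
```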




Step 3: Uninstall CA Service From the Old Server

Server Manager > Local Server > scroll down to Roles and Features > select Tasks > Remove Roles and Features > untick Active Directory Certificate Services > click Next > complete the wizard.

After the uninstallation, reboot the server.


Step 4: Install CA Role on the New Server

Start Server Manager > Add Roles and Features > Next > Next > select Active Directory Certificate Services > Next > select Certification Authority > complete the wizard.



Step 5: CA Post Deployment Configuration

On Server Manager, we can see a pending configuration for CA. Click Configure...


Select Certification Authority



Select Enterprise CA



Choose Root CA



Choose Use existing private key



Click Import



Browse the private key file and enter its password



Click Next



Click the Configure button







Step 6: Restore CA Configuration and Registry

Start Certification Authority Console > Right click server > All Tasks > Stop Service




Right-click the server > All Tasks > choose Restore CA

The private key file and the database folder must be in one folder (CABackup). Browse to that folder and click Next


Enter private key password


Complete the wizard


Select No at the prompt, because we still need to modify and merge the registry backup file.



Right-click the registry file and select Merge.



Now we can start the CA service. The CA configuration will retain the CA name of the former server because of the restore.

Finally, we need to re-issue the certificates we had on the old server. Right-click Certificate Templates > New > Certificate Template to Issue > select the certificates you need to use.
