You are currently reviewing an older revision of this page.
Go to current version

Organizations have different reasons and requirements for upgrading or migrating to Active Directory Certificate Services (AD CS). They include:

  • An existing, properly implemented, and operating public key infrastructure (PKI) may require an upgrade to a newer Windows version to make use of new features.
  • Organizations may need to change or optimize their existing PKI. For example, the certification authority (CA) may have been installed on a domain controller, or incorrect configuration options may have been selected. To change the AD CS implementation so that it follows deployment best practices requires migration. In these cases, upgrading is optional and can be performed after the migration has been completed successfully.
  • Microsoft defines and publishes a support lifecycle for each of its products. We recommend upgrading to a newer product before the support lifecycle of a product has ended. For example, CAs running on the Microsoft Windows 2000 Server operating system should be upgraded to Windows Server® 2003 to be supported and can then be upgraded to Windows Server 2008.
  • Company mergers and reorganizations are a challenge for information technology (IT) departments and can be especially challenging for the PKI deployment. A PKI can be affected if organizational changes require naming changes or consolidation, or when encrypted information must be transferred to a new owner and encryption certificates be made available to the new owner.
Follow These Steps To Migrate A Root CA from 2003, to 2008/2008-R2/2012:

  • Backing up the CA on the first computer

  • Restoring the CA on the second computer

To back up a CA

  1. Open the Certification Authority snap-in.

  2. In the Certification Authority snap-in, right-click the A name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.

  3. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes.

  4. Specify an empty folder or storage media as the backup location, and then click Next.

  5. Type a password for the CA private key backup file, and type it a second time to confirm the password.

  6. Click Next, verify that the Private Key and CA Certificate and Issued Log and Pending Requests backup settings are displayed, and then click Finish.

  7. Click Start, click Run, type regedit, and then click OK.

  8. Locate and right-click the following registry subkey:


  9. Click Export.

  10. Save the registry file in the CA backup folder that you used for the Certification Authority Backup Wizard.

  11. Uninstall the CA from the old server, and then rename the old server or permanently disconnect it from the network.

Before you begin the restore procedure, confirm that the %Systemroot% folder of the target server running Windows Server 2008 matches the %Systemroot% folder of the server from which the backup is taken.

In addition, the location of the CA restore must match the location of the CA backup. For example, if you back up the CA from the D:\Winnt\System32\Certlog folder, you must restore the backup to the D:\Winnt\System32\Certlog folder. After you restore the backup, you can move the CA database files to a different location.

To restore a CA on a new server from a backup copy

  1. Open Server Manager, and click Active Directory Certificate Services. Click Next two times.

  2. On the Select Role Services page, select the Certification Authority check box, and then click Next.

  3. On the Specify Setup Type page, click either Standalone or Enterprise, and then click Next.

  4. On the Specify CA Type page, click the appropriate CA type, and then click Next.

  5. On the Set Up Private Key page, click Use existing private key, click Select a certificate and use its associated private key, and then click Next.

  6. On the Select Existing Certificate page, click Import, type the path of the .P12 file in the backup folder, type the password that you chose in the previous procedure to protect the backup file, and then click OK.

  7. In the Public and Private Key Pair dialog box, verify that Use existing keys is selected.

  8. Click Next two times.

  9. On the Configure Certificate Database page, specify the same location for the certificate database and certificate database log as on the previous CA computer. Click Next.

  10. On the Confirm Installation Options page, review all of the configuration settings that you have selected. If you want to accept all of these options, click Install and wait until the setup process has finished.

  11. Open the Services snap-in to stop the Active Directory Certificate Services (AD CS) service.

  12. Locate the registry file that you saved in the backup procedure, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly.

  13. Open the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA to open theCertification Authority Restore Wizard.

  14. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes.

  15. Type the backup folder location, and then click Next.

  16. Verify the backup settings. The Issued Log and Pending Requests settings should be displayed.

  17. Click Finish, and then click Yes to restart AD CS when the CA database is restored.

Revert to this revision