Migrating a two-tier PKI with an Offline Root CA and a subordinate CA from 2012 R2 to 2019

Jose R 1 Reputation point
2020-12-21T01:36:21.737+00:00

I need to migrate our older PKI infrastructure to keep up with the updated OS.
Removing the whole PKI, building a new one and reissuing all certs would require an unacceptable maintenance window.
I found several blogs and articles on how to do it with a single tier and/or with the same computer name and IP, but that's not my case.

We have an Offline Root CA and an Enterprise Subordinate CA.
Both have a published "CA Name" that is different from the computer name (NetBIOS or FQDN).
CDP and AIA use a DNS alias in the http location.

We need to move the Enterprise SubCA to a LAN-accessible VM on Azure, so no in-place upgrade is possible.

  • CA name will be the same
  • IP address of the CA server will be different
  • Hostname of the CA server will be different.

Would a method like the one in the link below be valid for SubCAs too?
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019

I also read that if the new server has a different ComputerName, the registry backup of the CA branch should be edited to reflect the new one before merging.
Like:
Moving Certificate Services To Another Server

Thanks in advance,
Jose


5 answers

  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2020-12-21T03:45:51.017+00:00

    Hi,

    Based on my understanding, it should be OK.
    When migrating the CA, we just need to keep the CA name the same as the old one.
    The Hostname and the IP of the CA can be different from the old one.
    This guide can be used to migrate a CA from a source server that is also a domain controller to a destination server with a different name. Following link for your reference:
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486797(v=ws.11)

    Best Regards,

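    The backup, registry fix-up and restore sequence that the linked guide describes, written out as an added PowerShell example. This is not code from the guide or from any poster in this thread; the CA name (Corp-SubCA), the old and new host names (OLDCA / NEWCA) and the backup path are assumptions chosen for illustration.

```powershell
# Added example: move an Enterprise SubCA to a host with a different name while
# keeping the CA name, certificate and key. All names below are assumptions,
# not values from the thread. Run each phase in an elevated PowerShell on the
# server named in the phase comment.

$CAName     = 'Corp-SubCA'              # the published CA name (stays the same)
$OldHost    = 'OLDCA.mydomain.local'    # source server FQDN
$NewHost    = 'NEWCA.mydomain.local'    # destination server FQDN
$BackupPath = 'C:\CABackup'
$RegKey     = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# ---- Phase 1: on the source (2012 R2) SubCA ----
# Stop issuing so the database is consistent, then back up key, cert and
# database. The password protects the SubCA private key (in $CAName.p12).
Stop-Service CertSvc
$pw = Read-Host -AsSecureString 'Password for the CA key backup'
Backup-CARoleService -Path $BackupPath -Password $pw -KeepLog -Force

# Export the CA configuration branch: CA name, publication URL templates,
# audit settings and CAServerName all live here.
reg export $RegKey "$BackupPath\CertSvc.reg" /y

# Keep the list of templates the CA issues, to compare on the destination.
certutil -catemplates > "$BackupPath\templates.txt"

# ---- Phase 2: on the destination (2019) server, after copying $BackupPath ----
# Install the role against the existing SubCA certificate so the CA name and
# key are reused; nothing is requested from the offline root.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CertFile "$BackupPath\$CAName.p12" -CertFilePassword $pw -Force

# Restore the database over the empty one the install created.
Stop-Service CertSvc
Restore-CARoleService -Path $BackupPath -DatabaseOnly -Force

# The exported .reg still carries the old host in CAServerName. Rewrite it
# before importing. reg.exe writes UTF-16, so keep that encoding on output.
$regText = Get-Content "$BackupPath\CertSvc.reg" -Raw
$regText = $regText -replace [regex]::Escape($OldHost), $NewHost
$regText | Set-Content "$BackupPath\CertSvc-new.reg" -Encoding Unicode
reg import "$BackupPath\CertSvc-new.reg"

# Sanity checks: the CA must answer under the old CA name on the new host.
Start-Service CertSvc
certutil -getreg CA\CAServerName
certutil -ping
certutil -catemplates
```

    Read the rewritten .reg before importing it: the old host may also appear in its short NetBIOS form, and the replacement above only matches the FQDN you gave it. The publication URL values themselves use %1/%3/%4 tokens rather than a literal host name, so they survive the move unchanged.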

  2. Thameur-BOURBITA 32,501 Reputation points
    2020-12-21T10:40:51.107+00:00

    Hi,

    Would a method like the one in the link below be valid for SubCAs too?

    Yes, it is still valid, because you will keep the same certificate with its private key and the same CA Name.

    If you change the IP and VLAN, you have to check that all the required network flows are opened as they were for the old IP.

    Please don't forget to mark this reply as the answer if it helps you to fix your issue.


  3. Jose R 1 Reputation point
    2020-12-21T12:51:22.37+00:00

    Thanks. I'll see how it goes and let you know.

    Jose


  4. Jose R 1 Reputation point
    2020-12-21T13:44:49.753+00:00

    Reviewing the process, I found that on my current SubCA, the AIA URL points to:

    http://corp-ca.mydomain.local/pki/<ServerDNSName>_<CaName><CertificateName>.crt

    Although the FQDN part would stay the same by changing the CNAME target to the new server, the "ServerDNSName" part of the file name would be different.

    How should I cope with that?
    Should I add a new file and http location with the ServerDNSName part "static" using the "old" server DNS name until all certs issued by that server expires?

    Jose


  5. Thameur-BOURBITA 32,501 Reputation points
    2020-12-23T00:02:21.253+00:00

    Hi,

    I think the best way is to keep the same name.

    You can manually duplicate the SubCA certificate on the web server where the old AIA URL points and rename it to match the name in the old AIA URL.

    Please don't forget to mark this reply as the answer if it helps you to fix your issue.

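    The "copy the SubCA certificate under the old file name" approach from the answer above, as an added PowerShell example that also shows where the <ServerDNSName>_<CaName><CertificateName> pattern comes from and how to verify both names afterwards. This is not code from any poster; the host names, CA name, web share and alias are assumptions, and the script expects to run on the migrated SubCA (ADCSAdministration module present).

```powershell
# Added example: keep the old AIA file name resolvable after the host rename.
# Assumed values, not from the thread: old host OLDCA, new host NEWCA, CA name
# Corp-SubCA, an IIS folder reachable as the UNC share \\corp-ca...\pki$ and
# published at http://corp-ca.mydomain.local/pki.

$OldHost = 'OLDCA.mydomain.local'
$NewHost = 'NEWCA.mydomain.local'
$CAName  = 'Corp-SubCA'
$WebRoot = '\\corp-ca.mydomain.local\pki$'    # file location behind the alias
$Alias   = 'http://corp-ca.mydomain.local/pki'

# The templates store %1 (ServerDNSName), %3 (CaName), %4 (CertificateName,
# empty for the first key and "(1)" etc. for renewals) and %8 (CRLNameSuffix).
# The MMC shows them as <ServerDNSName>_<CaName><CertificateName>.crt.
Get-CAAuthorityInformationAccess | Select-Object -ExpandProperty Uri
Get-CACrlDistributionPoint        | Select-Object -ExpandProperty Uri

# After the move the CA publishes its certificate under the new %1 value, but
# every certificate already issued still points at the old name. Copy each
# <NewHost>_<CAName><n>.crt from CertEnroll to the web root twice: once under
# its own name and once with the old host substituted.
$enroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$published = @()
Get-ChildItem $enroll -Filter "${NewHost}_${CAName}*.crt" | ForEach-Object {
    $oldName = $_.Name -replace [regex]::Escape($NewHost), $OldHost
    Copy-Item $_.FullName (Join-Path $WebRoot $_.Name)  -Force
    Copy-Item $_.FullName (Join-Path $WebRoot $oldName) -Force
    $published += $_.Name, $oldName
}
# CRL names are %3%8.crl (no host part), so they need no copy unless the CDP
# output above shows a %1 in the http template.

# Verify: both names must download with HTTP 200 and carry the same SHA-256,
# i.e. clients get the identical SubCA certificate whichever URL they follow.
$tmp = Join-Path $env:TEMP 'aia-check.crt'
foreach ($n in $published) {
    $r = Invoke-WebRequest -Uri "$Alias/$n" -OutFile $tmp -PassThru -UseBasicParsing
    $h = (Get-FileHash $tmp -Algorithm SHA256).Hash
    '{0,-55} HTTP {1}  SHA256 {2}' -f $n, $r.StatusCode, $h
}
Remove-Item $tmp -ErrorAction SilentlyContinue

# End-to-end check from any domain client, using a cert issued before the
# move: -urlfetch retrieves AIA and CDP exactly as written in that cert.
# certutil -verify -urlfetch C:\Temp\issued-before-migration.cer
```

    The copy changes nothing about trust: it is the same SubCA certificate with the same key, served under a second name, which is why the hashes must match. New certificates issued after the move carry the new %1 name automatically, so the duplicate is only needed until the last certificate issued by the old host expires or is renewed.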