I need to migrate our older PKI infrastructure to keep up with the updated OS.
Removing the whole PKI, building a new one and reissuing all certificates will require an unacceptable maintenance window.
I found several blogs and articles on how to do it with a single tier and/or with the same computer name and IP, but that's not my case.
We have an offline Root CA and a Subordinate CA (Enterprise).
Both have a published "CA Name" different from their computer names (NetBIOS or FQDN).
CDP and AIA use a DNS alias in the http location.
We need to move the Enterprise SubCA to a LAN-accessible VM on Azure, so no in-place upgrade is possible.
- CA name will be the same
- IP address of the CA server will be different
- Hostname of the CA server will be different

Would a method like the one in the link below be valid for SubCAs too?
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
I also read that if the new server has a different ComputerName, the registry backup of the CA branch should be edited to reflect the new one before merging.
Like:
Moving Certificate Services To Another Server
Thanks in advance,
Jose