Currently, we have 3 CA servers (two Windows 2012 servers one of which is also DC and one Windows 2016). We would like to export all active certificates from two Windows 2012 servers and then remove CA services from those two servers. We just want to have one CA server – Windows 2016. Right now, all three servers are issuing certificates. When we have new computer setup, any one of these CA servers issue the license.
On first Windows 2012 CA server (also DC), it has about 1300 certificates with 900 already expired (so about 400 active).
On the second Windows 2012 CA server, it has about 800 certificates and half of them are already expired.
On 3rd Windows 2016 CA server that we would like to keep, it has about 900 certificates with 450 already expired.
What is the best way to handle this situation? Any recommendation would be greatly appreciated.