PKI Infrastructure Upgrade
Overview
Certification authorities (CAs) are the central component of a public key infrastructure (PKI). A CA is designed to exist for many years, and during that time the hardware that hosts it will probably be upgraded; this article covers that upgrade.
Upgrade Implementation Steps
Steps for upgrading an existing Windows Server 2012 Certification Authority (PKI infrastructure) to Windows Server 2022.
- Provision at least 3 new Windows Server 2022 servers (1 of them the offline server).
- Power on the existing root CA server.
- Back up the current 2012 CS server's CA database and configuration.
- Export the certificate database from the root CS and the intermediate CAs.
- Export the current 2012 CS server registry keys:
  - Open regedit.
  - Go to HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Services -> CertSvc -> Configuration, right-click the subkey named after the CA (the DB cert store name) and click Export.
- Remove all the 2012 CS roles from the current Windows servers.
- Install the CS role on the new 2022 Windows servers.
- Open the registry backup file in Notepad, find the "CAServerName" attribute in it, and change it to the FQDN host name of the new CA server you are importing to.
- After the configuration setup, stop Certificate Services:
  - net stop certsvc
- Import the registry key after updating the hostname in it (right-click the .reg file and select Merge).
- Now restore, on the 2 new intermediate CS servers, the backup configuration that was exported from the old CA servers.
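The registry part of the procedure above (export the CertSvc configuration on the old CA, change CAServerName to the new FQDN, stop certsvc and merge the file on the new CA), as an added PowerShell example that is not part of the original runbook. The backup folder and both FQDNs are placeholders; the function names are this example's own.

```powershell
# Added example: scripts the registry export / CAServerName rewrite / import steps.
# Placeholder values, replace before use.
$BackupDir = 'C:\CABackup'
$RegFile   = Join-Path $BackupDir 'certsvc-config.reg'
$OldFqdn   = 'oldca.corp.example'   # placeholder: old 2012 CA host
$NewFqdn   = 'newca.corp.example'   # placeholder: new 2022 CA host

# Step 1 (run on the OLD CA): export the whole Configuration key; the per-CA
# subkey beneath it holds the CAServerName value.
function Export-CertSvcConfig {
    param([string]$Path)
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $Path /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
}

# Step 2: rewrite CAServerName in the .reg file. reg.exe writes UTF-16 LE, so the
# file is read and written back as Unicode. Refuses to continue unless exactly one
# CAServerName line carries the old FQDN, so a wrong file or wrong name is caught.
function Update-CAServerName {
    param([string]$Path, [string]$OldName, [string]$NewName)
    $lines   = Get-Content -Path $Path -Encoding Unicode
    $pattern = '^"CAServerName"="' + [regex]::Escape($OldName) + '"$'
    $hits    = @($lines | Where-Object { $_ -match $pattern })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one CAServerName=$OldName entry, found $($hits.Count)"
    }
    $updated = $lines -replace $pattern, ('"CAServerName"="' + $NewName + '"')
    Set-Content -Path $Path -Value $updated -Encoding Unicode
}

# Step 3 (run on the NEW CA after the AD CS role is installed): verify the file
# names this host, stop certsvc, then import (the scripted form of right-click > Merge).
function Import-CertSvcConfig {
    param([string]$Path, [string]$ExpectedFqdn)
    $localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($localFqdn -ne $ExpectedFqdn) {
        throw "This host is $localFqdn but the .reg file targets $ExpectedFqdn"
    }
    Stop-Service -Name certsvc -Force
    reg.exe import $Path
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
}

# Usage, one call per host:
# Export-CertSvcConfig -Path $RegFile                                 # on the old CA
# Update-CAServerName  -Path $RegFile -OldName $OldFqdn -NewName $NewFqdn
# Import-CertSvcConfig -Path $RegFile -ExpectedFqdn $NewFqdn          # on the new CA
```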
Backup CA Database
- Note the certificate templates that are configured in the Certificate Templates folder in the Certification Authority snap-in. The Certificate Templates settings are stored in Active Directory. They are not automatically backed up. You must manually configure the Certificate Templates settings on the new CA to maintain the same set of templates.
- Use the Certification Authority snap-in to back up the CA database and private key. To do this, follow these steps:
  - In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.
  - Click Next, and then click Private key and CA certificate.
  - Click Certificate database and certificate database log.
  - Use an empty folder as the backup location. Make sure that the backup folder can be accessed by the new server.
  - Click Next. If the specified backup folder does not exist, the Certification Authority Backup Wizard creates it.
  - Type and then confirm a password for the CA private key backup file.
  - Click Next, and then verify the backup settings. The following settings should be displayed:
    - Private Key and CA Certificate
    - Issued Log and Pending Requests
  - Click Finish.
Roll-back Steps
- Remove the CS role from the new 2022 Windows servers.
- Install the CS role on the old 2012 Windows servers.
- Edit the "CAServerName" attribute in the registry backup file back to the old CA's FQDN host name.
- Restore the backup configuration and registry key on the old 2012 CS servers.
- Start the CA services.