How to Upgrade an Offline Root CA in Windows Server?

Asked By TechieNinja21 On

Hey everyone,

I'm looking to upgrade our Certificate Authority (CA) from Windows Server 2012R2, and I'm a bit lost since I wasn't part of the original setup over a decade ago. We have an offline root CA that's only booted once a year for CRL publishing and maintenance, as well as an online intermediate CA and two CDP/AIA servers.

I've found some guides, but they don't cover my specific situation in detail. I'm wondering about the process for the offline root CA — do I need to uninstall the CA role from the old virtual machine? How will this affect Active Directory since the root CA isn't joined to it? Was it ever joined originally? Should I consider temporarily joining it just to remove the role, or am I overthinking this? Any advice on how to best handle this offline root would be greatly appreciated!

Also, I might have a follow-up question about domain controller cert key sizes if any MS CA experts are around. Thanks!

1 Answer

Answered By ServerGuru99 On

When I upgraded from 2012R2 to 2019 for some root CAs, I didn't remove the role on the old VM. I just backed up what I needed, powered it down, and renamed the VM. Your offline root shouldn't have ever been part of the domain, and you definitely shouldn't make it domain-joined now. Keeping it isolated is a good practice.

TechieNinja21 -

Thanks for confirming! It makes sense now and I feel a bit silly for stressing over this. I plan to tackle the root CA later today, then I can freak out about the online servers next!
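The "back up what I needed" step from the answer above, as an added PowerShell example that is not part of the original thread. It goes one step further and also shows the restore on the replacement server. The function names, backup path and file names are assumptions, and it assumes a standalone (non-domain-joined) root CA whose key is software-based. Run the first function on the old VM before powering it down, and the second on the new server.

```powershell
# Added example; function names, paths and file names are assumptions.
function Backup-OfflineRootCA {
    param(
        [Parameter(Mandatory)][string]$BackupDir,       # e.g. encrypted removable media
        [Parameter(Mandatory)][securestring]$Password   # protects the exported .p12
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # CA database plus the CA certificate and private key (.p12).
    # A key held in an HSM is not exported; follow the HSM vendor's process instead.
    Backup-CARoleService -Path $BackupDir -Password $Password

    # CDP/AIA URLs, CRL periods and validity settings live in the registry.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y | Out-Null

    # CAPolicy.inf is optional; keep it if the original build used one.
    $policy = Join-Path $env:windir 'CAPolicy.inf'
    if (Test-Path $policy) { Copy-Item $policy $BackupDir }

    # Hash manifest so the copy can be checked after transfer to the new server.
    $hashes = Get-ChildItem $BackupDir -Recurse -File | Get-FileHash -Algorithm SHA256
    $hashes | Export-Csv (Join-Path $BackupDir 'manifest.csv') -NoTypeInformation
}

function Restore-OfflineRootCA {
    param(
        [Parameter(Mandatory)][string]$BackupDir,
        [Parameter(Mandatory)][securestring]$Password
    )
    $p12 = Get-ChildItem $BackupDir -Filter *.p12 | Select-Object -First 1
    if (-not $p12) { throw "No .p12 found in $BackupDir" }

    # CAPolicy.inf must be in place before the role is configured.
    $policy = Join-Path $BackupDir 'CAPolicy.inf'
    if (Test-Path $policy) { Copy-Item $policy $env:windir }

    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
    # Reuse the existing root certificate and key instead of generating new ones.
    Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
        -CertFile $p12.FullName -CertFilePassword $Password -Force

    Stop-Service certsvc
    Restore-CARoleService -Path $BackupDir -DatabaseOnly -Force
    # Review the .reg file before importing: it carries values from the old host.
    reg.exe import (Join-Path $BackupDir 'CertSvc-Configuration.reg')
    Start-Service certsvc
}
```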
