I'm looking for some guidance on upgrading my Certificate Authority (CA) Windows servers. I currently have two CA servers: an offline root and an online issuing CA, both running Windows Server 2016. I'd like to upgrade to a more recent version of Windows. Is there a recommended method to set up new servers and transfer the CA database?
2 Answers
The best approach is to build new servers using Windows Server 2025. First, back up the CA database and keys using the command certutil -backupDB. After that, set up your new issuing CA and restore the database there. This way, you avoid the risks of an in-place upgrade and ensure that your CRL remains valid during the transition.
So just to confirm, it's back up the database, take down the old server from Active Directory, and then restore the backup to the new server with the same name, right?
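The backup, decommission and restore sequence discussed in this answer and the follow-up, written out as an added PowerShell example (not code from the original post or from Microsoft's migration guide). The CA name, backup path and certificate file name are placeholders, and the three phases run on different machines (old CA, new CA, new CA).

```powershell
# Added example: migrate an issuing CA by backup/restore instead of an in-place upgrade.
# Placeholders (assumptions, change for your environment):
$BackupDir = 'D:\CABackup'              # created on the OLD CA, then copied to the new server
$CAName    = 'CONTOSO-ISSUING-CA'       # must match the old CA's common name exactly
$CACert    = "$BackupDir\$CAName.p12"   # file name Backup-CARoleService writes for the key (assumed)
$KeyPwd    = Read-Host -AsSecureString 'Password protecting the exported CA key'

# ---- Phase 1: on the OLD issuing CA (Server 2016) ----
# Publish a fresh CRL first so clients still hold a valid CRL while the move happens.
certutil -crl
# Back up the database together with the CA certificate and private key
# (same result as certutil -backup; use -DatabaseOnly / -KeyOnly to split them).
Backup-CARoleService -Path $BackupDir -Password $KeyPwd
# The CA configuration (CRL periods, extensions, paths) lives in the registry, not the DB.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc.reg" /y
# CAPolicy.inf, if present, is not part of the database backup either.
Copy-Item "$env:SystemRoot\CAPolicy.inf" $BackupDir -ErrorAction SilentlyContinue
# Record the templates currently published so the new CA can be checked against them.
certutil -catemplates | Out-File "$BackupDir\templates-before.txt"
# Stop the CA so nothing is issued after the backup was taken.
Stop-Service certsvc

# ---- Phase 2: on the NEW server, joined to the domain with the SAME hostname ----
# (the old computer account was removed from Active Directory first, as the comment asks)
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# Reuse the existing CA certificate and key rather than generating a new one.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CertFile $CACert -CertFilePassword $KeyPwd -Force
# Restore the database over the empty one the installer created, then the registry config.
# Check the imported paths (DBDirectory, DBLogDirectory) exist on the new server before starting.
Stop-Service certsvc
Restore-CARoleService -Path $BackupDir -DatabaseOnly -Force
reg import "$BackupDir\CertSvc.reg"
Start-Service certsvc

# ---- Phase 3: verify on the NEW server ----
certutil -ping                      # the CA answers requests under the old name
certutil -crl                       # publish a CRL signed by the restored key
Compare-Object (Get-Content "$BackupDir\templates-before.txt") (certutil -catemplates)
```

The final Compare-Object should produce no output; any difference means a template was lost in the move and needs to be re-added before clients start enrolling against the new CA.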
My experience was a bit different, but I managed to upgrade both my offline root and subordinate CA to Server 2022 without issues. While an in-place upgrade (IPU) is supported, just make sure you have backups before starting. I went from 2012 R2 to 2019 and then 2022 for my offline root, and it was straightforward. The subordinate CA was already on Server 2019 and upgraded quickly to 2022.

I found Microsoft's documentation on this process helpful too! It outlines the migration steps clearly. Definitely avoid an in-place upgrade for the CA.