Migrate or Restore Windows Server 2012 R2 Certification Authority to a New Server

A complete backup of a Windows Server installation includes backups of its individual components, including the Certification Authority (CA) database and the CA's private key. Once the CA components are backed up, they can be restored to a new server.

Three main components need to be backed up if you want to migrate or restore a Windows Server 2012 R2 certification authority (CA):

  • The CA’s database
  • Private key
  • CA Registry settings

You will need a domain administrator account, or another user account that has both local administrator and CA administrator permissions, to log on to the Windows Server 2012 R2 machine and back up the CA database and private key. Open Server Manager from the Start screen or by clicking its icon on the desktop taskbar.

In Server Manager, go to the Tools menu and select Certification Authority. The CA console opens. Right-click the CA in the left pane, select All Tasks, and then select Back up CA. Under Items to back up, select both "Private key and CA certificate" and "Certificate database and certificate database log". Browse to the location where you want to store the backup files.

To protect the CA certificate and private key, enter a strong password and then click Finish.

Now right-click the PowerShell icon on the desktop taskbar and choose "Run as administrator".

Type "net stop certsvc" and press Enter so that the CA stops issuing certificates from this point on.

To back up most of the CA's configuration settings, which live in the system registry, type the following at the PowerShell prompt and press Enter:

reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "c:\CAbackup\CAregsettings.reg"

Replace "c:\CAbackup\CAregsettings.reg" with the correct path for your backup folder.

To restore the private key and CA database, log on to the new Windows Server 2012 R2 machine with a domain administrator account, or another user account that has full access to the local server and the CA. Open Server Manager and select Certification Authority from the Tools menu.

In the Certification Authority console, right-click the new CA in the left pane, select All Tasks, and then select Restore CA.

In the restore wizard, click Next on the welcome screen. On the Items to restore screen, check the following options:

  • Private key and CA certificate
  • Certificate database and certificate database log

Browse to the folder where the backup files are located and click OK to continue with the wizard.

Next is the password screen, where you enter and confirm the password that was used to protect the CA certificate and private key. Click Next and then finish the wizard. After the restore completes, you are prompted to restart the AD CS service; confirm by clicking Yes.

Now restore the CA's registry settings. First, back up the new server's default settings so you can roll back if anything goes wrong. Run PowerShell as administrator, type the following at the prompt, and press Enter:

reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "c:\CAbackup\defaultregsettings.reg"

Replace "c:\CAbackup\defaultregsettings.reg" with the correct path for your backup folder.

Now restore the registry settings that were exported from the source CA. Type "net stop certsvc" and press Enter to stop the AD CS service.

Type reg import "c:\CAbackup\CAregsettings.reg" and press Enter, replacing "c:\CAbackup\CAregsettings.reg" with the path and file name of the registry settings you backed up from the source CA.

The procedure above assumes that the source and target CAs have the same computer name and the same file paths, which in turn requires the two servers' disk configuration to be identical.

Finish the restore by restarting the AD CS service: type "net start certsvc" and press Enter at an elevated command prompt.
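The backup steps and the restore steps above can also be scripted. The following is an added example, not code from the original article; it uses the Backup-CARoleService and Restore-CARoleService cmdlets of the ADCSAdministration module that ships with the AD CS role, and the function names and the C:\CAbackup path are assumptions for illustration.

```powershell
# Added example: scripted equivalent of the manual backup and restore steps.
# Run in an elevated PowerShell prompt on the CA itself.
Import-Module ADCSAdministration

$RegKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Backup-CaToFolder {
    param(
        [Parameter(Mandatory)] [string] $BackupPath,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

    # CA certificate + private key and the database/log, protected by the
    # password (the same items the Back up CA wizard offers).
    Backup-CARoleService -Path $BackupPath -Password $Password -Force

    # Stop the CA so nothing is issued after the snapshot, then export the
    # configuration registry settings.
    Stop-Service certsvc
    reg export $RegKey (Join-Path $BackupPath 'CAregsettings.reg') /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed: exit code $LASTEXITCODE" }
}

function Restore-CaFromFolder {
    param(
        [Parameter(Mandatory)] [string] $BackupPath,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )
    # Keep the new server's default settings so the import can be rolled back.
    reg export $RegKey (Join-Path $BackupPath 'defaultregsettings.reg') /y

    Stop-Service certsvc
    Restore-CARoleService -Path $BackupPath -Password $Password -Force

    reg import (Join-Path $BackupPath 'CAregsettings.reg')
    if ($LASTEXITCODE -ne 0) { throw "reg import failed: exit code $LASTEXITCODE" }

    Start-Service certsvc
    # Confirm the restored CA responds before pointing clients at it.
    certutil -ping
}

# Usage on the source CA (constructed example path):
#   Backup-CaToFolder -BackupPath 'C:\CAbackup' -Password (Read-Host -AsSecureString 'Backup password')
# Usage on the target CA after copying C:\CAbackup across:
#   Restore-CaFromFolder -BackupPath 'C:\CAbackup' -Password (Read-Host -AsSecureString 'Backup password')
```

As with the manual procedure, the registry import assumes the target server has the same computer name and file paths as the source; check the values in CAregsettings.reg before importing if that is not the case.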
