2000 to 2008 R2 Certificate Authority Migration - Needs a CA Expert

Posted on 2011-10-17
Last Modified: 2012-06-21
inf02 = 2000 CA
inf03 = 2008 R2 CA


I have a 2008 R2 AD at that level. I understand that there is no migration path from 2000 to 2008 R2 because it would be a 32 to 64 bit change. A 2008 R2 CA has been installed alongside a 2000 CA. The goal is to direct new clients to the new 2008 R2 CA through manual and autoenrollment, and then decommission the 2000 CA.

On inf03 in Server Manager\AD Certificate Services\Enterprise PKI I see inf02 (v3.0) and the new CA is listed as inf03 (v0.0).  In AD Sites and Services\Services\Public Key Services, I see both CAs listed under AIA and CDP.  My certificate templates appear to show updated certificate template.  Certutil.exe -dump shows a certificate for both CAs when run from either the 2000 or 2008 R2 CA command prompt.

Before I try to move this forward and create an enrollment policy, I wanted to see if there is a CA Expert that has experience with this situation.


Question by:MOITExperts
    LVL 15

    Expert Comment

    Well, I used to teach the Microsoft PKI Certification class and I also co-wrote a book on PKI...

    Why are you going direct from 2000 to 2008 R2?
    If you want to keep your certificates, might I suggest that you upgrade your PKI to Server 2003, then from server 2003 to 2008 R2.

    From 2000 CA to 2003 CA

    From 2003 to 2008

    Author Comment


    Thank you for your response.  

    The current 2000 box that is hosting our Enterprise CA has only 1.6 GB free. I'm not able to do an in-place upgrade of 2000 to 2003.

    Also, it is our central threat management server. The security admin is not able to move those services to another box, and the 2000 instructions state that the source CA must be renamed and removed from the network.

    Also the second link you sent states that a 32 to 64 bit upgrade is not possible.  In the link below, MS states that 2008 R2 is 64 bit only, there is no OS upgrade path, the CA DB cannot be migrated.  Therefore a new CA will need to be created and the 2000 CA decommissioned.

    Thanks for the comment!

    LVL 31

    Accepted Solution

    If your root was still on 2000 then it's probably getting about time to rekey anyway, which would mean a new root deployment regardless. Upgrading a CA twice is just a lot of work, and although 32 to 64 bit is actually possible (contrary to much early mis-documentation), my recommendation is to start clean and do a gentle migration to the new CA rather than risk everything by upgrading the existing box and migrating the hardware.


    Get your new CA up and running, create a test template and verify that everything is working right for autoenrollment, manual enrollment, etc. Once you feel comfortable, issue an existing template over to the new CA and then delete it from the old CA (read: delete from certsrv.msc - certificate templates... do not delete from the certificate templates MMC certtmpl.msc). If you have a lot of clients, you should see results automatically; if not, you can use the templates MMC to right-click the template and re-enroll all certificate holders if you want to force it.

    When you're done, query the certificate database for the template you are using and filter the results for expiration date after right now. Compare the results from both CAs; use a windiff program or use findstr in a batch file if it's messy.

    Special note: pay attention to user encryption certificates (e.g. EFS or email encryption) to make sure you set up your new KRA and/or EFS DRA certificates early. Also do the EFS certs separately from the machine certs, since they directly involve people. Set up a small pilot group to make sure everything goes smoothly (it should, but upgrading anything seems to cause an issue for somebody somewhere).

    When you're confident everything is migrated over, then you are ready to decommission the old CA - see

    If there's anything specific you're worried about, please ask.
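One way to do the certificate-database comparison described in the accepted solution, as an added PowerShell example (not code from the thread or from any of the posters). It assumes certutil's `-restrict`/`csv` output and uses placeholder CA config strings and a placeholder template name; the hostnames inf02 and inf03 come from the question, but the CA common names and template do not appear on the page and must be filled in.

```powershell
# Added example: list still-valid certificates for one template on the old (2000) and
# new (2008 R2) CA, then report requesters that have not yet re-enrolled on the new CA.
# Placeholders (assumptions, not values from the thread): CA common names and template.
$OldCa    = 'inf02\OLD-CA-COMMON-NAME'   # host\CA common name of the 2000 CA
$NewCa    = 'inf03\NEW-CA-COMMON-NAME'   # host\CA common name of the 2008 R2 CA
$Template = 'TEMPLATE-NAME-OR-OID'       # v1 templates are stored by name, v2+ by OID

function Get-ValidCertsFromCa {
    param([string]$Config, [string]$Template)
    # -restrict filters the issued-certificates table on the CA itself;
    # "NotAfter>now" drops anything already expired. The trailing "csv" keyword
    # makes certutil emit comma-separated rows that ConvertFrom-Csv can read.
    $raw = & certutil.exe -config $Config -view `
        -restrict "CertificateTemplate=$Template,NotAfter>now" `
        -out 'RequestID,RequesterName,SerialNumber,NotAfter' csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed against $Config" }
    # Force our own column names (certutil's header row uses display names) and keep
    # only real data rows: the header and the trailing "command completed" line have
    # no numeric RequestID and are discarded.
    $raw | ConvertFrom-Csv -Header 'RequestID','RequesterName','SerialNumber','NotAfter' |
        Where-Object { $_.RequestID -match '^\d+$' }
}

$old = @(Get-ValidCertsFromCa -Config $OldCa -Template $Template)
$new = @(Get-ValidCertsFromCa -Config $NewCa -Template $Template)

# Requesters that still hold a live cert from the old CA but have none from the new CA.
$missing = @(Compare-Object -ReferenceObject  @($old.RequesterName | Sort-Object -Unique) `
                            -DifferenceObject @($new.RequesterName | Sort-Object -Unique) |
             Where-Object { $_.SideIndicator -eq '<=' } |
             Select-Object -ExpandProperty InputObject)

"Valid on old CA: $($old.Count)  Valid on new CA: $($new.Count)  Not yet re-enrolled: $($missing.Count)"
# Persist the list so it can be re-run during the pilot and before decommissioning.
$missing | Sort-Object | Set-Content -Path ".\not-yet-migrated.txt"
```

Run it from a machine that can reach both CAs as an account with Read access on each CA; the output file should shrink to zero entries before the old CA is retired.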
    LVL 27

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
