Decommission / migrate root forest Certificate Authority.

What are the best steps to decommission / migrate an enterprise CA, its installed on a domain controller, its the last 2003 DC in the environment so I'd like to decommission the so we can raise domain function level.

It only has 16 Domain Controller Certificates Issued, so isn't doing much since migrating off Lync etc, all the old expired web server certs have been revoked.

Once complete we will bring in a 2012R2 CA for general use (on a member server not a DC I know).

So can we uninstall the CA and build a new one or migrate some how?

Who is Participating?
MaheshConnect With a Mentor ArchitectCommented:
backup old CA along with database and certificate - MS documentation is available for same
uninstall CA authority from 2003 CA (DC)
decommission 2003 DC after CA removal
now raise your functional levels and you have two options now
either restore above backup on new 2012 server as restored CA with same name as old 2003 OR
you can ignore old unused CA and create brand new enterprise CA
David FavorConnect With a Mentor Linux/LXD/WordPress/Hosting SavantCommented:
This is very easy.

Just do nothing.

Applications using CAs - browsers, email, etc... - access many CAs, so when you add a private/custom CA, you're just adding another CA to a list.

Just create your new CA + add it to your application's CA list.

Or better, use which has been offering free SSL certs for years.

Using LE, means you skip the entire private CA generation step, as the LE issuer chain is baked into all SSL aware tools at this point.
RCoTeamAuthor Commented:
thanks Mahesh, I thought as much.   That's what I've now done, looks good.
Help close
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.