We are looking to replace/upgrade our existing Windows Server 2008 R2 Certificate Authority servers. There is the root server, which is non-domain-joined, and a SubCA, which is domain-joined. The private key expired about 5 years ago and was never renewed. We are building new 2019 CA servers. Do I try to renew and then move the old expired server over to the new servers, or just start from scratch and create a new private key?
Since the 2008 expired 5 years ago, there are no current valid certificates in circulation.
There are no certificates that need to be revoked/etc.
You can, as you have, start from scratch, and once you complete the new CA, you can add/register it in AD while removing the old record. You can then update the certificates on the issuing CAs by having their certs signed by the new CA (potentially after you update the cipher from SHA to SHA256, if not done already).
You would also need to publish the new CA's certificate as a trusted authority in the AD GPO ....
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects
https://social.technet.microsoft.com/Forums/windowsserver/en-US/feaca926-d364-4bb5-80bf-aed01159e634/how-to-deleteremove-a-root-ca-that-got-published-into-ad-via-certutil-dspublish-myrootcacrt
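Added example, not from either poster in this thread: a PowerShell pre-flight script for the steps the answer describes. It checks what the old issuing CA's certificate was signed with and whether it is really expired, counts any still-unexpired certificates in the old CA database (the "nothing left to revoke" claim), and, only when run with `-Publish`, pushes the new root and issuing CA certificates into AD with `certutil -dspublish` and prints the `certutil -viewdelstore` command for the old root object. All names are assumed placeholders: `oldsubca.example.local\Example-SubCA`, `Example-RootCA`, `C:\pki\NewRoot.cer`, `C:\pki\NewSubCA.cer` and the `example.local` forest; change them before use.

```powershell
<#
  Added example (not from the original thread). Pre-flight checks for retiring an
  expired Windows CA and publishing its replacement into AD.
  Assumed placeholders: old issuing CA config string "oldsubca.example.local\Example-SubCA",
  old root CA name "Example-RootCA", new certs at C:\pki\NewRoot.cer / C:\pki\NewSubCA.cer,
  forest example.local. Run on a domain-joined host with Enterprise Admin rights.
#>
param(
    [string]$OldCaConfig = 'oldsubca.example.local\Example-SubCA',  # assumed
    [string]$NewRootCer  = 'C:\pki\NewRoot.cer',                     # assumed
    [string]$NewSubCaCer = 'C:\pki\NewSubCA.cer',                    # assumed
    [switch]$Publish    # nothing is written to AD unless this switch is given
)

# --- 1. Inspect the old issuing CA's own certificate (local machine "My" store on the CA host)
$oldCaCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=Example-SubCA*' } |   # assumed subject name
    Sort-Object NotAfter -Descending | Select-Object -First 1

if ($oldCaCert) {
    $expired = $oldCaCert.NotAfter -lt (Get-Date)
    'Old CA cert : {0}' -f $oldCaCert.Thumbprint
    'Expires     : {0}  (expired: {1})' -f $oldCaCert.NotAfter, $expired
    'Signed with : {0}' -f $oldCaCert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA
    if ($oldCaCert.SignatureAlgorithm.FriendlyName -match 'sha1') {
        'Old chain is SHA-1 signed; build the new CAs with SHA256 from the start.'
    }
} else {
    'No certificate matching the assumed subject found in Cert:\LocalMachine\My'
}

# --- 2. Any issued certificates from the old CA that have not expired yet?
# Disposition=20 is "issued". Every row returned here would still need a revocation
# and CRL story before the old CA can be switched off; zero rows backs the answer's claim.
$viewOutput = & certutil -config $OldCaConfig -view `
    -restrict 'Disposition=20,NotAfter>now' `
    -out 'RequestID,CommonName,NotAfter' 2>&1
$rows = ($viewOutput | Select-String -Pattern '^Row \d+:').Count
"Unexpired issued certificates in old CA database: $rows"

# --- 3. Publish the new chain into AD so domain members pick it up through Group Policy
#  RootCA   -> CN=Certification Authorities container (becomes Trusted Root on clients)
#  NTAuthCA -> NTAuthCertificates store; needed before certs from the new issuing CA
#              are accepted for smart-card or other domain logon
#  SubCA    -> CN=AIA container for intermediate chain building
if ($Publish) {
    & certutil -dspublish -f $NewRootCer  RootCA
    & certutil -dspublish -f $NewSubCaCer NTAuthCA
    & certutil -dspublish -f $NewSubCaCer SubCA
    & gpupdate /force
    # Show what the enterprise (AD-sourced) stores now hold, for verification
    & certutil -enterprise -store Root
    & certutil -enterprise -store NTAuth
}

# --- 4. Removing the old root's published object, once the new chain is verified.
# certutil -viewdelstore is interactive: it lists the cACertificate values on the
# object and lets you delete the stale one. Same approach as the Microsoft
# decommissioning article; the DN below is an assumed placeholder.
$oldRootDn = 'CN=Example-RootCA,CN=Certification Authorities,CN=Public Key Services,' +
             'CN=Services,CN=Configuration,DC=example,DC=local'
'To remove the old root object after the new chain is trusted, run:'
"certutil -viewdelstore `"ldap:///$oldRootDn?cACertificate?base?objectClass=certificationAuthority`""
```

Run it once without `-Publish` on the old SubCA host to get the expiry, signature-algorithm and unexpired-cert report; if the database count is zero, there is nothing to carry over and a fresh key on the new 2019 CAs is the simpler path. The `-Publish` run belongs on a domain-joined host after the new root and issuing CA are built, and the old root object is removed last, only after clients are seen trusting the new chain.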