Upgrade your Root CA to Windows 2012 R2 – PKI

I was doing an upgrade for a Certificate Authority Windows Server acting as a stand alone Root CA from Windows 2008 R2 to Windows 2012 R2. The procedure is the same if you are upgrading form previous Windows versions.

To the upgrade, you have to do the following:

  • Backup the old Root CA.
  • Install Certificate Services in a new Windows 2012 R2.
  • Restore the DB, Private Key, and the CertSvc registry key on the Windows 2012 R2 server.
  • Perhaps decommission or destroy the old Root CA.

Backup the old Root CA

Let me say this. A Certification Authority Service is nothing but three components:

  1. The Certification Authority Private Key.
  2. The Certification Authority Database Files (DB and Log) : here is where all issuer and revoked certificate information resides.
  3. The Certification Authority Configuration : This is where all CA settings are preserved, like the CA CDP and AIA locations. The whole configuration is stored in this registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc].

Certificate templates are stored in Active Directory under the Configuration Partition, so no need to worry about them.

 So let us start performing a full backup of the old CA server:

  • Log on to your Root CA, open the Certificate Authority console.
  • Right click the CA name and go to All Tasks> Back up CA..


  • Click Private key and CA Certificate and Certificate database and certificate database log. Choose a backup directory
  • You have to protect the exported private key with a password. Enter a strong password. Click Next and you are done.



  • Now open the registry and Export the following registry: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc.


  • It is also a good idea to backup the CAPolicy.inf file located at C:\Windows directory if it exist.
  • Finally, make sure you document the state of the old Root CA, like:
    • Server Name
    • Drives layout
    • Location of the folders where the CA database and logs are stored
  • I also recommend taking Full Server Backup and System State backup to the old Root CA server just in case. System State backup is the best bit for restoring a CA server.

Note: A good way to document the configuration of the CA is to use certutil –getreg command [check this article]. You can output the result in text file if you want by typing:

certutil –getreg  > C:\oldCA_config.txt


Restore Root CA to Windows 2012 R2

Install Windows 2012 R2 on a new server with same name and drives layout, make sure it is fully patched, and then follow the below steps:

  • If in the old Root CA, you are storing the CA database in C:\DB and the CA DB logs at C:\Logs, then make sure to create these folders in advance on the new Windows 2012 R2 server.
  • It is recommended that drives match. So if you have C and D drives in the old Root CA, make sure you have the same drives on the new Windows 2012 R2 server.
  • Go to Server Manager and Click Add roles and features.


  • Click Active Directory Certificate Services.


  • Since this is Root CA, only pick the Certificate Authority role service. Complete the wizard till the end.


  • Go to Server Manager again, click the flag icon that has a warning sign on it, and choose to Configure Active Directory Certificate Services... .


  • Select Certification Authority for services to configure.





  • In this step, you have to choose the old Root CA private key file that you have from your backup.


  • In the Certificate Database location page, make sure to choose the same location the old Root CA has. Pre-create folders if you are using custom locations.



  • Now we have installed the Root CA on a new server and the only thing we have restored is the CA Private key.
  • Open the Certification Authority Console. Right click the CA name, and choose All Tasks > Restore CA.. .


  • Choose only Certificate database and certificate database log. No need to choose Private key and CA certificate as this was restored during the installation.

Note: An important note to mention here is the following. If you have clicked Browse and you’ve picked the folder named Database that the Backup wizard in the old Root CA generated before, you will get an ugly error. The restore wizard expects you to choose a folder that contains a sub-folder called DataBase, not to choose the DataBase folder itself.


  • Finally, browse the registry to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, and backup that registry location just in case.
  • Then go to to your backup, copy the registry key backup that you made for the same registry location, right click it and click Merge.


  • The registry keys you have merged contains all the CA settings, including the CDP and AIA extensions.  Just to make sure everything is fine, open the CA properties on the new Root CA, and compare them with the old Root CA properties. Pay attention to the Extension tab.

Final Tasks

Finally, I would go and use the Backup CA wizard in the new CA, to backup the private key and database files, and i would also using Windows Backup to take Full Server backup to the new CA just in case. Do not forget to reset the local administrator password and use complex one instead.

As for the old CA, usually it is a virtual machine, i would typically destroy the VM and that’s it.

I want also to recommend this YouTube video that goes through the whole process.

16 comments on “Upgrade your Root CA to Windows 2012 R2 – PKI

  1. Pingback: SHA-2 Support – Migrate your CA from CSP to KSP | Ammar Hasayen - Blog

  2. Pingback: SHA-1 Broken, Migrating to SHA-2 | Ammar Hasayen - Blog

  3. Pingback: Deploy Offline Root CA in Windows 2012 R2 – SHA-2 Ready | Ammar Hasayen - Blog

  4. Hi Ammar, thank you for the article, it’s very helpful.

    I currently have a 2-tier PKI setup, an offline root CA (W2008R2/old physical desktop hardware) and two issuing servers (W2008R2/VMs).

    The root CA resides old hardware and needs to be refreshed. The plan is to install a new offline Root CA on new hardware with W2012R2 OS.

    From reading your article, can I simply follow your process to replace my offline CA? There is no plan to change the issuing sub-ordinate CA’s at the moment.

    Thx, Brian

  5. Hi Ammar,

    Why aren’t you suggesting (or mentioning) an in place upgrade for a offline Root CA? That is, from W2008R2–>W2012R2…

    • Thanks for your feedback. It is so easy and straight forward to do new installation that is clean and eliminate any issues of in place upgrade. This is only my point of view and how i personally do it.

  6. Ok, normally I think the same… however this time I see advantages in doing an in-place upgrade, biggest being that I don’t have to migrate any OS settings for the Root CA, also don’t have a second physical box on which to build a second machine.

  7. Hi, I had a 2-tier PKI setup, an standalone offline root CA (W2008R2/VM and one enterprise issuing subordinate server (W2008R2/VMs). I’ve just installed new VM Win2012R2 and migrated (certificates, keys, logs, registry) Root CA to new 2012R2 VM. If I now set Root CA to issue new certificates as SHA-2 (certutil -setreg ca\csp\CNGHashAlgorithm SHA256),… will “old” server certificates (that were issued from subordinate CA) still work? And after “upgrading” issuing CA to SHA-2, will old SHA-1 server certificate still work?

  8. I have a 2008 CA that I would like to move to an existing 2012 server (with other things installed on it). That will make the SHA1 to SHA256 process easier (it was originally 2003 so it’s a two-part conversion). The CA name will remain the same. I would be able to retire the existing CA server at the end of the process but not rename the new target server. I did some registry/some AD configuration changes the previous time I migrated it (again to a new server name). Have you worked with those or should I just add the “old” server DNS name as an alias to the new target?

    • The CA should definitely have the same name. It can be successfully moved to a different server name – there is some advanced configuration that needs to be done to add the legacy server name so old certs are still recognized. This should be in the MS long form KB article with how-tos, sorry, don’t have it handy.

  9. Dear Ammar, My customer running a 2-tier PKI Setup, Enterprise root CA (2008R2) and Subordinate CA(2008R2) for issuing Certs. Can I follow the same to procedure to get the Root and Subordinate CA to Windows 2016? Also if its possible what sequence should i follow. Migrate Root CA first and then Subordinate CA or vice versa. Please advise.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s