Skip to main content

Migrating an exportable Private Key

The procedure here assumes that you already have

  • A current backup of AD CS certificate, private key, database, and registry settings (see Backup AD CS)
certutil -backup myDemoCA KeepLog

reg export HKLM\SYSTEM\CurrentControlSet\services\CertSvc myDemoCA\myCAregistry.reg
  • Re-/Installed AD CS on the new server (Add roles and features), but not yet configured!

Configuring New AD CS instance

  • Configure a new AD CS service and continue until you get to the Private Key section:
  • Select Use existing private key and the option Select a certificate and use its associated private key and click Next

  • Click Import in the AD CS Configuration window, select the PKCS#12 backup file containing the private key to import and select the imported certificate:

  • Click Next, leave the default database and log file settings, click Next and click Configure.
  • Open a Command Shell with administrator rights and stop the AD CS services by running the following command:
net stop certsvc

The Active Directory Certificate Services service is stopping.
The Active Directory Certificate Services service was stopped successfully.
  • Restore the AD CS backup using the Restore wizard:

  • Select both options, and indicate the directory where the backup is located.

  • Click Next and provide the password for the protected PKCS#12 container.
  • Click Next, verify the information and click Finish.
  • Click No as we will restart AD CS services later.

  • Restore Registry Information:
    Open the previously exported registry file in your preferred editor.
    Locate CAServerName and change the value to your new Windows server name, e.g.: "CAServerName"="W19SD-TEST"
  • Save the file and run it to import the registry values.
  • Restart AD CS services via GUI or use the command:
net start certsvc