How to migrate a CA Root from one server to another

This article shows you exactly how to migrate a CA Root to another server. The new server can run anything from Windows Server 2008 to 2012 R2.

In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.



Select the Private key and CA certificate and Certificate database and certificate database log check boxes. Specify an empty folder or storage media as the backup location.

Type a password for the CA backup file.

Click Finish.

Open Regedit, then locate and right-click the Configuration registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
Click Export. Save the registry file in the CA backup folder that you used for the Certification Authority Backup Wizard.


You should now have all of the backup files in the backup folder.
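Before the uninstall step, it is worth confirming that the backup folder really contains everything the restore depends on. The script below is an added example, not part of the original article: it checks for the key file, the database and the registry export, records SHA-256 hashes, and with -Verify on the new server confirms that the copied folder is unchanged. The path C:\CABackup, the manifest file name and the expected folder layout are assumptions.

```powershell
# Added example (not from the original article). Assumptions: C:\CABackup and
# backup-manifest.csv are hypothetical names; the folder layout (<CA name>.p12,
# DataBase\*.edb) is what the Backup Wizard normally writes.
param(
    [string]$BackupDir = 'C:\CABackup',
    [switch]$Verify      # use on the new server after copying the folder
)
$BackupDir = (Resolve-Path $BackupDir -ErrorAction Stop).Path
$manifest  = Join-Path $BackupDir 'backup-manifest.csv'

function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
}

# 1. Every artefact the restore steps depend on must be present.
$required = @{
    'Private key and CA certificate (*.p12)' = '*.p12'
    'Certificate database (DataBase\*.edb)'  = 'DataBase\*.edb'
    'Registry export (*.reg)'                = '*.reg'
}
$missing = @($required.GetEnumerator() |
    Where-Object { -not (Test-Path (Join-Path $BackupDir $_.Value)) })
if ($missing.Count -gt 0) {
    $missing | ForEach-Object { Write-Warning "Missing: $($_.Key)" }
    throw 'Backup is incomplete. Do not uninstall the CA yet.'
}

# 2. Hash every file (except the manifest itself), relative to the backup folder.
$current = Get-ChildItem $BackupDir -Recurse |
    Where-Object { -not $_.PSIsContainer -and $_.FullName -ne $manifest } |
    ForEach-Object {
        New-Object PSObject -Property @{
            File   = $_.FullName.Substring($BackupDir.Length).TrimStart('\')
            SHA256 = Get-Sha256 $_.FullName
        }
    }

# 3. Old server: record the hashes. New server (-Verify): compare against them.
if (-not $Verify) {
    $current | Export-Csv $manifest -NoTypeInformation
    "Backup looks complete; hashes written to $manifest"
} else {
    $diff = Compare-Object (Import-Csv $manifest) $current -Property File, SHA256
    if ($diff) { $diff | Format-Table -AutoSize; throw 'Backup changed during copy.' }
    'Copied backup matches the manifest.'
}
```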

Uninstall the CA from the old server.





Copy the backup folder to the same location on the new server.

Add the “Active Directory Certificate Services” role.





On the Set Up Private Key page, click Use existing private key, click Select a certificate and use its associated private key, and then click Next.

Click Import…









Open the Services snap-in and stop the Active Directory Certificate Services (AD CS) service.

Locate the registry file that you saved in the backup procedure, and then double-click it to import the registry settings.


Open the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA to open the Certification Authority Restore Wizard.


Browse to the backup folder.



Click Yes to restart AD CS when the CA database is restored.


Update the following registry entries with the new server's FQDN.

Source: http://www.doitfixit.com/index.php?option=com_content&view=article&id=129:move-certificate-authority-to-another-server&catid=48:active-directory&Itemid=53

Author: Harri Jaakkonen
