At the latest when the end of product support by the manufacturer (Microsoft) approaches, the question arises as to how, and to which operating system, a certification authority should be migrated.
Migration of the additional services such as Certificate Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP/CES), Online Responder (OCSP) and Network Device Enrollment Service (NDES) is not considered, as reinstallation on a new server is usually the most straightforward solution.
There are basically several ways to migrate a certificate authority to a new operating system:
- Migration by means of in-place upgrade. Here, the existing operating system is upgraded directly to a new version.
- Migration by means of backup and restore on a new system. A new server is installed in parallel and the certification authority is migrated to it. The old server is then taken out of service.
- Establishing a new Certification Authority and migrating the issued certificates. This method involves setting up a completely new Certification Authority or Certification Authority hierarchy and then moving the contents of the old Certification Authority - i.e., its issued certificates - to the new Certification Authority by reissuing them. Both certification authorities exist in parallel until the old certification authority can be decommissioned.
Migration matrix for migration via in-place upgrade
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
Instead of an in-place upgrade, it is strongly recommended to migrate the certification authority to another server with a current operating system. See the article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server".
| From/To | 2008 | 2008 R2 | 2012 | 2012 R2 | 2016 | 2019 |
|---|---|---|---|---|---|---|
| 2008 | ./. | Yes | Yes | No | No | No |
| 2008 R2 | No | ./. | Yes | Yes | No | No |
| 2012 | No | No | ./. | Yes | Yes | No |
| 2012 R2 | No | No | No | ./. | Yes | Yes |
| 2016 | No | No | No | No | ./. | Yes |
| 2019 | No | No | No | No | No | ./. |
The success of an in-place upgrade also depends on installed third-party software. For example, a new Key Storage Provider (KSP) for a Hardware Security Module (HSM) may need to be procured and installed beforehand, or any existing policy modules (e.g. Forefront / Microsoft Identity Manager) may need to be updated first. It is therefore always recommended to give preference to the migration method using backup and restore.
The prerequisite for an in-place upgrade from Windows Server 2008 to Windows Server 2008 R2 or newer is that the original server was installed with the 64-bit version of Windows Server 2008. Otherwise, the only remaining option is to migrate using backup and restore.
Downgrading to an older operating system is generally not supported by the manufacturer for this scenario.
Migration matrix for migration via backup and restore to a new system
This method is described in the article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server".
| From/To | 2008 | 2008 R2 | 2012 | 2012 R2 | 2016 | 2019 |
|---|---|---|---|---|---|---|
| 2008 | Yes | Yes | Yes | No | No | No |
| 2008 R2 | No | Yes | Yes | Yes | Yes | Yes |
| 2012 | No | No | Yes | Yes | Yes | Yes |
| 2012 R2 | No | No | No | Yes | Yes | Yes |
| 2016 | No | No | No | No | Yes | Yes |
| 2019 | No | No | No | No | No | Yes |
When migrating a certification authority from Windows Server 2008 to a newer operating system, a migration to Windows Server 2008 R2 or Windows Server 2012 must be performed first, because the database engine changed after Windows Server 2008.
Windows Server 2008 R2 can be migrated directly to newer versions up to Windows Server 2019.
Downgrading to an older operating system may work under certain circumstances, but is not supported by the manufacturer.
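The following PowerShell script is an added example and is not part of the original article or any Microsoft tooling. It encodes the two matrices above (in-place upgrade and backup and restore) together with the prerequisites named in the text (64-bit source for an in-place upgrade from Windows Server 2008, the mandatory intermediate hop from Windows Server 2008, and the presence of a third-party KSP or policy module that would need attention first) and produces a pre-flight report for a chosen target version. It assumes it is run in an elevated PowerShell session on the existing certification authority; the script name `Test-CaMigrationPath.ps1` and the parameter `-TargetVersion` are assumptions of this example.

```powershell
# Added example, not from the original article: pre-flight check for a
# certification authority migration. Run elevated on the existing CA.
# Usage (assumed name): .\Test-CaMigrationPath.ps1 -TargetVersion 2019
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('2008', '2008 R2', '2012', '2012 R2', '2016', '2019')]
    [string]$TargetVersion
)

# In-place upgrade matrix from the article: source -> permitted targets.
$InPlace = @{
    '2008'    = @('2008 R2', '2012')
    '2008 R2' = @('2012', '2012 R2')
    '2012'    = @('2012 R2', '2016')
    '2012 R2' = @('2016', '2019')
    '2016'    = @('2019')
    '2019'    = @()
}
# Backup-and-restore matrix from the article: source -> permitted targets.
$BackupRestore = @{
    '2008'    = @('2008', '2008 R2', '2012')
    '2008 R2' = @('2008 R2', '2012', '2012 R2', '2016', '2019')
    '2012'    = @('2012', '2012 R2', '2016', '2019')
    '2012 R2' = @('2012 R2', '2016', '2019')
    '2016'    = @('2016', '2019')
    '2019'    = @('2019')
}

# Map the kernel version of the running server to a matrix row.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [version]$os.Version
$Source = switch ("$($build.Major).$($build.Minor)") {
    '6.0'  { '2008' }
    '6.1'  { '2008 R2' }
    '6.2'  { '2012' }
    '6.3'  { '2012 R2' }
    '10.0' { if ($build.Build -ge 17763) { '2019' } else { '2016' } }
    default { throw "Source OS version $($os.Version) is not covered by the matrix." }
}
$Is64Bit = $os.OSArchitecture -like '64*'

# Read the active CA configuration from the CertSvc registry hive to spot
# third-party components (HSM KSP, custom policy module) named in the text.
$cfgPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName   = (Get-ItemProperty -Path $cfgPath).Active
$provider = (Get-ItemProperty -Path (Join-Path $cfgPath "$caName\CSP")).Provider
$policy   = (Get-ItemProperty -Path (Join-Path $cfgPath "$caName\PolicyModules")).Active

$warnings = @()
if ($provider -notlike 'Microsoft*') {
    $warnings += "Third-party key provider in use ('$provider'): obtain a KSP supported on the target OS first."
}
if ($policy -ne 'CertificateAuthority_MicrosoftDefault.Policy') {
    $warnings += "Non-default policy module active ('$policy'): verify it supports the target OS first."
}

# Evaluate the in-place path, including the 64-bit prerequisite for 2008.
$inPlaceOk = $InPlace[$Source] -contains $TargetVersion
if ($Source -eq '2008' -and -not $Is64Bit) {
    $inPlaceOk = $false
    $warnings += '32-bit Windows Server 2008 cannot be upgraded in place; only backup and restore remains.'
}

# Evaluate backup and restore, adding the mandatory hop for 2008 sources.
$restoreOk = $BackupRestore[$Source] -contains $TargetVersion
$hop = $null
if ($Source -eq '2008' -and -not $restoreOk) {
    $hop = 'Migrate to Windows Server 2008 R2 or 2012 first (database engine change), then to the target.'
}

[pscustomobject]@{
    CAName                 = $caName
    SourceOS               = $Source
    TargetOS               = $TargetVersion
    InPlaceUpgradePossible = $inPlaceOk
    BackupRestorePossible  = $restoreOk
    IntermediateHop        = $hop
    Recommendation         = if ($restoreOk) { 'Backup and restore to a new server (preferred).' }
                             elseif ($hop)   { $hop }
                             elseif ($inPlaceOk) { 'In-place upgrade only; backup and restore is not listed for this pair.' }
                             else { 'Not supported: set up a new CA and reissue certificates.' }
    Warnings               = $warnings
}
```

The report deliberately prefers the backup and restore path whenever the matrix permits it, matching the article's recommendation, and only falls back to an in-place upgrade or to a new certification authority when no direct restore path exists. The registry reads mirror what `certutil -getreg ca\csp` and `certutil -getreg policy` display, so the output can be cross-checked against those commands before any change is made.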
Establishment of a new Certification Authority and migration of issued certificates
With this variant, there are no restrictions on the upgrade paths, except that the new certification authority must support the same certificate template generations as the old one.
Related links:
- Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server
- In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2008 R2
- In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2012
- In-Place Upgrade of a Certification Authority from Windows Server 2012 SP2 or 2012 R2 to Windows Server 2016
- Description of certificate template generations
External sources
- Overview of Windows Server upgrades (Microsoft)
- Upgrade and conversion options for Windows Server 2016 (Microsoft)
- Install, upgrade, or migrate to Windows Server (Microsoft)