Windows Server Migration Matrix for the Certification Authority

At the latest when the manufacturer's (Microsoft's) end of product support approaches, the question arises of how, and to which operating system, a certification authority should be migrated.

Migration of the additional services such as Certification Authority Web Enrollment (CAWE), Certificate Enrollment Policy / Certificate Enrollment Web Services (CEP/CES), Online Responder (OCSP) and Network Device Enrollment Service (NDES) is not covered here, as reinstalling them on a new server is usually the most straightforward solution.

There are basically three ways to migrate a certification authority to a new operating system:

  • Migration by means of an in-place upgrade. The existing operating system is upgraded directly to a newer version.
  • Migration by means of backup and restore on a new system. A new server is installed in parallel, the certification authority is migrated to it, and the old server is then taken out of service.
  • Establishing a new certification authority and migrating the issued certificates. A completely new certification authority or CA hierarchy is set up, and the contents of the old certification authority, i.e. its issued certificates, are moved to the new one by reissuing them. Both certification authorities exist in parallel until the old certification authority can be decommissioned.

Migration matrix for migration via in-place upgrade


Instead of an in-place upgrade, it is strongly recommended to migrate the certification authority to another server with a current operating system. See the article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server".

From \ To  | 2008 | 2008 R2 | 2012 | 2012 R2 | 2016 | 2019
-----------+------+---------+------+---------+------+-----
2008       | ./.  | Yes     | Yes  | No      | No   | No
2008 R2    | No   | ./.     | Yes  | Yes     | No   | No
2012       | No   | No      | ./.  | Yes     | Yes  | No
2012 R2    | No   | No      | No   | ./.     | Yes  | Yes
2016       | No   | No      | No   | No      | ./.  | Yes
2019       | No   | No      | No   | No      | No   | ./.

(./. = same version, not applicable.)

The success of an in-place upgrade also depends on the third-party software installed on the server. For example, a new Key Storage Provider (KSP) for a Hardware Security Module (HSM) may need to be procured and installed beforehand, or existing policy modules (e.g. for Forefront Identity Manager / Microsoft Identity Manager) may need to be updated first. It is therefore recommended to always prefer migration via backup and restore.

The prerequisite for an in-place upgrade from Windows Server 2008 to Windows Server 2008 R2 or newer is that the original server was installed with the 64-bit version of Windows Server 2008. Otherwise, the only remaining option is to migrate using backup and restore.

Downgrading to an older operating system is generally not supported by the manufacturer for this scenario.

Migration matrix for migration via backup and restore to a new system

This method is described in the article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server".

From \ To  | 2008 | 2008 R2 | 2012 | 2012 R2 | 2016 | 2019
-----------+------+---------+------+---------+------+-----
2008 R2    | No   | Yes     | Yes  | Yes     | Yes  | Yes
2012/R2    | No   | No      | No   | Yes     | Yes  | Yes
2016       | No   | No      | No   | No      | Yes  | Yes

When migrating a certification authority from Windows Server 2008 to a newer operating system, it must first be migrated to Windows Server 2008 R2 or Windows Server 2012 because of a change in the database engine; from there it can be migrated on to the final target version.

Windows Server 2008 R2 can be migrated directly to newer versions up to Windows Server 2019.

Downgrading to an older operating system may work under certain circumstances, but is not supported by the manufacturer.

Establishment of a new Certification Authority and migration of issued certificates

With this variant there are no restrictions on the upgrade paths, except that the new certification authority must support the same certificate template versions (template schema versions) as the old one.
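As an added example (not part of the original article), the following PowerShell script collects the facts the matrices above depend on before a migration is started and takes the backup used by the backup-and-restore method: the source server's OS version and architecture (the 64-bit prerequisite for an in-place upgrade away from Windows Server 2008), the CA's registry configuration, the templates published on the CA together with their schema versions (the template generation requirement for a new CA), and a Backup-CARoleService backup. It assumes it runs on the source CA server with administrative rights and that the ADCSAdministration and ActiveDirectory PowerShell modules are present (Windows Server 2012 or newer; on Windows Server 2008 / 2008 R2 only the WMI, registry and certutil steps apply). The folder C:\CABackup is an assumed name.

```powershell
# Added example, not from the original article. Run on the SOURCE CA server.
# Assumptions: administrative rights, ADCSAdministration and ActiveDirectory
# modules available, C:\CABackup is a hypothetical target folder that is later
# copied to the new server.

$BackupPath = 'C:\CABackup'
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# 1. Operating system and architecture. Get-WmiObject is used instead of
#    Get-CimInstance so that this step also works on Windows Server 2008.
#    An in-place upgrade away from Windows Server 2008 requires the 64-bit
#    edition; a 32-bit source server leaves only the backup-and-restore path.
$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host ("Source OS: {0} ({1})" -f $os.Caption, $os.OSArchitecture)
if ($os.OSArchitecture -notlike '64*') {
    Write-Warning 'Source OS is not 64-bit: in-place upgrade is not possible, use backup and restore.'
}

# 2. CA configuration from the registry. The 'Active' value names the CA
#    instance; its subkey holds the settings that have to be re-applied on the
#    new server (CRL/AIA publication URLs, validity periods, audit filter, ...).
$regBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $regBase).Active
Write-Host "Active CA instance: $caName"
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $BackupPath 'CertSvc-Configuration.reg') /y | Out-Null

# 3. Templates published on this CA and their schema version, read from the
#    Configuration partition. Schema version 3 requires a Windows Server 2008
#    CA or newer, schema version 4 a Windows Server 2012 CA or newer, so the
#    target OS must support the highest version found here.
$cfgNC     = (Get-ADRootDSE).configurationNamingContext
$tmplBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
$published = Get-CATemplate | Select-Object -ExpandProperty Name
$templates = Get-ADObject -SearchBase $tmplBase `
                 -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                 -Properties 'msPKI-Template-Schema-Version' |
             Where-Object { $published -contains $_.Name } |
             Select-Object Name,
                 @{ n = 'SchemaVersion'; e = { $_.'msPKI-Template-Schema-Version' } }
$templates | Sort-Object SchemaVersion -Descending | Format-Table -AutoSize
$templates | Export-Csv -Path (Join-Path $BackupPath 'CATemplates.csv') -NoTypeInformation
$maxVersion = ($templates | Measure-Object -Property SchemaVersion -Maximum).Maximum
Write-Host "Highest template schema version in use: $maxVersion (target CA must support it)"

# 4. Back up the CA database, its log and, if the key is held by a software
#    provider, the CA certificate with private key. Keys held in an HSM are
#    not exported here and must be made available to the new server with the
#    HSM vendor's tooling. The password protects the exported key file.
#    On Windows Server 2008 / 2008 R2 without the ADCSAdministration module,
#    the equivalent is:  certutil -backup -p <password> C:\CABackup
$pwd = Read-Host -AsSecureString -Prompt 'Password for the exported CA key'
Backup-CARoleService -Path $BackupPath -Password $pwd -Force

# 5. Show what will be transferred to the new server.
Get-ChildItem -Path $BackupPath -Recurse | Select-Object FullName, Length
```

The exported registry key is not imported blindly on the target: paths, the CA server name and provider-specific values have to be reviewed first, which is why the script only exports it next to the database backup and the template list.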
