Has anyone tried doing this to confirm the steps are valid going from 2008 or 2012R2 to 2016 certificate services? It would be beneficial to IT Pros if Microsoft would validate the steps and mark the documentation in some way. The above quote should be "In THESE cases..."
I am not sure if I would migrate, as the hash and key length might need to be changed to be more secure. I know we have moved off of SHA1 to SHA256/512 and our Root, Intermediate, & Issuing keys are 4096, then our client keys are 2048. What I have done in the past is stand up the new environment. Create new cert templates and have the new server issue them. Stop issuing from the old servers, then we can make sure all the new certs are being issued from the new environment and then migrate what we can to the new servers. That is my 2 cents.
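
An added example, not part of the original thread: a PowerShell inventory for the cutover check described in the reply above, listing certificates in a store that still carry a SHA1 signature, an RSA key below 2048 bits, or the old CA as issuer. The store path, the `$OldCaName` placeholder and the `$MinRsaBits` threshold are assumptions to adjust for your environment.

```powershell
# Added example: inventory a certificate store before retiring an old issuing CA.
# $OldCaName is a placeholder (assumption); set it to the old CA's common name.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [string]$OldCaName = 'OLD-ISSUING-CA-PLACEHOLDER',
    [int]$MinRsaBits   = 2048
)

$report = foreach ($cert in Get-ChildItem -Path $StorePath) {
    # GetRSAPublicKey returns $null for non-RSA keys (for example ECDSA).
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $bits = if ($rsa) { $rsa.KeySize } else { $null }

    # Friendly names look like sha1RSA, sha256RSA, sha1ECDSA.
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName

    $findings = @()
    if ($sigAlg -match 'sha1|md5')            { $findings += 'weak signature hash' }
    if ($bits -and $bits -lt $MinRsaBits)     { $findings += "RSA key under $MinRsaBits bits" }
    if ($cert.Issuer -like "*CN=$OldCaName*") { $findings += 'issued by old CA' }
    if ($cert.NotAfter -lt (Get-Date))        { $findings += 'expired' }

    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        SignatureAlgorithm = $sigAlg
        RsaKeyBits         = $bits
        NotAfter           = $cert.NotAfter
        Findings           = $findings -join '; '
    }
}

# Show only certificates with at least one finding, soonest expiry first.
$report | Where-Object Findings | Sort-Object NotAfter | Format-Table -AutoSize -Wrap
```

An empty result on a given host means nothing in that store still depends on the old CA or the weaker algorithms; certificates signed with RSASSA-PSS report that name rather than the hash, so review those separately.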