Home

Migrating Certificate Services

%3CLINGO-SUB%20id%3D%22lingo-sub-113078%22%20slang%3D%22en-US%22%3EMigrating%20Certificate%20Services%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-113078%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20looking%20into%20migrating%20our%20Certificate%20Services%20running%20on%202008R2%20to%202016.%26nbsp%3B%20There%20is%20no%20documentation%20specifically%20for%20migrating%20the%20role%20to%202016%20here%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fget-started%2Fmigrate-roles-and-features%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fget-started%2Fmigrate-roles-and-features%3C%2FA%3E%20.%26nbsp%3B%20However%20it%20says%20%22In%20many%20cases%2C%20the%20steps%20in%20the%20Windows%20Server%202012%20R2%20migration%20guides%20are%20still%20relevant%20for%20Windows%20Server%202016%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20is%20a%20guide%20for%20migrating%20the%20role%20from%202008R2%20to%202012R2%20here%20%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Flibrary%2Fdn486797.aspx%3Ff%3D255%26amp%3BMSPPError%3D-2147217396%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftechnet.microsoft.com%2Flibrary%2Fdn486797.aspx%3Ff%3D255%26amp%3BMSPPError%3D-2147217396%3C%2FA%3E%20.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHas%20anyone%20tried%20doing%20this%20to%20confirm%20the%20steps%20are%20valid%20going%20from%202008%20or%202012R2%20to%202016%20certificate%20services%3F%26nbsp%3B%20It%20would%20be%20beneficial%20to%20IT%20Pros%20if%20Microsoft%20would%20validate%20the%20steps%20and%20mark%20the%20documentation%20in%20some%20way.%26nbsp%3B%26nbsp%3B%26nbsp%3B%20The%20above%20quote%20should%20be%20%22In%20THESE%20cases...%22%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-113078%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-115640%22%20slang%3D%22en-US%22%3ERe%3A%20Migrating%20Certificate%20Services%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-115640%22%20slang%3D%22en-US%22%3E%3CP%3EI%20had%20not%20thought%20of%20that%20Mike%2C%20I%20will%20investigate%20that%20route.%26nbsp%3B%20What%20are%20your%20thoughts%20of%20doing%20in%20place%20upgrades%20of%20the%20host%20OS.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-113096%22%20slang%3D%22en-US%22%3ERe%3A%20Migrating%20Certificate%20Services%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-113096%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20not%20sure%20if%20I%20would%20migrate%20as%20the%20Hash%20and%20key%20lenght%20might%20need%20to%20be%20changed%20to%20be%20more%20secure.%26nbsp%3B%20I%20know%20we%20have%20moved%20off%20of%20SHA1%20to%20SHA256%2F512%20and%20our%20root%2C%20Intermediate%2C%20%26amp%3B%20Issuing%20Keys%20are%204096%2C%20then%20our%20client%20keys%20are%202048.%26nbsp%3B%20What%20I%20have%20done%20in%20the%20past%20is%20stand%20up%20the%20new%20environment.%26nbsp%3B%20Create%20new%20Cert%20Templates%20and%20have%20the%20new%20server%20issue%20them.%26nbsp%3B%20Stop%20issuing%20from%20the%20old%20servers%2C%20then%20we%20can%20make%20sure%20all%20the%20new%20certs%20are%20being%20issues%20from%20the%20new%20environment%20and%20then%20mirgate%20what%20we%20can%20to%20the%20new%20servers.%26nbsp%3B%20%26nbsp%3BThat%20is%20my%202%20cents.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Prayer Solanky
Occasional Contributor

I am looking into migrating our Certificate Services running on 2008R2 to 2016.  There is no documentation specifically for migrating the role to 2016 here https://docs.microsoft.com/en-us/windows-server/get-started/migrate-roles-and-features .  However it says "In many cases, the steps in the Windows Server 2012 R2 migration guides are still relevant for Windows Server 2016".

 

There is a guide for migrating the role from 2008R2 to 2012R2 here https://technet.microsoft.com/library/dn486797.aspx?f=255&MSPPError=-2147217396 .

 

Has anyone tried doing this to confirm the steps are valid going from 2008 or 2012R2 to 2016 certificate services?  It would be beneficial to IT Pros if Microsoft would validate the steps and mark the documentation in some way.    The above quote should be "In THESE cases..."

2 Replies

I am not sure if I would migrate as the Hash and key lenght might need to be changed to be more secure.  I know we have moved off of SHA1 to SHA256/512 and our root, Intermediate, & Issuing Keys are 4096, then our client keys are 2048.  What I have done in the past is stand up the new environment.  Create new Cert Templates and have the new server issue them.  Stop issuing from the old servers, then we can make sure all the new certs are being issues from the new environment and then mirgate what we can to the new servers.   That is my 2 cents.

I had not thought of that Mike, I will investigate that route.  What are your thoughts of doing in place upgrades of the host OS.

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
38 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies