Migrating Certificate Services


I am looking into migrating our Certificate Services running on 2008R2 to 2016. There is no documentation specifically for migrating the role to 2016 here https://docs.microsoft.com/en-us/windows-server/get-started/migrate-roles-and-features . However, it says "In many cases, the steps in the Windows Server 2012 R2 migration guides are still relevant for Windows Server 2016".

There is a guide for migrating the role from 2008R2 to 2012R2 here https://technet.microsoft.com/library/dn486797.aspx?f=255&MSPPError=-2147217396 .

Has anyone tried doing this to confirm the steps are valid going from 2008 or 2012R2 to 2016 certificate services? It would be beneficial to IT Pros if Microsoft would validate the steps and mark the documentation in some way. The above quote should be "In THESE cases..."

2 Replies

I am not sure if I would migrate, as the hash and key length might need to be changed to be more secure. I know we have moved off of SHA1 to SHA256/512 and our root, Intermediate, & Issuing Keys are 4096, then our client keys are 2048. What I have done in the past is stand up the new environment. Create new Cert Templates and have the new server issue them. Stop issuing from the old servers, then we can make sure all the new certs are being issued from the new environment and then migrate what we can to the new servers. That is my 2 cents.
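
Added example (not part of the original thread or of any Microsoft migration guide): a PowerShell inventory that checks the certificates on a server against the hash and key lengths mentioned in the reply above, which helps decide between migrating the existing CA and standing up a new one. The function name `Get-CertCryptoReport`, the store paths and the parameter names are assumptions; the 4096/2048 defaults are the values quoted in the reply.

```powershell
# Added example. Thresholds default to the values quoted in the reply above.
function Get-CertCryptoReport {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA'),  # assumed stores
        [int]$MinCaKeyBits   = 4096,
        [int]$MinLeafKeyBits = 2048
    )
    foreach ($path in $StorePath) {
        foreach ($cert in (Get-ChildItem -Path $path)) {
            # Treat a certificate as a CA certificate when Basic Constraints says CA=TRUE.
            $bc = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            }
            $isCa = [bool]($bc -and $bc.CertificateAuthority)

            # PublicKey.Key throws for key types it cannot wrap (for example ECC);
            # those are reported as "key size not readable" instead of being skipped.
            $bits = $null
            try { $bits = $cert.PublicKey.Key.KeySize } catch { }

            $sigAlg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            $minBits = if ($isCa) { $MinCaKeyBits } else { $MinLeafKeyBits }

            $findings = @()
            if ($sigAlg -match 'sha1|md5') { $findings += "weak signature hash ($sigAlg)" }
            if ($bits -eq $null)           { $findings += 'key size not readable' }
            elseif ($bits -lt $minBits)    { $findings += "key $bits bits, expected >= $minBits" }

            New-Object PSObject -Property @{
                Store              = $path
                Subject            = $cert.Subject
                IsCA               = $isCa
                SignatureAlgorithm = $sigAlg
                KeyBits            = $bits
                NotAfter           = $cert.NotAfter
                Findings           = ($findings -join '; ')
            }
        }
    }
}

# List only the certificates that miss a threshold.
Get-CertCryptoReport | Where-Object { $_.Findings } |
    Format-List Store, Subject, IsCA, SignatureAlgorithm, KeyBits, NotAfter, Findings
```

A certificate signed with RSASSA-PSS reports that name rather than its hash, so it is not flagged by the signature check and needs a manual look.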


I had not thought of that, Mike. I will investigate that route. What are your thoughts on doing in-place upgrades of the host OS?