
I got thrown into the middle of a CA migration project. My co-workers are migrating a Root Certificate Authority off a 2008 R2 server and onto a new 2019 server. They have both servers running at the same time, with Active Directory Certificate Services running on both. They began manually recreating the website certificates we host and putting them on the new CA. From reading many sites and blog posts, this is not the correct way to migrate a root CA; instead, you export the CA database and reg key to the new server and have only one root CA in the domain at a time.

Current setup:

  • Auto Enrollment is enabled
  • We have no subordinate CAs
  • All PCs on the domain accept both the new Root CA server and the old one as a Trusted Root.

My questions are:

1) How do we issue new certificates from ONLY the new Root CA to all clients through auto enrollment without having a lapse in security?

2) I presume we would need to revoke all certs from the old CA before turning it off?

3) Any articles I can follow on the method we are using?

Thank you.

EXPchange
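An added example, not part of the original post: before the old CA is revoked or switched off, you need to know which machines still hold certificates it issued and whether the new root is already trusted. The PowerShell below, run on a domain member, inventories the machine's Personal store by issuing CA, lists the relevant trusted roots, and triggers an auto-enrollment pass with the built-in certutil tool. The two CA subject names are placeholders assumed for the example; replace them with the actual Subject of each CA certificate.

```powershell
# Added example (not from the original post). Assumed placeholder CA subjects:
$OldCaName = 'CN=OLD-ROOT-CA-PLACEHOLDER'
$NewCaName = 'CN=NEW-ROOT-CA-PLACEHOLDER'

# Certificates in the local machine's Personal store, split by issuing CA.
# Issuer strings look like "CN=..., DC=..., DC=...", so a prefix match is enough.
$personal = Get-ChildItem -Path Cert:\LocalMachine\My
$fromOld  = @($personal | Where-Object { $_.Issuer -like "$OldCaName*" })
$fromNew  = @($personal | Where-Object { $_.Issuer -like "$NewCaName*" })

"Certificates issued by the OLD CA still present: $($fromOld.Count)"
$fromOld | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

"Certificates issued by the NEW CA: $($fromNew.Count)"
$fromNew | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# Which of the two root CA certificates does this machine currently trust?
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "$OldCaName*" -or $_.Subject -like "$NewCaName*" } |
    Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# Kick off a certificate auto-enrollment pass on this machine right away
# instead of waiting for the next scheduled run.
certutil -pulse
```

Run this (or collect its output centrally) across the fleet until the "OLD CA" count reaches zero everywhere; only then is revoking the remaining old-CA certificates and decommissioning the old server free of the lapse the question is worried about.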