PKI Migration from 2008 R2 to 2022


We have an internal PKI infrastructure that is a combination of CA/OCSP and SCEP implemented via NDES (Windows Server 2008 R2). The CA has issued certificates to 50k-plus remote IoT hubs and devices, which rely on them to operate. The devices in question are not part of the domain, nor do they have the capability to fetch new certificates automatically (manual intervention is needed). We are in the process of migrating the server from 2008 R2 to 2022. In the process, my team is telling me that they are also changing the domain names (internal politics).

Example:

  1. Migrate the CA database from 2008 R2 to 2022 - this has been successful. They have been able to back up and restore it.
  2. Will the domain name change impact this? Will OCSP continue to function without any special configuration, such as cross-forest certificate enrollment?

Migration of the DB is completed. I wanted to verify that validation will not be an issue with the new name.

1 answer

ErkinD39

You may use the procedures at the following link as a reference:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/move-certification-authority-to-another-server

Since the Active Directory domain name will be changed, the new CAs will be members of the new AD domain. The key points will be:

  • The CA that will be installed in the new AD forest/domain should have the same keys, CA name and type.
  • CA templates should be migrated as well.
  • The NDES Registration Authority name should be the same so that devices do not need to be reconfigured.
  • If an NDES service account is defined, it should be redefined in the new domain with the existing rights on the current CA and certificate templates.
  • If there are LDAP CRL points that devices look for, you may have to keep the original AD domain, and on the new domain CA you should add an LDAP CRL publishing point targeting the old LDAP URL.
  • You may have to change the OCSP URI locations in the new domain to keep the original names.
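The points in the answer above (same CA keys and name, CDP/AIA/OCSP URLs that the already-issued device certificates still resolve) can be verified mechanically. The script below is an added example written for this thread, not code from the poster or from Microsoft's migration article. It snapshots the CA's identity and publication URLs with `certutil -getreg` on the old CA, repeats that on the new CA for comparison, and then probes the CDP and AIA URLs embedded in one existing device certificate. The file paths, the output file names and the device certificate used as a probe are assumptions; adjust them to your environment. Run it in an elevated PowerShell session on the CA host.

```powershell
# Added example for the migration checklist above (not from the original thread).
# Assumed paths: C:\pki-migration\*.json for snapshots, C:\pki-migration\device-sample.cer
# as one certificate previously issued to an IoT device.

# 1. Capture what devices depend on: CA common name, CA certificate thumbprint,
#    and the CRL (CDP) / CA cert + OCSP (AIA) publication URLs configured on the CA.
function Export-CaPublicationConfig {
    param([Parameter(Mandatory)] [string] $OutFile)
    $tmp = Join-Path $env:TEMP 'ca-cert-snapshot.cer'
    certutil -ca.cert $tmp | Out-Null                      # exports the current CA certificate
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $tmp
    # certutil -getreg prints REG_MULTI_SZ entries as "  0: <value>", "  1: <value>" ...
    $multi = { param($key) (certutil -getreg "CA\$key") -match '^\s+\d+:\s' | ForEach-Object { ($_ -split ':\s', 2)[1].Trim() } }
    $snapshot = [ordered]@{
        CAName              = (certutil -getreg CA\CommonName | Select-String 'CommonName').ToString().Split('=')[-1].Trim()
        CACertThumbprint    = $caCert.Thumbprint
        CRLPublicationURLs  = @(& $multi 'CRLPublicationURLs')
        CACertPublicationURLs = @(& $multi 'CACertPublicationURLs')
    }
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $OutFile
    $snapshot
}

# 2. Compare the old and new CA snapshots; any difference here is something the
#    50k devices cannot adapt to on their own.
function Compare-CaPublicationConfig {
    param([Parameter(Mandatory)] [string] $OldFile, [Parameter(Mandatory)] [string] $NewFile)
    $old = Get-Content $OldFile -Raw | ConvertFrom-Json
    $new = Get-Content $NewFile -Raw | ConvertFrom-Json
    foreach ($key in 'CAName', 'CACertThumbprint') {
        [pscustomobject]@{ Setting = $key; Old = $old.$key; New = $new.$key; Same = ($old.$key -eq $new.$key) }
    }
    foreach ($key in 'CRLPublicationURLs', 'CACertPublicationURLs') {
        $diff = Compare-Object -ReferenceObject @($old.$key) -DifferenceObject @($new.$key)
        [pscustomobject]@{ Setting = $key; Old = ($old.$key -join '; '); New = ($new.$key -join '; '); Same = ($diff.Count -eq 0) }
    }
}

# 3. Probe the URLs an already-issued device certificate actually carries in its
#    CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) extensions, so a renamed domain
#    that breaks an LDAP or HTTP path shows up before the cut-over.
function Test-DeviceCertUrls {
    param([Parameter(Mandatory)] [string] $DeviceCertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $DeviceCertPath
    $urls = foreach ($ext in ($cert.Extensions | Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' })) {
        [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { [uri]::UnescapeDataString($_.Groups[1].Value) }
    }
    foreach ($u in ($urls | Sort-Object -Unique)) {
        if ($u -like 'http*') {
            # HTTP CDP/AIA: a HEAD request is enough to prove the host name and path still resolve.
            try { $ok = (Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10).StatusCode -eq 200 }
            catch { $ok = $false }
        } else {
            # LDAP CDP/AIA: ldap:///<DN>?<attribute>?base?<filter> ; check that the DN still exists.
            $dn = (($u -replace '^ldap:///', '') -split '\?')[0]
            $ok = [adsi]::Exists("LDAP://$dn")
        }
        [pscustomobject]@{ Url = $u; Reachable = $ok }
    }
    # Authoritative end-to-end check (chain build + CRL/OCSP retrieval as Windows does it):
    $verify = certutil -verify -urlfetch $DeviceCertPath
    [pscustomobject]@{ Url = '(certutil -verify -urlfetch)'; Reachable = (-not ($verify -match 'ERROR|Revocation check failed')) }
}

# Usage: on the old CA  -> Export-CaPublicationConfig -OutFile C:\pki-migration\old-ca.json
#        on the new CA  -> Export-CaPublicationConfig -OutFile C:\pki-migration\new-ca.json
#        then           -> Compare-CaPublicationConfig -OldFile C:\pki-migration\old-ca.json -NewFile C:\pki-migration\new-ca.json
#                          Test-DeviceCertUrls -DeviceCertPath C:\pki-migration\device-sample.cer | Format-Table
```

The HEAD probe only proves that a host name and path still answer; the `certutil -verify -urlfetch` line at the end is the check that matters, because it fetches the CRL and queries the OCSP responder exactly as a Windows client would. For the LDAP case the answer describes (keeping the old domain's DN as a publishing point on the new CA), `[adsi]::Exists` against the old DN from the new CA host confirms that the new domain can still reach the old directory path before any device needs to.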