Jonathan Stephens posted an excellent blog post about this topic; however, it didn’t include the steps. As a result, I decided to write this blog post detailing the steps required. The following assumptions have to be met before proceeding with these steps:
1- There is a new valid Certification Authority configured
2- There is a new distribution point configured for AIA and CDP locations named http://crl.contoso.com/CertData
1- Log on to the old Enterprise Certification Authority as an Enterprise Administrator.
2- Identify the AIA and CDP distribution points
Note: Ignore the LDAP and C:\%windir% locations
3- Disable Delta CRL publishing and issue a Certificate Revocation List (CRL) with a long validity period
4- Copy the old Certification Authority’s certificate (CRT) and certificate revocation list (CRL) files to the server hosting website http://crl.contoso.com/CertData
5- Redirect the Authority Information Access (AIA) and Certificate Revocation List (CRL) distribution points of the old Certification Authority to http://crl.contoso.com/certdata
6- Document and remove all certificate templates available on the old Certification Authority to prevent it from issuing new certificates
At this point, the old Certification Authority can’t issue any certificates, and all of its Authority Information Access (AIA) and Certificate Revocation List (CRL) locations are redirected to the new web site http://crl.contoso.com/CertData. The next steps detail how to document the certificates issued from templates on the old Certification Authority and how to make those templates available on the new Certification Authority.
7- Identify and document the certificates issued based on certificate templates by sorting the Certification Authority database
8- Dump the certificates based on the default certificate template types:
Note: Replace Template with the correct template name.
9- Dump the certificates based on the custom certificate template types:
Note: Replace OIDNumber with the number identified in step 9.e
Note: You don’t need to take any action if the certificate was auto-enrolled, because the certificate holder will renew it from the new CA infrastructure when it expires.
10- Enable the Certificate Templates needed based on the results of steps 7-9 on the new Certification Authority
11- <Optional> At this point you can uninstall the Certification Authority Role on the old Certification Authority
12- Once all certificates are issued by the new infrastructure, you can safely remove all the Authority Information Access (AIA) and Certificate Revocation List (CRL) files from your infrastructure, by following the steps in "How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects", and from the web server hosting http://crl.contoso.com
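The steps above, written out as the certutil and ADCS PowerShell commands you would run elevated on the old CA. This is an added example, not code from the original post; the share \\crlweb\CertData behind the web site, the export folder C:\Decom, the 10-year CRL validity and the template names and OID placeholder are assumptions to replace with your own values.

```powershell
# Added example (not from the original post). Run elevated on the OLD CA.
# Assumptions: \\crlweb\CertData is the share behind http://crl.contoso.com/CertData,
# C:\Decom holds the documentation output, and the template list is a placeholder.
$WebShare = '\\crlweb\CertData'   # assumed UNC path of the web server folder
$Export   = 'C:\Decom'            # assumed folder for step 2 and step 7-9 output
New-Item -ItemType Directory -Path $Export -Force | Out-Null

# Step 2: record the current AIA and CDP locations before touching them
certutil -getreg CA\CACertPublicationURLs | Out-File "$Export\AIA-before.txt"
certutil -getreg CA\CRLPublicationURLs    | Out-File "$Export\CDP-before.txt"

# Step 3: disable delta CRLs, set a long base CRL validity, publish a fresh CRL
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLPeriodUnits 10
certutil -setreg CA\CRLPeriod 'Years'
Restart-Service certsvc
certutil -crl

# Step 4: copy the CA certificate(s) and the new CRL to the web server
Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*.crt" $WebShare
Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*.crl" $WebShare

# Step 5: keep the local file copy (flag 1 = publish here) and put only the new
# HTTP location into the AIA/CDP extensions (flag 2). LDAP entries are dropped.
# certutil expands %WINDIR%, %1, %3, %4, %8, %9 itself; keep the strings literal.
certutil -setreg CA\CACertPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://crl.contoso.com/CertData/%1_%3%4.crt'
certutil -setreg CA\CRLPublicationURLs    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://crl.contoso.com/CertData/%3%8%9.crl'
Restart-Service certsvc

# Step 6: document every template the old CA can still issue, then remove them
Get-CATemplate | Out-File "$Export\templates.txt"
Get-CATemplate | ForEach-Object { Remove-CATemplate -Name $_.Name -Force }

# Steps 7-9: dump issued certificates (Disposition 20) per template so the
# holders can be contacted. Default templates are matched by name, custom
# templates by their template OID (placeholder below, see the note in step 9).
$Templates = @('WebServer', 'Machine', 'OID-PLACEHOLDER-FROM-STEP-9')
foreach ($t in $Templates) {
    certutil -view -restrict "CertificateTemplate=$t,Disposition=20" `
        -out 'RequestID,RequesterName,CommonName,NotBefore,NotAfter' |
        Out-File "$Export\issued-$t.txt"
}
```

The registry changes only take effect after the certsvc restart, so check the new CDP and AIA values with certutil -getreg before copying files. Because the CRL now has a long validity, a revocation performed later is only visible to clients after you run certutil -crl again and recopy the .crl file to the web server.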
Amer F. Kamal
Senior Premier Field Engineer