Right-click on Revoked Certificates, and then click properties
Uncheck “Publish Delta CRL”
Edit the “CRL publication interval” to 99 years
Open command prompt as administrator
Type the following command
Copy old CA’s certificate (crt) and Certificate Revocation List (CRLs) files to new CDP/AIA Points (optional)
Navigate to %windir%\System32\CertSrv\CertEnroll
Copy the old CA’s crt and CRL files to new CDP/AIA Points
Redirect AIA and CDP points of old CA to the new location
This can be done using an
IIS redirect, or
redirecting the AIA and CRL of the old Certification Authority.
Document all certificate templates and stop certificate publishing on old Issuing CA
Open the command line with elevated privileges
Certutil -catemplates > c:\catemplates.txt
and document all certificate templates published at the old Certification Authority
In total, certificate templates are present.
Launch the Certification Authority console
Navigate to “Certificate Templates”
Highlight all templates in the right pane, right-click and then click “Delete”
The old Certification Authority cannot issue any certificates and has all of its AIA and CRLs redirected to a new CRL Distribution point. The next steps will detail how users can document the certificates templates published on the old issuing CA and how to make them available at the new issuing CA.
Sort Certification Authority Database, identify and document all certificates issued based on certificate templates
Open Certificate Authority Console.
Highlight Issued Certificates.
Move to the right and sort by “Certificate Templates.”
Note: Replace the OID number with the number identified in step 5
Examine the output of c:\CustomTemplateType.txt and document all the certificates needing immediate action (requiring issuance from the new CA infrastructure if needed, such as custom SSL certificates).
Consult with the application administrator using the certificates to determine the best approach to replace the certificates if needed
Enable certificate templates needed on the results of steps 7 to 9 on new Issuing CA
Login to new Issuing CA.
Right-click on “Certificate Templates,” click New, and click “Certificate Templates to Issue.”
Choose all certificate templates needed in the “Enable Certificate Templates” windows and click >OK.
With these steps, organizations can migrate to the new issuing CA while decommissioning the old Issuing CA. With Windows 2012 ending in October 2023 organizations need something to help migrate to newer operating systems with minimal impact.
If your organization needs assistance with this migration, feel free to email us at email@example.com, and we will ensure that your migration goes as smoothly as possible.