I have a Microsoft Enterprise CA server running on Server 2012r2 on my domain (AD Certificate Services). The Certification Authority was migrated some years ago from an old Server 2013 box that was decommissioned.
The current CA uses SHA1 and needs moving to SHA256. Having researched this, our current Cryptographic Provider is "Microsoft Strong Cryptographic Provider". I understand the process of moving to SHA256 involves backing up the current CA (inc. private key), deleting these keys, and moving to SHA256, including restoring root CA certificates as per https://www.petenetlive.com/KB/Article/0001243
I have very limited knowledge of installing and managing CAs but I have fallen at the first hurdle as backing up the current CA will not allow backing up of the Private Key and CA Cert (message "windows cannot backup one or more private keys because the csp does not support key export").
I have seen suggestions in some posts that it would be easier to create a new Enterprise CA, migrate services towards this over a period of time and then decommission the older CA.
Does anyone have a view on this? In particular, can AD have multiple CAs in the same domain, and presumably each CA would need to be on a different server? Would a newly installed CA by default be based on SHA256? What would be the correct sequence to set up a new CA, re-point my hosts etc.? My certificate policy templates are published in "Active Directory Enrollment Policy". Is what I am proposing possible, as I would potentially have different certificate templates for each CA?
Thread source link: https://social.technet.microsoft.com/Forums/windowsserver/en-US/b86eddec-0d2c-4445-809e-f8d6ef05dfce/setting-up-an-additional-enterprise-ca-on-my-domain?forum=winserver8setup
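Before choosing between re-keying the existing CA and standing up a second one, it helps to record exactly what the current CA is using (provider type, hash algorithm, key exportability) and which enterprise CAs the domain already knows about. The following PowerShell check is an added example, not from the thread or the linked article; it assumes the standard CertSvc registry layout, is run elevated on the CA server, and changes nothing.

```powershell
# Added example (not from the thread): read-only inventory of a CA's signing setup
# before planning a SHA1 -> SHA256 move. Run elevated on the CA server.
# Assumes the standard CertSvc registry layout (HKLM\SYSTEM\...\CertSvc\Configuration).

$svcBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $svcBase -Name Active).Active
$csp     = Get-ItemProperty -Path (Join-Path $svcBase "$caName\CSP")

# A legacy CSP such as "Microsoft Strong Cryptographic Provider" is not a CNG
# Key Storage Provider (KSP); only a KSP honours the CNGHashAlgorithm setting.
$isKsp = $csp.Provider -like '*Key Storage Provider*'

$report = [ordered]@{
    CAName           = $caName
    Provider         = $csp.Provider
    IsKSP            = $isKsp
    HashAlgorithm    = $csp.HashAlgorithm      # legacy CSP ALG_ID; 0x8004 = CALG_SHA1
    CNGHashAlgorithm = $csp.CNGHashAlgorithm   # KSP only, e.g. SHA256
}

# Find the CA's own certificate in the machine store: signature algorithm of the
# current CA cert, and whether its private key is marked exportable. The backup
# error quoted in the question is what a non-exportable CSP key produces.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match [regex]::Escape("CN=$caName") } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if ($caCert) {
    $report.CACertSignature  = $caCert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA
    $report.CACertThumbprint = $caCert.Thumbprint
    # CSP-backed keys expose CspKeyContainerInfo; CNG-backed keys return $null here.
    $exportable = $null
    try { $exportable = $caCert.PrivateKey.CspKeyContainerInfo.Exportable } catch { }
    $report.PrivateKeyExportable = $exportable
} else {
    $report.CACertSignature = 'CA certificate not found in LocalMachine\My'
}

[pscustomobject]$report | Format-List

# Enterprise CAs are registered in the Configuration partition, so listing the
# Enrollment Services container shows every CA the forest already trusts for
# enrolment. Several CAs can coexist; each runs on its own server.
$cfgNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$es    = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
$es.Children | ForEach-Object { '{0} on {1}' -f $_.cn, $_.dNSHostName }
```

A `PrivateKeyExportable` of `False` together with a non-KSP provider confirms the backup failure is a property of the existing key, not of the backup tool, which is the fact the two migration options in the question hinge on.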