Hello,
Thank you so much for posting here.
Q1: Can we back up CA private key and database, uninstall AD CS role, demote as DC, then turn right around and reinstall AD CS, restore CA from backup key/database with no ill effects?
A1: There will be two options: one is to migrate the CA to a new host, and the second is to keep the CA on the original host and move the domain controller. For more information about the steps, we could refer to:
https://video2.skills-academy.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)?redirectedfrom=MSDN
Q2: Does uninstalling the role automatically revoke certs issued by this CA, or is that untouched, and so none should be the wiser?
A2: No, uninstalling the role will not automatically revoke certs. After the re-installation or migration, we will verify whether everything works fine. Besides, it is suggested to do this during downtime.
Q3: Before uninstalling AD CS role should we first lengthen the CRL publish time and increase certificate expiry or anything?
A3: Yes, it is recommended to publish a CRL with a long validity period. We could also refer to the provided document about this, which describes the performance in detail.
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
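
The pre-uninstall steps discussed in A2 and A3, sketched as an added PowerShell example (not part of the original answer or the linked Microsoft guide). The backup location, the 4-week CRL period and the `Invoke-Certutil` helper are assumptions made for illustration.

```powershell
# Added example, run elevated on the CA host before removing the AD CS role.
# $BackupRoot and the 4-week CRL period are assumptions; adjust both.
$ErrorActionPreference = 'Stop'
$BackupRoot = 'D:\CABackup'                # assumed path; copy it off the host afterwards
$CaBackup   = Join-Path $BackupRoot 'CA'   # must be empty for the CA backup
$CertSvcKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Invoke-Certutil {
    # Hypothetical helper: certutil is a native tool, so check its exit code by hand.
    $out = & certutil.exe @args
    if ($LASTEXITCODE -ne 0) { throw "certutil $args failed:`n$($out -join "`n")" }
    $out
}

New-Item -ItemType Directory -Path $CaBackup -Force | Out-Null

# 1. Record the current CRL settings so they can be put back after the restore.
Invoke-Certutil -getreg CA\CRLPeriod      | Out-File "$BackupRoot\crl-settings-before.txt"
Invoke-Certutil -getreg CA\CRLPeriodUnits | Out-File "$BackupRoot\crl-settings-before.txt" -Append

# 2. Lengthen the CRL validity period (A3) and publish a fresh CRL, so clients
#    hold a valid CRL for the whole time the CA is offline.
Invoke-Certutil -setreg CA\CRLPeriod Weeks | Out-Null
Invoke-Certutil -setreg CA\CRLPeriodUnits 4 | Out-Null
Restart-Service -Name CertSvc
Start-Sleep -Seconds 15                    # give the CA interface time to come up
Invoke-Certutil -CRL | Out-Null

# 3. Snapshot the revoked certificates (Disposition 21). Uninstalling the role
#    revokes nothing (A2), so this list should be identical after the restore.
Invoke-Certutil -view -restrict 'Disposition=21' -out SerialNumber csv |
    Out-File "$BackupRoot\revoked-before.csv"

# 4. Back up the CA private key and database, then the CertSvc registry settings.
$pw = Read-Host -AsSecureString 'Password to protect the exported CA key'
Backup-CARoleService -Path $CaBackup -Password $pw
& reg.exe export $CertSvcKey "$BackupRoot\CertSvc-Configuration.reg" /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed' }
```

After the role is reinstalled with the existing key, `Restore-CARoleService` loads the database back from the same folder, and the `certutil -view` query from step 3 can be rerun and compared against `revoked-before.csv`.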