Migration Guide: Microsoft ADCS to Sectigo Certificate Manager

Author: Thiyagarajan

Date: 11-Nov-2025

Purpose: Migrate from Microsoft Active Directory Certificate Services (ADCS) to Sectigo Certificate Manager (SCM) for modern, automated certificate lifecycle management.

🧭 Table of Contents

  1. Project Overview
  2. Pre-Migration Assessment
  3. Sectigo Platform Setup
  4. Sectigo Connector Deployment
  5. Template Mapping
  6. Enrollment Policy Configuration
  7. Certificate Migration
  8. Validation & Monitoring
  9. Rollback Plan
  10. Appendices

1️⃣ Project Overview

  • Goal: Replace legacy ADCS with Sectigo’s cloud-native PKI platform
  • Scope: Includes user, device, server, and service certificates
  • Benefits: Automation, visibility, compliance, and reduced operational overhead

2️⃣ Pre-Migration Assessment

Step 1: Inventory ADCS Components

  • Log in to your ADCS server
  • Open the Certification Authority console
  • Document:
    • CA hierarchy (Root, Subordinate, Issuing) and which CAs are still online
    • Certificate templates published on each CA, with their enrollment permissions
    • Validity and renewal periods
    • Enrollment methods (autoenrollment, web enrollment, NDES/SCEP, manual requests)
    • CRL and AIA distribution points (these must stay reachable until the last ADCS-issued certificate has expired or been revoked)

Step 2: Export Template List

  • Open PowerShell as Administrator on the issuing CA (or add -config "<CAHost>\<CAName>" to target it remotely)
  • Run:
  certutil -catemplates > C:\ADCS_Templates.txt
  • This lists only the templates the CA is configured to issue; the full template definitions live in Active Directory and are reviewed in section 5

Step 3: Identify Certificate Usage

  • Review:
    • IIS bindings
    • VPN authentication
    • Wi-Fi 802.1x
    • RDP and smartcard logons

Step 4: Backup ADCS

  • Open Server Manager
  • Go to Tools > Certification Authority
  • Right-click the CA > All Tasks > Back Up CA
  • Include:
    • Private key and CA certificate (written as a password-protected PFX)
    • Certificate database and certificate database log
    • Configuration (registry settings, CDP/AIA URLs)
  • The backup contains the CA signing key: use a long passphrase, restrict the backup folder to CA administrators, and move it offline rather than leaving it on a file share
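The four assessment steps above collected into one PowerShell script. This is an added example, not part of the original guide and not a Sectigo or Microsoft tool; the CA config string ca01.corp.example\Corp-Issuing-CA, the issuer CN Corp-Issuing-CA, the output folder C:\ADCS_Inventory and the backup passphrase placeholder are assumed values. It is meant to run on the issuing CA as a CA administrator, because the backup step needs the local CA service.

```powershell
# Added example (not from the original guide): one script for the four assessment steps above.
# Hypothetical values: CA config string, legacy issuer CN, output folder and backup passphrase.
# Run it on the issuing CA as a CA administrator (the backup step needs the local CA service).
$CaConfig = 'ca01.corp.example\Corp-Issuing-CA'   # <CA host>\<CA common name>
$IssuerCN = 'Corp-Issuing-CA'
$OutDir   = 'C:\ADCS_Inventory'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1/2: CA registry settings (CDP/AIA URLs, validity caps) and the templates this CA is allowed to issue.
certutil -config $CaConfig -getreg CA   | Out-File "$OutDir\CA_Registry.txt"
certutil -config $CaConfig -catemplates | Out-File "$OutDir\ADCS_Templates.txt"

# Step 1: every issued certificate (Disposition=20) from the CA database, as CSV.
# certutil appends a "CertUtil: ... completed successfully." line that is not CSV, so drop it.
$issuedCsv = "$OutDir\Issued.csv"
certutil -config $CaConfig -view -restrict 'Disposition=20' `
    -out 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter,SerialNumber' csv |
    Where-Object { $_ -and $_ -notmatch '^CertUtil:' } | Set-Content $issuedCsv
$issued = @(Import-Csv $issuedCsv)
if ($issued.Count -eq 0) { throw "No issued certificates returned from $CaConfig" }

# certutil localises the CSV header names, so select columns by pattern rather than by fixed name.
$cols        = $issued[0].PSObject.Properties.Name
$templateCol = $cols | Where-Object { $_ -like '*Template*' } | Select-Object -First 1
$expiryCol   = $cols | Where-Object { $_ -like '*Expir*' }    | Select-Object -First 1

# Certificates per template and how many expire within 90 days: this decides the cutover order.
$issued | Group-Object $templateCol | ForEach-Object {
    $soon = @($_.Group | Where-Object {
        $exp = [datetime]::MinValue
        [datetime]::TryParse($_.$expiryCol, [ref]$exp) -and $exp -lt (Get-Date).AddDays(90)
    }).Count
    [pscustomobject]@{ Template = $_.Name; Issued = $_.Count; ExpiringIn90d = $soon }
} | Sort-Object Issued -Descending | Tee-Object -FilePath "$OutDir\PerTemplate.txt" | Format-Table -AutoSize

# Step 3: where legacy certificates are in use on this host. HTTP.sys bindings (IIS, WinRM over HTTPS,
# RD Gateway) all show up in "netsh http show sslcert" as one "Certificate Hash" line per binding.
$boundHashes = (netsh http show sslcert) -match 'Certificate Hash' | ForEach-Object { ($_ -split ':')[-1].Trim() }
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -match "CN=$IssuerCN(,|$)" } | ForEach-Object {
    $tmpl = $_.Extensions | Where-Object { $_.Oid.FriendlyName -match 'Template' } | ForEach-Object { $_.Format($false) }
    [pscustomobject]@{
        Subject        = $_.Subject
        Template       = ($tmpl -join ';')
        NotAfter       = $_.NotAfter
        BoundInHttpSys = ($boundHashes -contains $_.Thumbprint)   # -contains is case-insensitive
        Thumbprint     = $_.Thumbprint
    }
} | Export-Csv "$OutDir\Usage_$env:COMPUTERNAME.csv" -NoTypeInformation
# NPS (VPN/Wi-Fi) and RDP hosts use the same machine store; repeat this block on those servers.

# Step 4: CA backup = database + configuration + the CA signing key as a PFX. Use a long passphrase
# (placeholder below is hypothetical), lock the folder to CA admins and move the backup offline.
$BackupDir = "$OutDir\CABackup"
certutil -p 'REPLACE-WITH-LONG-PASSPHRASE' -backup $BackupDir
icacls $BackupDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
```

The per-template counts and the expiry column give the cutover order for section 7: templates with many certificates expiring soon go first, because those clients will renew anyway. The usage CSV is per host, so run the Step 3 part on every IIS, NPS and RDP server found in the assessment, not only on the CA.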

3️⃣ Sectigo Platform Setup

Step 1: Create Sectigo Tenant

  • Go to Sectigo Portal
  • Click Sign Up or Request Demo
  • Complete onboarding form
  • Receive admin credentials via email

Step 2: Configure Roles

  • Log in to Sectigo Certificate Manager
  • Go to Settings > Roles
  • Create:
    • Admin
    • Approver
    • Auditor

Step 3: Enable Integrations

  • Navigate to Integrations > Directory Services
  • Enable:
    • Active Directory
    • Azure AD (if hybrid)
    • SCEP/ACME (for devices)

4️⃣ Sectigo Connector Deployment

Step 1: Download Connector

  • Log in to Sectigo
  • Go to Downloads > AD Connector
  • Download the installer

Step 2: Install Connector

  • Run installer on a domain-joined Windows Server
  • Accept license agreement
  • Choose installation path
  • Click Install

Step 3: Register Connector

  • After install, open Sectigo AD Connector
  • Enter:

    • Sectigo API credentials (a dedicated, least-privilege API account rather than a personal admin login)
    • Domain name
    • OU scope (limit it to the OUs that will actually enroll)
  • Click Register

  • Wait for sync confirmation

5️⃣ Template Mapping

Step 1: Review ADCS Templates

  • Open C:\ADCS_Templates.txt
  • Note:
    • Template name
    • Key usage and extended key usage
    • Subject name format, and whether the subject is built from AD attributes or supplied in the request
    • Validity and renewal period
    • Enrollment permissions and whether CA manager approval is required
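The template list exported in section 2 only carries names; the attributes that actually have to be matched in a Sectigo profile live on the template objects in Active Directory. The script below dumps them into a mapping table. It is an added example, not part of the original guide or of any Sectigo tooling; it assumes the RSAT ActiveDirectory module, read access to the Configuration partition (the default for authenticated users), and a hypothetical output path C:\ADCS_Inventory\TemplateMap.csv. The flag constants are taken from the MS-CRTD specification.

```powershell
# Added example (not from the original guide): dump every AD certificate template with the attributes a
# Sectigo profile must match. Output path is hypothetical.
Import-Module ActiveDirectory

$EkuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'ServerAuth'
    '1.3.6.1.5.5.7.3.2'      = 'ClientAuth'
    '1.3.6.1.5.5.7.3.3'      = 'CodeSigning'
    '1.3.6.1.5.5.7.3.4'      = 'SecureEmail'
    '1.3.6.1.4.1.311.20.2.2' = 'SmartCardLogon'
}
# msPKI-Certificate-Name-Flag bits (MS-CRTD): who supplies the subject and which SAN types get stamped.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN   = 0x02000000
$CT_FLAG_SUBJECT_ALT_REQUIRE_DNS   = 0x08000000
$CT_FLAG_SUBJECT_REQUIRE_CN        = 0x40000000
# msPKI-Enrollment-Flag bit: every request is held for CA manager approval.
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002

function Convert-PkiPeriodToDays {
    # pKIExpirationPeriod / pKIOverlapPeriod are 8-byte little-endian negative counts of 100 ns ticks.
    param([byte[]]$Bytes)
    if (-not $Bytes) { return $null }
    [TimeSpan]::FromTicks([Math]::Abs([BitConverter]::ToInt64($Bytes, 0))).Days
}

$base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$props = 'displayName', 'msPKI-Minimal-Key-Size', 'pKIExpirationPeriod', 'pKIOverlapPeriod', 'pKIExtendedKeyUsage',
         'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature'
$templates = Get-ADObject -SearchBase $base -Filter { objectClass -eq 'pKICertificateTemplate' } -Properties $props

$map = foreach ($t in $templates) {
    $nameFlag = [int]$t.'msPKI-Certificate-Name-Flag'
    $enrFlag  = [int]$t.'msPKI-Enrollment-Flag'
    # foreach over $null does not iterate, so templates without an EKU list come out empty rather than as "$null".
    $ekus = foreach ($oid in $t.pKIExtendedKeyUsage) { if ($EkuNames.ContainsKey($oid)) { $EkuNames[$oid] } else { $oid } }
    $san  = @()
    if ($nameFlag -band $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN) { $san += 'UPN' }
    if ($nameFlag -band $CT_FLAG_SUBJECT_ALT_REQUIRE_DNS) { $san += 'DNS' }
    if ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) { $subjectSource = 'Request' } else { $subjectSource = 'AD' }
    [pscustomobject]@{
        Template        = $t.displayName
        MinKeyBits      = $t.'msPKI-Minimal-Key-Size'
        ValidityDays    = Convert-PkiPeriodToDays $t.pKIExpirationPeriod
        RenewalDays     = Convert-PkiPeriodToDays $t.pKIOverlapPeriod
        EKU             = (@($ekus) -join ',')
        SubjectSource   = $subjectSource
        SAN             = ($san -join ',')
        CnRequired      = [bool]($nameFlag -band $CT_FLAG_SUBJECT_REQUIRE_CN)
        ManagerApproval = [bool]($enrFlag -band $CT_FLAG_PEND_ALL_REQUESTS)
        SignaturesReq   = $t.'msPKI-RA-Signature'
    }
}
$map | Sort-Object Template | Export-Csv 'C:\ADCS_Inventory\TemplateMap.csv' -NoTypeInformation
$map | Sort-Object Template | Format-Table -AutoSize
```

Cross-check the table against ADCS_Templates.txt: only templates published on a CA need a Sectigo equivalent. Pay attention to rows with SubjectSource = Request and a ClientAuth or SmartCardLogon EKU: whoever can enroll for such a template chooses the identity in the certificate, so when the template is reproduced in Sectigo it should keep manager approval (or get it) and a tightly scoped enrollment group.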

Step 2: Create Equivalent Templates in Sectigo

  • Go to Templates > Create New
  • Match:

    • Key length (e.g., 2048-bit RSA minimum)
    • Usage (e.g., Client Auth, Server Auth)
    • SAN format (e.g., DNS, UPN)
    • Subject name source: keep names built from AD attributes; if the ADCS template let the requester supply the subject, require approval for the Sectigo equivalent
  • Click Save

Step 3: Assign Templates to Groups

  • Go to Directory Sync > Groups
  • Assign templates to:
    • Users
    • Computers
    • Service accounts

6️⃣ Enrollment Policy Configuration

Step 1: Configure Autoenrollment via GPO

  • Open Group Policy Management
  • Create or edit GPO
  • Navigate to:

    Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies

  • Enable:

    • Certificate Services Client – Auto-Enrollment
    • Set Configuration Model to Enabled and tick both "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates"
    • Repeat the same setting under User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies for user certificates
  • Link GPO to the target OU, starting with a pilot OU

  • Run:

  gpupdate /force
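The same GPO work done from PowerShell, followed by a forced refresh and a verification on one pilot computer. This is an added example and not part of the original guide; it assumes the RSAT GroupPolicy module, rights to create and link GPOs, and hypothetical names for the GPO, the target OU and the pilot host.

```powershell
# Added example (not from the original guide): the GPO steps above done from PowerShell, plus a forced
# refresh on one pilot computer. GPO name, OU distinguished name and pilot host name are hypothetical.
Import-Module GroupPolicy

$GpoName   = 'PKI - Certificate Autoenrollment'
$TargetOU  = 'OU=Workstations,DC=corp,DC=example'
$PilotHost = 'ws-pilot01.corp.example'

# "Certificate Services Client - Auto-Enrollment" is stored as the AEPolicy DWORD under this key.
# 7 is what the editor writes for Enabled with both boxes ticked ("Renew expired certificates, update
# pending certificates, and remove revoked certificates" and "Update certificates that use certificate
# templates"); a value with bit 0x8000 set means Disabled.
$AEKey     = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$AEEnabled = 7

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Autoenrollment for the ADCS to SCM migration' }

# HKLM = Computer Configuration (device certificates); HKCU = the same policy under User Configuration,
# which turns on user autoenrollment.
foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name $GpoName -Key "$hive\$AEKey" -ValueName 'AEPolicy' -Type DWord -Value $AEEnabled | Out-Null
}

# Link once to the target OU (skip if a link already exists).
$existing = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }

# gpupdate /force on the pilot, verify the value really landed, then trigger autoenrollment now instead
# of waiting for the scheduled task (certutil -pulse = machine store, certutil -user -pulse = user store).
Invoke-Command -ComputerName $PilotHost -ScriptBlock {
    param($Key, $Expected)
    gpupdate /target:computer /force | Out-Null
    $ae = Get-ItemProperty "HKLM:\$Key" -ErrorAction SilentlyContinue
    if ($ae.AEPolicy -ne $Expected) { throw "AEPolicy on $env:COMPUTERNAME is '$($ae.AEPolicy)', expected $Expected" }
    certutil -pulse | Out-Null
    "Autoenrollment enabled and triggered on $env:COMPUTERNAME"
} -ArgumentList $AEKey, $AEEnabled
```

The GPO only switches the client side on. Which enrollment service the client talks to, and therefore whether the certificate comes from Sectigo rather than the old CA, is determined by the connector and directory integration from section 4, so confirm on the pilot that the newly enrolled certificate carries a Sectigo issuer before linking the GPO to production OUs.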

Step 2: Configure Mobile & Device Enrollment

  • Go to Sectigo > Enrollment Policies
  • Enable:
    • SCEP for routers/switches
    • ACME for Linux servers
    • Intune integration for mobile devices

7️⃣ Certificate Migration

Step 1: Issue New Certificates from Sectigo

  • Go to Certificates > Issue
  • Select template
  • Choose target user/device
  • Click Issue

Step 2: Update Bindings

  • For IIS:

    • Open IIS Manager
    • Go to Sites > Bindings
    • Edit HTTPS binding
    • Select new Sectigo certificate
  • For VPN/Wi-Fi:

    • Update the NPS or RADIUS server certificate (in NPS: network policy > Constraints > Authentication Methods > EAP type properties)
    • Make sure the Sectigo chain is trusted by the Wi-Fi/VPN clients before the switch, or 802.1X authentication will fail

Step 3: Revoke Legacy Certificates

  • Only after the replacement certificate is bound and verified (Step 2) and nothing else still presents the old one
  • Open ADCS Console
  • Go to Issued Certificates
  • Right-click the certificate > All Tasks > Revoke Certificate, reason Superseded
  • Right-click Revoked Certificates > All Tasks > Publish to issue a new CRL; clients see the revocation only once they fetch it
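The three cutover steps for one IIS site in PowerShell: select the Sectigo-issued certificate, rebind, prove the binding changed, and only then revoke the superseded ADCS certificate and publish a new CRL. This is an added example and not part of the original guide; it assumes the WebAdministration module on the web server, CA officer rights on the CA, and hypothetical values for the site name, host name, CA config string and issuer CN. The Sectigo issuer is matched by the substring "Sectigo", which is an assumption about the issuer DN.

```powershell
# Added example (not from the original guide): cut one IIS site over to its Sectigo-issued certificate,
# then revoke the superseded ADCS certificate and publish a fresh CRL. Site name, host name, CA config
# string, issuer CN and issuer pattern below are hypothetical.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$HostName = 'www.corp.example'                    # name the new certificate must cover
$CaConfig = 'ca01.corp.example\Corp-Issuing-CA'   # <CA host>\<CA common name>
$IssuerCN = 'Corp-Issuing-CA'                     # issuer CN of the legacy ADCS certificates
$SectigoIssuerPattern = 'Sectigo'                 # matched against the replacement certificate's Issuer DN
$CRLREASON_SUPERSEDED = 4                         # RFC 5280 CRLReason; 1 = keyCompromise, 5 = cessationOfOperation

function Get-HttpsBindingCert {
    # Certificate currently bound to the site's first HTTPS binding, or $null.
    param([string]$Site)
    $b = Get-WebBinding -Name $Site -Protocol https | Select-Object -First 1
    if (-not $b -or -not $b.certificateHash) { return $null }
    Get-Item "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
}

function Test-CertCoversHost {
    # True if $HostName appears in the SAN extension (2.5.29.17) or, as a fallback, in the subject CN.
    param($Cert, [string]$HostName)
    $san   = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) { $san.Format($false) } else { '' }
    $h = [regex]::Escape($HostName)
    ($names -match "DNS Name=$h(,|$)") -or ($Cert.Subject -match "CN=$h(,|$)")
}

function Set-HttpsBindingCert {
    # Rebind every HTTPS binding of $Site to the LocalMachine\My certificate with $Thumbprint.
    param([string]$Site, [string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "$Thumbprint has no private key on this host; cannot serve TLS" }
    foreach ($b in Get-WebBinding -Name $Site -Protocol https) { $b.AddSslCertificate($Thumbprint, 'My') }
}

# Step 1 result: the newest Sectigo-issued, private-key-bearing certificate that covers the host name.
$new = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match $SectigoIssuerPattern -and $_.HasPrivateKey -and (Test-CertCoversHost $_ $HostName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "No Sectigo-issued certificate for $HostName in LocalMachine\My; issue it first" }

# Step 2: rebind and prove the binding changed before touching the old certificate.
$old = Get-HttpsBindingCert -Site $SiteName
if ($old -and $old.Thumbprint -eq $new.Thumbprint) { Write-Host "$SiteName already uses $($new.Thumbprint)"; return }
Set-HttpsBindingCert -Site $SiteName -Thumbprint $new.Thumbprint
if ((Get-HttpsBindingCert -Site $SiteName).Thumbprint -ne $new.Thumbprint) { throw 'Rebind did not take effect' }

# Step 3: revoke the superseded ADCS certificate and publish a new CRL. Relying parties only see the
# revocation after they fetch that CRL, and anything still presenting the old certificate breaks the moment
# they do, so run this only once every binding of the old certificate (IIS and NPS alike) is gone.
if ($old -and $old.Issuer -match "CN=$IssuerCN(,|$)") {
    certutil -config $CaConfig -revoke $old.SerialNumber $CRLREASON_SUPERSEDED
    certutil -config $CaConfig -crl     # publish a new base CRL to the configured CDP locations
} else {
    Write-Host 'Previous certificate was not issued by the legacy CA; nothing to revoke'
}
```

Set-HttpsBindingCert with the old ADCS thumbprint is also the rollback action in section 9 Step 3, which is one reason to keep the old certificate and key in the store (not just unbound) for the whole soak period; revoking it, as Step 3 does, is a one-way door.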

8️⃣ Validation & Monitoring

Step 1: Validate Certificate Installation

  • On the client machine, run (this reads the machine store; add -user for the logged-on user's store):
  certutil -store my
  • Confirm the Sectigo-issued certificate is present, has a private key, and chains to a trusted root

Step 2: Validate GPO Application

  • Run:
  gpresult /h C:\gpresult.html
  • Open HTML and confirm autoenrollment applied

Step 3: Monitor Sectigo Dashboard

  • Go to Dashboard > Certificate Lifecycle
  • Check:
    • Expiring certificates
    • Failed enrollments
    • Audit logs
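The three validation steps above as a PowerShell check for one host, plus a client-side test that the HTTPS endpoint really presents the new certificate. This is an added example, not part of the original guide; the target host name, port and the "Sectigo" issuer substring are assumptions.

```powershell
# Added example (not from the original guide): post-cutover checks for one host. Target host, port and
# issuer pattern are hypothetical.
$TargetHost = 'www.corp.example'
$TargetPort = 443
$SectigoIssuerPattern = 'Sectigo'

function Test-AutoenrollmentPolicy {
    # Step 2 without the HTML report: read the value the autoenrollment GPO writes. Bit 0x8000 = Disabled.
    $ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
    $enabled = ($null -ne $ae.AEPolicy) -and (($ae.AEPolicy -band 0x8000) -eq 0)
    [pscustomobject]@{ AEPolicy = $ae.AEPolicy; AutoenrollmentEnabled = $enabled }
}

function Get-SectigoCerts {
    # Step 1 for both stores ("certutil -store my" and "certutil -user -store my").
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        Get-ChildItem $store | Where-Object { $_.Issuer -match $SectigoIssuerPattern } | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                PrivateKey = $_.HasPrivateKey
                # Builds the chain against this host's trust stores. A failure usually means the Sectigo
                # chain is not trusted here, or its AIA/CDP URLs are blocked by proxy or egress rules.
                ChainOk    = [bool](Test-Certificate -Cert $_ -Policy BASE -ErrorAction SilentlyContinue)
                Thumbprint = $_.Thumbprint
            }
        }
    }
}

function Get-PresentedCert {
    # Opens a TLS session and returns the leaf certificate the server actually presents, so the IIS or NPS
    # rebinding is verified from the client side rather than by trusting the console.
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Validation callback always returns $true: we only want to inspect the certificate here;
        # trust is checked separately by Test-Certificate above.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

Test-AutoenrollmentPolicy
Get-SectigoCerts | Format-Table -AutoSize
$leaf = Get-PresentedCert -HostName $TargetHost -Port $TargetPort
if ($leaf.Issuer -notmatch $SectigoIssuerPattern) {
    Write-Warning "$TargetHost still presents a certificate from $($leaf.Issuer); rebinding (section 7) did not take"
} else {
    "$TargetHost presents Sectigo certificate $($leaf.Thumbprint), expires $($leaf.NotAfter)"
}
```

Run Get-PresentedCert from a machine that is not the web server itself: a binding can look right in IIS Manager while a load balancer or a second HTTP.sys binding still serves the old certificate.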

9️⃣ Rollback Plan

Step 1: Retain ADCS in Standby

  • Do not uninstall ADCS for 30–60 days
  • Keep CRL publishing active: any ADCS-issued certificate still in use fails revocation checking once the last published CRL expires
  • Keep the CDP/AIA URLs reachable and leave the CA certificate in the trusted root and NTAuth stores until the last ADCS-issued certificate has expired or been revoked

Step 2: Export Sectigo Certificates

  • Go to Certificates > Export
  • Save as .pfx with a strong password and store it under the same controls as the CA backup

Step 3: Rebind Legacy Certificates (if needed)

  • Open IIS or NPS
  • Re-select ADCS-issued certificate

Step 4: Notify Stakeholders

  • Send rollback notice with reason and timeline

🔚 Appendices

  • Sectigo API Reference
  • PowerShell scripts for template export
  • GPO autoenrollment examples
  • Sectigo connector troubleshooting guide
  • Contact info for Sectigo support
