Error while importing CA backed up private key

Muzzamiluddin Mohammad 0 Reputation points
2025-08-10T08:20:33.3833333+00:00

To migrate the CA server from one server to another, we have taken a backup of the CA private key and database. When we try to import it, it gives the following error.


1 answer

  1. Henry Mai 2,375 Reputation points Independent Advisor
    2025-08-11T06:23:58.6566667+00:00

    Hello Muzzamiluddin, I am Henry and I want to share my insight about your issue.

    The error message: "The imported certificate does not match the chosen CA type and will not be used. However, the imported key can still be used." means what it says:

    1. The Certificate Mismatch: The certificate you are importing (from your old CA backup) was issued for a specific type of Certification Authority (e.g., an "Enterprise Root CA"). During the setup on the new server, you have selected a different CA type (e.g., a "Standalone Root CA"). The wizard is flagging this inconsistency.
    2. The Key is Usable: The good news is that the private key part of your backup file (.pfx or .p12) is valid and has been successfully imported into the computer's certificate store. The wizard could potentially use this key to generate a new certificate, but that is not what you want for a migration.

    The most common cause is selecting the wrong CA Type during the AD CS Configuration wizard on the new server. The new CA's configuration must exactly match the old CA's configuration.

    The primary settings that must match are:

    • CA Type: Enterprise vs. Standalone
    • CA Role: Root CA vs. Subordinate CA

    You need to cancel the current installation and restart the configuration process with the correct settings.

    Step 1: Find the Original CA Type - If you are unsure of the original CA's configuration, you can check it on the old server (if it's still available):

    • On the old CA server, open the Certification Authority console (certsrv.msc).
    • Right-click on your CA name in the left pane and select Properties.
    • On the General tab, look at the top. It will clearly state if it is an "Enterprise Root CA", "Enterprise Subordinate CA", "Standalone Root CA", or "Standalone Subordinate CA". Note this down.

    Step 2: Re-run the Configuration on the New Server

    • Click OK on the error message.
    • In the main AD CS Configuration wizard window, click Cancel to exit the setup.
    • It's best practice to uninstall the AD CS role from the new server via Server Manager, reboot the server, and then reinstall the role. This ensures a clean slate.
    • After reinstalling the role, launch the Post-deployment Configuration for AD CS again.
    • On the Setup Type screen, carefully select the CA Type that exactly matches the one you noted down from your old server.
    • On the Private Key screen, select "Use existing private key" and then "Select a certificate and use its associated private key".
    • Click the "Import..." button and select your .pfx backup file again.

    If the CA Type now matches the certificate you are importing, the error will not appear, and the migration can proceed successfully.

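As an added example (not part of Henry's answer or of Microsoft's documentation), the same two steps done from PowerShell: read the CA type from the old server's AD CS registry configuration, check that the .pfx certificate is consistent with it before starting the wizard, and then configure the new CA with the matching `-CAType`. The computer name `OLD-CA01` and the path `C:\CABackup\ca.pfx` are placeholders, and the numeric-to-name mapping follows the `ENUM_*CA` values in certsrv.h.

```powershell
# Added example; OLD-CA01 and C:\CABackup\ca.pfx are placeholders. Run on the new
# server as a user who can remote to the old CA (Enterprise Admin for an Enterprise CA).

# Step 1: read the CA type the old server was configured with (same value the
# certsrv.msc Properties > General tab shows, stored as a DWORD in the registry).
$caTypeNames = @{
    0 = 'EnterpriseRootCA'          # ENUM_ENTERPRISE_ROOTCA
    1 = 'EnterpriseSubordinateCA'   # ENUM_ENTERPRISE_SUBCA
    3 = 'StandaloneRootCA'          # ENUM_STANDALONE_ROOTCA
    4 = 'StandaloneSubordinateCA'   # ENUM_STANDALONE_SUBCA
}
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$oldCa = Invoke-Command -ComputerName OLD-CA01 -ScriptBlock {
    param($cfg, $names)
    $active = (Get-ItemProperty -Path $cfg -Name Active).Active          # CA common name
    $type   = (Get-ItemProperty -Path "$cfg\$active" -Name CAType).CAType
    [pscustomobject]@{ CAName = $active; CAType = $names[[int]$type] }
} -ArgumentList $cfg, $caTypeNames
$oldCa | Format-List

# Sanity check: a root CA certificate is self-signed (Subject = Issuer); a
# subordinate's is not. Enterprise vs. Standalone is not visible in the cert,
# so the registry value above is the only authority for that half of the type.
$pfxPath = 'C:\CABackup\ca.pfx'
$pfxPwd  = Read-Host -Prompt 'PFX password' -AsSecureString
$caCert  = (Get-PfxData -FilePath $pfxPath -Password $pfxPwd).EndEntityCertificates[0]
$certIsRoot = ($caCert.Subject -eq $caCert.Issuer)
$typeIsRoot = ($oldCa.CAType -like '*Root*')
if ($certIsRoot -ne $typeIsRoot) {
    throw "Backup cert (root=$certIsRoot) does not match CA type $($oldCa.CAType); stop here."
}

# Step 2: install the role and configure the new CA with the SAME type, reusing
# the backed-up certificate and key instead of generating a new one.
Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType $oldCa.CAType `
    -CertFile $pfxPath -CertFilePassword $pfxPwd -Force
```

After this, restore the CA database on the new server and confirm the CA name and type in certsrv.msc match what Step 1 reported.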
