"In this scenario I see 2 alternatives, but don't know
if one of them is possible:
1) create new server certificate with CA, and move everything including CA. (is it possible to move CA without cert.id?)
2) install new server in new domain and set up new CA."

1.) I don't think you can move CA to another server without the cert.id. When you migrate certifier to CA, you would be asked on which server CA should run. If you create a new server, this new server won't have the CA process running on it.
2.) If you do a totally new (different) server, then you would have to register or certify your existing users to this new server (with a new domain).

I can give you a third alternative:
There is a way to recover a cert.id when you have CA set up. (You must be a CAA in order to do this.)

Steps to recover Cert.id from ICL database:
1.) Open ICL database
2.) Open the document called "IDStorage"
3.) An id file should be stored in that document; it will usually have a name of ~tmp.id
4.) Save it to your computer (password on this id would be different, do the next steps to get the password)
5.) Go back to the document, right click, then access document properties
6.) On the fields tab (second tab from left), look for the password field. That would be the password for the certifier.

Then after you recover the cert.id you can proceed with creating a new server.id, install and set up the new server, move your users to this new server, then migrate the certifier (cert.id) to the CA process to be run on this newly set up server.

Hope this helps