Server 2012R2 Domain Controller + Certificate Authority Migrate & Demote

So I inherited a very messed up environment and I am down to my last 2012 R2 Server. If it were only a Domain controller, I would not be so hesitant. But it also has Certification Authority running on it. From what I can tell this is needed for our Citrix VDI environment. If I shut it down for a few hours, anyone logging into Citrix will be prompted to enter their credentials after logging into Citrix Workspace. Also I have 300+ users in these systems around the clock, so I have to tread lightly. How difficult would it be to move the CA service from "Comp-DC-01" (2012R2) to "Comp-CA-01" (2019) and then I can demote this last 2012 machine? I am pretty sure that our FAS server is the only thing using the CA service, and it is only for Citrix at this point. I am looking to minimize any disruptions to our end users.