Active Directory Certificate Services
Hi Guys, I have a customer who has a Windows Server 2003 Certificate Authority. There is a root server and one issuing server. Both run Windows Server 2003 Standard Edition. I want to put in a more secure and scalable PKI Infrastructure. They want to primarily use the CA for Computer Certificates for a wireless network. Looking on their system today, they also have EFS, Domain Controller, IPSEC and Web Certs (Lync and Exchange).

My planned implementation is to have Windows Server 2008 R2 Datacenter (as they are licensed for it) implemented in the following fashion:

RootCA (Standalone, 10 Years, 2048 key, Offline)
Issuing01 (Enterprise, 5 Years, 1024 Key, Online, CRL) - For User Certs
Issuing02 (Enterprise, 5 Years, 1024 Key, Online, CRL) - For Computer Certs

How would I go about going from the Windows Server 2003 Hierarchy to the new hierarchy? I assume I would backup and restore somehow, but my current Root CA is Enterprise and Online. I want the new Root CA to be standalone and offline. Also, I assume I would need to keep the server names the same? Any help would be appreciated!
April 8th, 2012 2:16pm

It seems like you want to replace an existing PKI with a new PKI in the same domain. If so, you might find these two articles of assistance:

http://blogs.technet.com/b/askds/archive/2010/08/23/moving-your-organization-from-a-single-microsoft-ca-to-a-microsoft-recommended-pki.aspx
http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx

I think you can safely go for a root certificate validity period of 20 years and an issuing certificate validity period of 10 years or more, but it depends on the policies for the PKI. The key length for the issuing CAs could also probably be 2048, again unless there are specific policy reasons why a 2048 bit key length cannot be used.

Steve G
April 8th, 2012 2:31pm

Thanks for that. I was going to go with the below procedure; what do you think?

1. Backup current Windows Server 2003 PKI Infrastructure.
2. Analyse current Windows Server 2003 PKI Infrastructure and document current certificate uses (include a list of Certificates that can be revoked).
3. Install 3 x Windows Server 2008 R2 SP1 Datacentre Edition onto existing Virtual Infrastructure with all Operating System patches.
4. Configure new Root CA Server with Active Directory Certificate Services in Standalone mode.
5. Configure new Root CA with a Certificate Key length of 4096 and validity of 20 years.
6. Export Trusted Root Certificate for Enterprise Servers and Clients to use.
7. Import Trusted Root Certificate onto new Issuing Certificate Servers.
8. Configure 2 x new Issuing Certificate Servers in Enterprise Mode.
9. Configure new Issuing CAs with a Certificate Key length of 2048 and validity of 10 years.
10. Disable AutoEnrollment on Issuing CAs.
11. Create new AIA and CDP Distribution points for new PKI.
12. Remove Certificate Templates from Windows Server 2003.
13. Stop and Disable Certificate Services on Root and Issuing CA Servers in the existing Windows Server 2003 environment.
14. Enable AutoEnrollment on Windows Server 2008 Issuing CAs.
15. Re-enrol certificate holders for templates (this will reissue automatically enrolled certificates).
16. Manually update existing certificates that were manually requested (e.g. Exchange, Lync and OCS).
17. Configure Certificate Revocation Lists on Issuing Servers.
April 8th, 2012 3:25pm
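The root-CA settings from the procedure above (4096-bit key, 20-year root validity, 10-year validity for the certificates the root issues to Issuing01/Issuing02, HTTP CDP/AIA locations and a CRL interval suited to an offline root) expressed as one CAPolicy.inf plus certutil configuration. This is an added example, not a script from the thread or from Microsoft; the host name pki.example.local is an assumed placeholder.

```powershell
# Added example, not from the thread. Assumed placeholder: pki.example.local is the
# web server that will host the CRL and CA certificate. Run as administrator on the
# new standalone root CA.

# 1) CAPolicy.inf must exist in %windir% BEFORE the AD CS role is installed. It fixes
#    the root's own key length and validity (the 4096-bit / 20-year values from step 5).
#    A 26-week CRL period fits a root that is powered on only to sign CRLs and CA certs;
#    no delta CRLs for an offline root.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding Ascii

# 2) After the role is installed (step 11): CDP and AIA URLs that go into the
#    certificates this root issues. Prefix 1 = publish the file to this location,
#    2 = include the URL in the extension. %3 = CA name, %8/%9 = CRL/delta suffix,
#    %1 = server DNS name, %4 = certificate name suffix (certutil token syntax).
#    No LDAP URL, because a standalone offline root is not a domain member.
$cdp = '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.local/CertEnroll/%3%8%9.crl'
$aia = '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.local/CertEnroll/%1_%3%4.crt'
certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# 3) Cap the validity of certificates the root issues at 10 years, i.e. the lifetime
#    the procedure gives the two issuing CAs (step 9). The issuing CAs' own key length
#    (2048) is chosen when their request is generated, not here.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

# 4) Apply and publish the first CRL; then copy the .crl and .crt files from
#    %WINDIR%\system32\CertSrv\CertEnroll to the HTTP host before enrolling
#    the issuing CAs, or chain building on clients will fail revocation checks.
Restart-Service certsvc
certutil -crl
```

Before step 15, verify with certutil -verify -urlfetch against an issued certificate that both HTTP URLs resolve from a domain client; a CDP that is reachable only from the CA is the most common cause of autoenrollment failures after a migration like this.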

Would that work guys? :-)
April 8th, 2012 5:04pm

If you follow the instructions in the second article, you should be fine. However, I would recommend gaining some experience with the process by running through it in a lab. I see you have specified a 4096 bit key length for the root CA. Make sure that everything you plan to issue a certificate to can handle a 4096 bit key. There are some instances of older equipment, a Cisco VPN 3000 for example, that cannot handle a 4096 bit key length.

Steve G
April 9th, 2012 3:04am
