Hi There,

I have an AD integrated enterprise Certificate Authority running on Server 2012 R2 with a single off-line root CA and a single subordinate CA. I want to add a couple of new CRL Distribution Points to my PKI infrastructure for redundancy. I'm very comfortable with the procedure on how to do this but I'm a little sketchy as to what happens after I update. I want all the certificates I have already issued to pick up the new CDPs and as far as I can see the only way to do this is force a "Reenroll All Certificate Holders" from the certificate template.

Is this the only way to do this?

Also, after doing this procedure on the CA template are all the currently issued certificates still valid up until the reenrollment or are they immediately revoked?

Cheers
C