Adding a third tier to a two-tier PKI infrastructure
I have recently helped create a two-tier PKI infrastructure using Windows Server 2008 R2 certificate services. I am fairly new to implementing certificate services and wanted to know if the two-tier infrastructure can be scaled up to three-tier, and how that would be done. We needed to get the two-tier setup up and running for an immediate need, but may need to change it at a later date for additional security reasons. At the moment our infrastructure is very simple, with a Standalone Root CA (offline) and an Enterprise Issuing CA. I followed many of the suggestions found in this online video when creating the infrastructure: http://blogs.technet.com/b/dmitrii/archive/2011/01/27/pki_2d00_installation_2d00_made_2d00_easy.aspx.
April 22nd, 2011 11:29am

You can migrate to a two tiered in one of two ways:

1) Create a new offline policy CA below the current root CA, then move the issuing CA below the new policy CA (when you renew the issuing CA, submit the request to the new policy CA).
2) Leave the existing issuing CA as two tier. Create a new policy CA and install a new issuing CA below the new policy CA.

Both are supported and both work.

Brian
April 22nd, 2011 12:06pm
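A model of option 1 above, added here as an example (it is not from the thread and these are not AD CS commands): OpenSSL stands in for the three CAs, every name is constructed, and it assumes the issuing CA keeps its key pair when it is re-certified under the policy CA. It shows that a certificate the issuing CA issued earlier then validates through the policy CA as well as through the old two-tier certificate, and that clients need the policy CA certificate to build the new path.

```shell
#!/bin/sh
# Added model, not AD CS: OpenSSL stands in for the CAs; every name is constructed.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[caext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

key() { openssl genrsa -out "$W/$1.key" 2048 2>/dev/null; }
csr() { openssl req -new -config "$W/cfg" -key "$W/$1.key" -subj "/CN=$2" -out "$W/$1.csr"; }
# issue <signer-cert> <signer-key> <csr> <out-cert> <serial> [extension section]
issue() {
  openssl x509 -req -in "$W/$3.csr" -CA "$W/$1.crt" -CAkey "$W/$2.key" -set_serial "$5" \
    -days 30 ${6:+-extfile "$W/cfg" -extensions "$6"} -out "$W/$4.crt" 2>/dev/null
}
# verify <leaf> <intermediate>...: succeeds only if a path from the leaf to the
# trusted root can be built from exactly the intermediates supplied.
verify() {
  leaf=$1; shift; : > "$W/untrusted.pem"
  for c in "$@"; do cat "$W/$c.crt" >> "$W/untrusted.pem"; done
  openssl verify -CAfile "$W/root.crt" -untrusted "$W/untrusted.pem" "$W/$leaf.crt" >/dev/null 2>&1
}

# Existing two-tier hierarchy: root -> issuing CA -> leaf.
key root
openssl req -x509 -new -config "$W/cfg" -extensions caext -key "$W/root.key" \
  -subj "/CN=Constructed Root CA" -days 30 -out "$W/root.crt"
key issuing; csr issuing "Constructed Issuing CA"
issue root root issuing issuing_2tier 2 caext
key leaf; csr leaf "host.example.test"
issue issuing_2tier issuing leaf leaf 3

# Option 1: new policy CA under the same root, then the issuing CA's request
# (same key, same subject) is signed by the policy CA instead of the root.
key policy; csr policy "Constructed Policy CA"
issue root root policy policy 4 caext
issue policy policy issuing issuing_3tier 5 caext

verify leaf issuing_2tier && echo "old path root -> issuing -> leaf: OK"
verify leaf issuing_3tier policy && echo "new path root -> policy -> issuing -> leaf: OK"
verify leaf issuing_3tier || echo "new issuing CA cert without the policy CA cert: no path"
```
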

Thank you very much. I appreciate the quick answer.
April 22nd, 2011 1:20pm
