Adding an offline root CA to an existing PKI
We have an existing PKI running on a single server in a single domain. I've been tasked with cleaning up our PKI and expanding it to also work with two other forests we have. I'm looking at setting up a two-tier model with an offline root CA and using cross-forest enrollment in Win2k8R2 to have the issuing CA in one of the forests issue certificates to all of our other forests. My main question is, what do I do about the existing PKI? Is it possible to add a new offline root CA into the mix on the existing infrastructure? I'm concerned that the private key of the existing CA is not secure. If I cannot add an offline root CA to the existing PKI, can I just deploy a new infrastructure, migrate the clients over to the new CA and then decommission the old PKI? Is it possible to have multiple AD certificate authorities running at once?
January 23rd, 2011 11:12am

Your last option is the way to go. You can have two CA hierarchies running at the same time with no problem. The trick is the decommissioning. In many cases, some companies will have to wait for the last certificate issued by the old PKI to expire before decommissioning the old PKI. It really depends on the number of certificates. Once you have the new CA hierarchy set up, ensure that the old CA does not have any certificate templates available (to prevent future enrollments from the old PKI).
Brian
January 23rd, 2011 12:30pm
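As an added example (not part of the thread above, and not Brian's or Microsoft's code), the PowerShell below does the two things his answer calls for on the old CA: remove every published template so nothing new can be enrolled, and query the CA database for the latest-expiring issued certificate, which is the earliest date the old hierarchy can be retired. It uses certutil.exe, which is what you actually have on a Win2k8R2 CA. The CA config string is a placeholder, and the CSV column handling (positional headers, `[datetime]::Parse` on the NotAfter field) is an assumption about certutil's output that you should check on your own CA.

```powershell
# Added example: freeze enrollment on the old CA and compute its earliest
# decommission date. Requires certutil.exe and CA administrator rights.
param(
    [string]$OldCaConfig = "OLDCA01.corp.example\Corp-Old-CA",  # placeholder; change to "<host>\<CA name>"
    [switch]$RemoveTemplates   # dry run (list only) unless this switch is given
)

# 1. Which templates is the old CA still willing to issue from?
#    certutil -CATemplates prints one line per template: "Name: Display Name ...".
$templates = certutil -config $OldCaConfig -CATemplates |
    Where-Object { $_ -match '^(\S+):' } |
    ForEach-Object { $Matches[1] }

Write-Host "Templates published on ${OldCaConfig}: $($templates -join ', ')"

if ($RemoveTemplates) {
    foreach ($t in $templates) {
        # Removing a template from the CA stops new enrollments against it.
        # Certificates already issued from it are untouched and stay valid.
        certutil -config $OldCaConfig -deltemplate $t | Out-Null
        Write-Host "Removed template $t from $OldCaConfig"
    }
}

# 2. How long must the old CA (and its CRL publishing) stay alive?
#    Disposition 20 = issued. Pull the columns we need as CSV; the first row is
#    certutil's own (version-dependent) header, so we drop it and name the
#    columns ourselves (assumption: three columns in the order requested).
$rows = certutil -config $OldCaConfig -view -restrict "Disposition=20" `
            -out "RequestID,CertificateTemplate,NotAfter" csv |
        Where-Object { $_ -match '\S' } |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID, Template, NotAfter

$now  = Get-Date
$live = foreach ($r in $rows) {
    try   { $exp = [datetime]::Parse($r.NotAfter) } catch { continue }  # skip unparsable dates
    if ($exp -gt $now) {
        [pscustomobject]@{ RequestID = $r.RequestID; Template = $r.Template; NotAfter = $exp }
    }
}

if (-not $live) {
    Write-Host "No unexpired certificates remain; the old CA can be decommissioned now."
} else {
    $last = $live | Sort-Object NotAfter -Descending | Select-Object -First 1
    Write-Host ("{0} unexpired certificate(s) still issued by {1}." -f @($live).Count, $OldCaConfig)
    $live | Group-Object Template | Sort-Object Count -Descending |
        ForEach-Object { Write-Host ("  {0,5}  {1}" -f $_.Count, $_.Name) }
    Write-Host ("Earliest decommission date (last NotAfter): {0:yyyy-MM-dd}  [RequestID {1}, template {2}]" -f `
        $last.NotAfter, $last.RequestID, $last.Template)
}
```

Run it once without `-RemoveTemplates` to see what the old CA still publishes and how far out its last certificate runs, then again with the switch once the new hierarchy is issuing. If the reported date is years away and you do not want to wait, the alternative is to re-enroll those subjects from the new issuing CA and revoke them on the old one; either way the old CA has to keep publishing a reachable CRL until the last certificate it issued has expired or been replaced, or clients doing revocation checking will start failing.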

Thanks Brian, I'll give it a go.
January 24th, 2011 12:07pm

