Certificate Services migration from Windows 2003 to Windows 2008 R2 with topology change?
I've searched the forums, read the whitepapers, and read Brian Komar's book. But I can't seem to find an answer to this question: In the process of migrating our Certificate Services infrastructure from Windows 2003 to Windows 2008 R2, is it possible to go from a single online Enterprise root CA to a new topology including a Stand-Alone offline root CA and two or more subordinate issuing CAs? If so, where would I restore the CA database and keys from the 2003 Enterprise root CA during the migration, to the offline root or the subordinate issuer? So far, all of the documentation and discussion I can find relates only to migrations to matching topologies. Or, is the only answer here to completely tear down the old PKI and build the new one without any migration of existing certificates? Thanks!
June 29th, 2012 6:11pm

Going from one tier to two-tiered is a more difficult process (for sure). Before providing an answer, did you issue any encryption certs that have their private keys archived in the CA database? It will definitely influence the answer... Brian
June 29th, 2012 7:20pm

Hi, Please check the articles below to see if they can be helpful while planning the ADCS migration:

Planning the Upgrade or Migration
http://technet.microsoft.com/en-us/library/cc742466(v=ws.10).aspx

Active Directory Certificate Services Migration Guide
http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx

Regards Kevin
July 2nd, 2012 3:56am

In the process of migrating our Certificate Services infrastructure from Windows 2003 to Windows 2008 R2, is it possible to go from a single online Enterprise root CA to a new topology including a Stand-Alone offline root CA and two or more subordinate issuing CAs? If so, where would I restore the CA database and keys from the 2003 Enterprise root CA during the migration, to the offline root or the subordinate issuer? So far, all of the documentation and discussion I can find relates only to migrations to matching topologies.

I agree with Brian that you need to consider the history of your current CA and how it has been used. So if you must keep the current Enterprise Root CA and continue using it in the new topology, then that is going to be your new (migrated) Root CA. Now, because the Root CA has been an online Enterprise CA, you cannot just turn it into an offline Root. Because the CA has been AD integrated, you need to continue publishing the CRLs from this CA to your AD as well as taking care of possible revocation operations of already issued certificates. A better way to restructure would be to create a new set of CAs according to the new topology and identified needs, and keep the old Enterprise Root CA until all issued certificates have expired or been replaced by new ones from the new topology. /Hasain
July 2nd, 2012 11:24am
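Two facts decide between Brian's "it depends on archived keys" and Hasain's "keep the old root until its certificates expire": how many issued certificates have a private key archived in the CA database (those can only ever be recovered from a CA that holds this database and the KRA keys), and when the last certificate the old CA issued expires (until then it must keep publishing CRLs and be able to revoke). The script below is an added example, not code from the thread or from Microsoft; it wraps certutil.exe, which exists on both the 2003 source CA and a 2008 R2 box. It assumes it is run by a CA administrator, that certutil is in PATH, and that certutil's English column labels ("Request ID", "Certificate Expiration Date", "Key Recovery Agent Hashes", ...) are what is printed; the text parsing is the fragile, assumed part. Pass `-Config "host\CA name"` to query a remote CA instead of the local one.

```powershell
# Added example: inventory an online Enterprise CA before choosing migration vs. rebuild.
# Assumptions: run as CA administrator; certutil.exe in PATH; English certutil output.

function Get-CaRegValue {
    # Reads one value under the CA's Configuration key, e.g. KRACertCount or CRLPeriod.
    # certutil -getreg prints lines such as "  KRACertCount REG_DWORD = 1".
    param([string]$Name, [string]$Config = $null)
    $cmdArgs = @()
    if ($Config) { $cmdArgs += @('-config', $Config) }
    $cmdArgs += @('-getreg', "CA\$Name")
    $line = & certutil.exe @cmdArgs | Where-Object { $_ -match "\b$Name\b.*=" } | Select-Object -First 1
    if ($line -match '=\s*(\S+)') { return $Matches[1] }
    return $null
}

function Get-IssuedCertSummary {
    # Lists every issued certificate (Disposition 20) with its expiry and whether the
    # CA database holds an archived copy of its private key (non-empty KRA hashes).
    param([string]$Config = $null)
    $cmdArgs = @('-view')
    if ($Config) { $cmdArgs += @('-config', $Config) }
    $cmdArgs += @('-restrict', 'Disposition=20',
                  '-out', 'RequestID,RequesterName,NotAfter,CertificateTemplate,KeyRecoveryHashes')
    $text = & certutil.exe @cmdArgs | Out-String

    $rows = @()
    # certutil prints one "Row N:" block per record, one "  Label: value" line per column.
    foreach ($chunk in (($text -split '(?m)^Row \d+:') | Select-Object -Skip 1)) {
        $row = @{}
        foreach ($line in ($chunk -split "`r?`n")) {
            if ($line -match '^\s*([^:]+):\s*(.*)$') { $row[$Matches[1].Trim()] = $Matches[2].Trim() }
        }
        if (-not $row['Request ID']) { continue }
        $kra = $row['Key Recovery Agent Hashes']
        $rows += New-Object PSObject -Property @{
            RequestId   = $row['Request ID']
            Requester   = $row['Requester Name']
            Template    = ($row['Certificate Template'] -replace '"', '')
            NotAfter    = [datetime]::Parse($row['Certificate Expiration Date'])
            KeyArchived = [bool]($kra -and $kra -ne 'EMPTY')   # certutil prints EMPTY for a null column
        }
    }
    return $rows
}

function Show-CaDecommissionFacts {
    param([string]$Config = $null)
    $certs    = @(Get-IssuedCertSummary -Config $Config)
    $archived = @($certs | Where-Object { $_.KeyArchived })
    $latest   = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1

    "Issued certificates in DB : {0}" -f $certs.Count
    "With archived private key : {0}" -f $archived.Count
    "KRA certificates configured: {0}" -f (Get-CaRegValue 'KRACertCount' -Config $Config)
    if ($latest) {
        # The old CA must stay online (or at least keep publishing CRLs) until this date.
        "Latest expiry on this CA  : {0:yyyy-MM-dd} (template {1})" -f $latest.NotAfter, $latest.Template
    }
    "Base CRL period           : {0} {1}" -f (Get-CaRegValue 'CRLPeriodUnits' -Config $Config),
                                            (Get-CaRegValue 'CRLPeriod' -Config $Config)

    if ($archived.Count -gt 0) {
        "Archived keys by template (these can only be recovered from this CA's database plus the KRA keys):"
        $archived | Group-Object Template | ForEach-Object { "  {0,-30} {1}" -f $_.Name, $_.Count }
    }
    # Templates still offered by this CA; stop new issuance with: certutil -SetCATemplates -<TemplateName>
    "Templates currently published on this CA:"
    & certutil.exe -CATemplates
}

Show-CaDecommissionFacts
```

If "With archived private key" is non-zero (EFS is the usual source), the old CA's database and KRA key material must be kept restorable for as long as those keys might need recovery, whatever topology the new PKI takes; if it is zero, the rebuild Hasain describes only has to keep the old root publishing CRLs until the "Latest expiry" date has passed.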

Forgive me, Brian, I'm not sure how to check this. I do have a number of certificates issued for EFS. I think all indications, and Hasain's advice below, point toward less of a migration and more of a rebuild for our PKI. If that's the case, is it just a matter of building the new PKI and removing all of the templates from the existing server? Then I guess it's either wait for the existing certs to expire or arrange revocation?
July 2nd, 2012 4:13pm

Thanks very much, Hasain. I suspect you're right that I'd be better off with a clean new topology and letting the old one die off.
July 2nd, 2012 4:15pm