Consolidating PKI infrastructure
Hi! The infrastructure goes like this:

- 1 root CA - offline, non-MS; let's call it ROOTCA
- 2 first-level subordinate CAs - one offline (policy subordinate, let's call it POLICYCA) and the other one online (SUBCA) with "Secure email" and "Digital signing" templates published and used by the users for encrypting and digitally signing emails. Both Windows 2003, MS Certificate Services.
- 1 second-level subordinate CA - online (issuing subordinate - ISSUECA) with published templates for web servers, VPN, etc. Windows 2003, MS Certificate Services.

I would like to transfer the "Secure email" and "Digital signing" features from SUBCA to ISSUECA and decommission SUBCA. What will happen to messages signed and encrypted with certificates issued by that decommissioned CA (SUBCA)? They are all using ROOTCA as their root CA :)

The organization is Exchange 2007 with one Exchange 2003 which is due to be uninstalled as we speak, a leftover from a transition which was over half a year ago...
September 20th, 2010 7:38am

It depends on how you decommission SUBCA:

1) Keep it running to publish CRLs and to be available for key recovery, but not to issue certificates = it will still work, and you can recover archived encryption keys.
2) Quit issuing certificates and turn it off - the signing certificates will fail validity checks if the client enables CRL checking (cannot determine revocation status). All archived keys are gone, as you decommissioned the CA.

You can do a variation on 2 where:
- You replace all issued signing and encryption certificates with new certificates issued by ISSUECA
- You recover all encrypted encryption certificates from SUBCA to PFX files
- You enable foreign key import on ISSUECA
- You import the PFX files into ISSUECA

This will allow you to decommission SUBCA, still recover all encrypted encryption certificates, and allow CRL checking for all new emails.

Remember that CRL checking is performed during:
- The verification of a signature (at any time)
- Encryption of an email at transmission time

It is not performed when you decrypt a message.

Brian
September 20th, 2010 11:20pm
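The "variation on 2" above, carried out with certutil, as an added example that is not part of the thread and not code from either poster. It assumes key archival was configured on SUBCA with a Key Recovery Agent (KRA) whose private key is available on the machine running step 3; the CA config strings, the working folder, the sample serial number and the path of the test certificate are placeholders, and the `RawArchivedKey` column name is taken from the CA database schema (confirm it with `certutil -schema`). Each step is run in an elevated prompt on the machine named in its comment.

```powershell
# Added example: migrate SUBCA's archived encryption keys to ISSUECA with certutil,
# then confirm the result. Names and paths below are assumptions, not values from the thread.

$SubCA   = 'subca.example.internal\SUBCA'      # assumed config string of the CA being decommissioned
$IssueCA = 'issueca.example.internal\ISSUECA'  # assumed config string of the target CA
$Work    = 'C:\keymigration'                   # assumed working folder; it will hold private keys, so restrict its ACL
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. On SUBCA: list issued certificates (Disposition 20) together with the archived-key column,
#    so you know which requests carry a private key that must be recovered before shutdown.
certutil -config $SubCA -view -restrict "Disposition=20" -out "RequestID,SerialNumber,RequesterName,RawArchivedKey"

# 2. On SUBCA: export the recovery blob for one certificate. The search token may be a serial
#    number, a certificate hash or a requester name; a placeholder serial number is used here.
$Serial = '1a2b3c4d000000000007'   # placeholder taken from the step 1 listing
certutil -config $SubCA -getkey $Serial "$Work\$Serial.blob"

# 3. On the machine holding the KRA private key: decrypt the blob into a PFX.
#    certutil prompts for the password that will protect the PFX.
certutil -recoverkey "$Work\$Serial.blob" "$Work\$Serial.pfx"

# 4. On ISSUECA: enable import of keys that were issued by another CA, then restart the service.
certutil -config $IssueCA -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN
net stop certsvc; net start certsvc

# 5. On ISSUECA: import the PFX into the CA database so the key can be recovered from ISSUECA later.
certutil -config $IssueCA -f -ImportKMS "$Work\$Serial.pfx"

# 6. Checks:
#    a) the request now exists on ISSUECA with an archived key;
#    b) a signing certificate issued by SUBCA still chains and its revocation status can still be
#       determined (-urlfetch downloads the CRL), which is exactly what fails once SUBCA's CRL
#       distribution point is no longer reachable.
certutil -config $IssueCA -view -restrict "SerialNumber=$Serial" -out "RequestID,SerialNumber,RawArchivedKey"
certutil -verify -urlfetch "$Work\user-signing-cert.cer"   # assumed path to a certificate issued by SUBCA

# 7. Remove the recovery material once the import is confirmed; both files contain private keys.
Remove-Item "$Work\$Serial.blob", "$Work\$Serial.pfx" -Force
```

Steps 2, 3 and 5 are repeated per archived key; the listing from step 1 is the worklist. Step 6b is the same check the mail client performs when it verifies a signature, so running it against a SUBCA-issued certificate after SUBCA is turned off shows directly whether CRL checking will break for old signed mail, while decryption of already-received mail is unaffected as Brian notes.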
