Dual PKI
Tomorrow night, I will be starting the process that I have been dreading: building a PKI in parallel to an existing one, and after all certificates are issued from the new sub CAs, I will decommission the two old sub CAs and the root CA.
Here is the plan:
Build an offline root CA and do not join to the domain (modify capolicy.inf)
Install certificate services on root CA
Install certificate services on 2008 R2 member server and import certificate from root CA (do I need to create a custom template, or will the subordinate certification authority work?)
Install certificate services on second 2008 R2 member server and import certificates from root CA
Turn off root CA
Create templates for issuing CAs.
Begin issuing certificates from new Sub CAs
Decommission the CAs from old PKI environment with the following instructions
http://support.microsoft.com/kb/889250
Our organization is small and I can probably touch every computer if need be...
But will the above process work?
Please advise
June 16th, 2011 1:58am
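The plan above, steps 4 through 7, carried through as an added example (not the poster's own script). It assumes a standalone, workgroup root CA on Server 2008 R2 or later whose role is added through Server Manager (the ADCS deployment cmdlets only exist from Server 2012 on), two enterprise subordinate CAs on the 2008 R2 member servers, and placeholder names: the root host ROOTCA, CA name "Example Root CA", issuing CA "Example Issuing CA 1", a transfer folder C:\transfer, and an HTTP server at http://pki.example.com that domain members can reach. On a standalone root there are no certificate templates at all, so the sub CA request is approved by its request ID rather than through the Subordinate Certification Authority template.

```powershell
# Added example, not from the original post. Placeholders: ROOTCA, "Example Root CA",
# "Example Issuing CA 1", C:\transfer, http://pki.example.com. Standalone root, enterprise subs.

### Part 1: on the future root, BEFORE adding the CA role ###
# %windir%\CAPolicy.inf is read exactly once, when the CA is created. A 20-year, 4096-bit root with
# a 26-week CRL; LoadDefaultTemplates=0 is harmless on a standalone root but stops an enterprise CA
# from auto-enabling templates if this file is reused there.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0

[PolicyStatementExtension]
Policies=AllIssuancePolicy

[AllIssuancePolicy]
OID=2.5.29.32.0
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding ASCII
# Now add the role in Server Manager: Standalone Root CA, new 4096-bit key, SHA256, not domain-joined.

### Part 2: on the root, AFTER the role is installed ###
# Clients never see the offline root, so the CDP/AIA URLs baked into the sub CA certificates must be
# locations you publish to by hand. Flag 1 = write the file locally, 2 = include in the extension.
# certutil treats a literal \n as the separator between URL entries.
$enroll = "$env:windir\system32\CertSrv\CertEnroll"
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapPeriodUnits 2          # grace window so a late manual CRL publish does not break clients
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\ValidityPeriodUnits 10           # lifetime of the sub CA certificates this root issues
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\CRLPublicationURLs "1:$enroll\%3%8%9.crl\n2:http://pki.example.com/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$enroll\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt"
certutil -setreg CA\AuditFilter 127                  # audit every CA event on a box nobody watches daily
Restart-Service certsvc
certutil -crl                                        # first CRL; copy the .crl and .crt from CertEnroll to the web server

### Part 3: on the root, issue a sub CA certificate ###
# The Add Roles wizard on the member server (Enterprise Subordinate CA, "Save a certificate request
# to file") produced the .req; carry it over on removable media. No template is involved here.
$config    = 'ROOTCA\Example Root CA'
$submit    = certreq -submit -config $config 'C:\transfer\IssuingCA1.req'
$requestId = [int](($submit | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value)
certutil -config $config -resubmit $requestId        # approve the pending request
certreq -retrieve -config $config $requestId 'C:\transfer\IssuingCA1.cer'

### Part 4: on the sub CA, install the issued certificate ###
certutil -addstore -f Root 'C:\transfer\ExampleRootCA.crt'   # local trust so the chain builds right now
certutil -installcert 'C:\transfer\IssuingCA1.cer'
Start-Service certsvc
# The online issuing CA publishes to AD and its own CertEnroll automatically; keep its CRL short.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
Restart-Service certsvc
certutil -crl
# Check before issuing anything: the full chain must build and every AIA/CDP URL must be fetchable.
certutil -verify -urlfetch 'C:\transfer\IssuingCA1.cer'
```

The `-urlfetch` check at the end is the one worth not skipping: if the HTTP CDP/AIA files for the root are not actually hosted yet, certificates from the new sub CAs will fail revocation checking on clients even though they were issued correctly. Repeat Part 3 for the second member server's request.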
Your plan should work just fine.
Do not forget to add the new root CA certificate as a trusted root in your AD (using GPO or certutil).
/Hasain
July 3rd, 2011 4:56am
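Hasain's point about trusting the new root, as an added example (not part of the thread): publishing the root certificate and CRL into Active Directory with certutil, with the GPO route noted as the alternative, and a check that a workstation actually picked the root up. It assumes you run it on a domain-joined machine as a member of Enterprise Admins, that the root's certificate and CRL were copied off the offline root as C:\transfer\ExampleRootCA.crt and .crl, that the root host is named ROOTCA, and that C:\transfer\test-user.cer is any certificate issued by one of the new sub CAs.

```powershell
# Added example, not from the original thread. Placeholders: C:\transfer\ExampleRootCA.crt/.crl,
# ROOTCA (root host name), "Example Root CA", C:\transfer\test-user.cer. Requires Enterprise Admins.
$rootCert = 'C:\transfer\ExampleRootCA.crt'
$rootCrl  = 'C:\transfer\ExampleRootCA.crl'

# 1. Publish the root certificate into the Configuration partition. The RootCA target writes it to
#    both the Certification Authorities and the AIA containers under CN=Public Key Services; domain
#    members import it into the machine Trusted Root store on the next autoenrollment/GP refresh.
#    -f overwrites an existing object of the same name.
certutil -dspublish -f $rootCert RootCA

# 2. Publish the root's CRL to the CDP container. The offline root has no LDAP CDP of its own, so the
#    CA host name is given explicitly as the container. Repeat this every time the root publishes a
#    new CRL (before the CRLPeriod set on the root runs out).
certutil -dspublish -f $rootCrl ROOTCA

# 3. GPO alternative or complement: import the .crt into a GPO linked at the domain root under
#    Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies >
#    Trusted Root Certification Authorities. Covers machines that do not pick up AD-published roots.

# 4. Verify on a workstation after a policy refresh: the root must be in the machine Root store, and
#    a certificate from the new issuing CA must chain and pass revocation checking end to end.
gpupdate /force | Out-Null
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like '*CN=Example Root CA*' }
if (-not $root) {
    Write-Warning 'Root not in the machine Trusted Root store yet; check GPO/autoenrollment.'
} else {
    "Trusted root present, thumbprint $($root.Thumbprint)"
}
certutil -verify -urlfetch 'C:\transfer\test-user.cer'
```

Do this before the old CAs are touched: once the new root is trusted everywhere and `-urlfetch` passes from an ordinary workstation, the old hierarchy can be retired without a window in which clients trust neither chain.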