Dual PKI
Tomorrow night, I will be starting the process that I have been dreading... building a PKI in parallel to an existing one, and after all certificates are issued from the new sub CAs, I will decommission the two old sub CAs and the root CA. Here is the plan:

1. Build an offline root CA and do not join to the domain (modify capolicy.inf)
2. Install certificate services on root CA
3. Install certificate services on 2008 R2 member server and import certificate from root CA (do I need to create a custom template or will the subordinate certification authority work?)
4. Install certificate services on second 2008 R2 member server and import certificates from root CA
5. Turn off root CA
6. Create templates for issuing CAs.
7. Begin issuing certificates from new sub CAs
8. Decommission the CAs from old PKI environment with the following instructions: http://support.microsoft.com/kb/889250

Our organization is small and I can probably touch every computer if need be... But will the above process work? Please advise.
June 16th, 2011 1:58am

Your plan should work just fine. Do not forget to add the new root CA certificate as a trusted root in your AD (using GPO or certutil).
/Hasain
July 3rd, 2011 4:56am
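
One way to carry out the certutil route mentioned in the reply, as an added example that is not part of the original thread: check the exported root certificate against a thumbprint read directly from the offline root CA before publishing it to AD, then confirm a domain member has picked it up. The file path and the expected thumbprint are placeholders.

```powershell
# Added example. $certPath and $expectedThumbprint are placeholders (assumptions).
$certPath           = 'C:\pki\NewRootCA.cer'   # hypothetical path; file carried over from the offline root
$expectedThumbprint = '<thumbprint read from the offline root CA console>'

# Load the exported certificate (works with the PowerShell 2.0 shipped in 2008 R2).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# A root CA certificate is self-signed, so subject and issuer must be identical.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-signed: subject '$($cert.Subject)', issuer '$($cert.Issuer)'"
}

# Compare against the thumbprint obtained out of band, so a file swapped
# in transit from the offline machine is never trusted domain-wide.
$normalized = $expectedThumbprint.Replace(' ', '').ToUpper()
if ($cert.Thumbprint -ne $normalized) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# Publish to the forest Configuration partition as a trusted root.
# Needs write access there (Enterprise Admins by default).
certutil -f -dspublish $certPath RootCA
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

# On a domain member: refresh computer policy, then confirm the root arrived.
gpupdate /target:computer /force | Out-Null
$found = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

if ($found) {
    Write-Output "New root is trusted on this machine: $($found.Subject)"
} else {
    Write-Warning "New root not in LocalMachine\Root yet; allow for AD replication and retry."
}
```

Run the last section on a sample of clients before issuing from the new sub CAs, and again before decommissioning the old root, so no machine is left trusting only the old chain.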
