Dual PKI Environments possible?
Hello,

My organization currently has an existing PKI environment that needs to be updated/migrated to new Windows hardware/software as well as new HSMs. Unfortunately the admin cards for the existing HSMs do not work, which prevents us from upgrading the existing PKI environment. From what I have read, a loss of HSM admin cards typically would mean completely rebuilding the environment. In hopes of avoiding this, and the revocation of hundreds of certs at once, I was wanting to see if it is possible to run two PKI environments in parallel at the same time. My plan would be to keep the existing environment running, while implementing a new environment (new hardware/software/HSMs). I would issue all certs from the new environment, and maintain the existing one until all certs are revoked or expired. Has anyone heard of or attempted this type of scenario, and if so would Active Directory be able to recognize two environments at once?

Any info would be appreciated.

Thanks,
Patrick
February 17th, 2010 9:29pm

This is definitely the best way to go. Just ensure that no future certificates are issued from the legacy PKI.

Your only risk is the failure of an HSM, since you cannot load the security world into a replacement HSM without a quorum of ACS cards.

May I recommend that your next build use the following formula for calculating the number of ACS cards: n >= 3*k + 1. For example, if you want to use 2 cards as the quorum, you want to have at least 7 cards in the total ACS card set. You can then take two of the cards and send them offsite (with PINs in tamper-evident envelopes) so that you can recover the ACS at a later date if PINs are forgotten, etc.

Also, review your PIN policy and management of the ACS, since the current policies obviously did not work.

Brian
February 17th, 2010 10:13pm
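The parallel-PKI plan above needs two things tracked until the legacy CA can be switched off: whether the legacy CA has really stopped issuing after the cutover, and how long it must keep publishing CRLs for the certificates it already issued. The following Python script is an added example, not code from the thread or from any vendor; it works over a constructed certificate inventory (hypothetical issuer names, serials and dates, in the shape you would get after reducing a `certutil -view` export to issuer/subject/validity/revocation) and also applies Brian's ACS card formula.

```python
from datetime import datetime, timezone


def _ts(day):
    """Parse a YYYY-MM-DD date into an aware UTC datetime (helper for the constructed sample)."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


# Hypothetical issuer names and dates; constructed for this example only.
LEGACY_CA = "CN=Legacy Issuing CA, DC=example, DC=com"
NEW_CA = "CN=New Issuing CA, DC=example, DC=com"
CUTOVER = _ts("2010-03-01")   # date after which the legacy CA must issue nothing
NOW = _ts("2010-04-01")       # evaluation time used by the sample run

# Constructed inventory: one record per certificate from both CA databases.
SAMPLE_CERTS = [
    {"serial": "1001", "issuer": LEGACY_CA, "subject": "web01",
     "not_before": _ts("2009-06-01"), "not_after": _ts("2011-06-01"), "revoked": False},
    {"serial": "1002", "issuer": LEGACY_CA, "subject": "web02",
     "not_before": _ts("2008-01-15"), "not_after": _ts("2010-01-15"), "revoked": False},  # expired
    {"serial": "1003", "issuer": LEGACY_CA, "subject": "user03",
     "not_before": _ts("2009-09-01"), "not_after": _ts("2012-09-01"), "revoked": True},   # revoked
    {"serial": "1004", "issuer": LEGACY_CA, "subject": "vpn04",
     "not_before": _ts("2010-03-05"), "not_after": _ts("2012-03-05"), "revoked": False},  # issued after cutover
    {"serial": "1005", "issuer": NEW_CA, "subject": "web01",
     "not_before": _ts("2010-03-02"), "not_after": _ts("2012-03-02"), "revoked": False},
]


def outstanding_legacy_certs(certs, legacy_issuer, now):
    """Certificates the legacy CA still has to support: issued by it, not revoked, not yet expired."""
    return [c for c in certs
            if c["issuer"] == legacy_issuer and not c["revoked"] and c["not_after"] > now]


def legacy_retirement_date(certs, legacy_issuer, now):
    """Earliest time the legacy CA (and its CRL publishing) can be decommissioned:
    the latest NotAfter among still-valid legacy certificates, or `now` if none remain."""
    live = outstanding_legacy_certs(certs, legacy_issuer, now)
    return max(c["not_after"] for c in live) if live else now


def issued_after_cutover(certs, legacy_issuer, cutover):
    """Policy check for 'no future certificates from the legacy PKI':
    any legacy-issued certificate whose NotBefore is on or after the cutover is a violation."""
    return [c for c in certs if c["issuer"] == legacy_issuer and c["not_before"] >= cutover]


def min_acs_cards(quorum):
    """Brian's sizing rule for the ACS card set: n >= 3*k + 1 for a quorum of k cards."""
    return 3 * quorum + 1


if __name__ == "__main__":
    live = outstanding_legacy_certs(SAMPLE_CERTS, LEGACY_CA, NOW)
    print(f"{len(live)} legacy certificate(s) still valid; legacy CA can be retired after "
          f"{legacy_retirement_date(SAMPLE_CERTS, LEGACY_CA, NOW).date()}")
    for c in issued_after_cutover(SAMPLE_CERTS, LEGACY_CA, CUTOVER):
        print(f"VIOLATION: legacy CA issued serial {c['serial']} ({c['subject']}) "
              f"on {c['not_before'].date()}, after cutover {CUTOVER.date()}")
    print(f"quorum of 2 ACS cards needs a card set of at least {min_acs_cards(2)}")
```

Run periodically against a fresh export, the violation list is the alarm that the legacy CA was not actually frozen, and the retirement date tells you how long the old HSM (the one you cannot replace without an ACS quorum) must stay healthy; the legacy CA must keep publishing CRLs until that date even though it issues nothing.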
