Enterprise Root CA
Hi, I was wondering if it's possible to have 2 Enterprise Certificate Authorities set up on the one domain. I have already implemented an enterprise root CA, using a Microsoft script, to issue server certificates for our IAS servers. It was a very simple special purpose CA that formed part of a Microsoft solution for securing wireless LANs with PEAP. This works and I don't really want to touch it. However, we now need to implement a more general purpose PKI solution - could we simply install another enterprise root CA in our domain? We have a single forest with a single domain. Thanks for any help, Martin
February 11th, 2008 4:25pm

I have run into a number of clients that have done this accidentally, so I would say that it can be done. However, having said that, I would say that you should expand the functionality of the original CA to include this new set of technical requirements or create a master PKI and then roll the old functionality into the new infrastructure. Managing two sets of CRLs and two CAs is going to be an increasing administrative difficulty. Also, you should have an offline root for each of these CAs - managing multiple offline CA roots is also going to be an increasing cost. I would work very hard in the short term to save yourself all kinds of difficulty in the long term.
February 12th, 2008 10:35pm
