How to Remove a Stand-Alone Root CA from a Certificate Services Hierarchy
I have a Windows Server 2003 R2 Certificate Services hierarchy which is headed up with an Offline Root CA which has an Enterprise Issuing CA underneath. Changes in requirements mean that the Offline Root is no longer required, so I need some advice on how to decommission this from the environment so that I'm just left with a single Enterprise CA doing everything. Does anyone know the required steps to accomplish this? I've read through the articles below, but I was concerned that they both refer to Enterprise CAs, whereas my Root CA is a Stand-Alone Offline Root CA (i.e. not integrated with AD), and I wasn't sure if the process would differ because of this.

http://support.microsoft.com/kb/889250
http://support.microsoft.com/kb/555151

I was hoping that the process would be much easier given that it wasn't an Enterprise CA, but really I'm just after a way of getting it done that won't stop all my certs from functioning!

Jonathan Conway | MCSE MCP MCTS VCP
November 14th, 2010 8:12am

I would not advise doing this. Root CA maintenance doesn't take too much time, so I don't see any advantage in changing an offline Root CA to an online Root CA (and standalone to enterprise). On the other hand, this is not a trivial migration.

http://en-us.sysadmins.lv
November 14th, 2010 8:39am

Unfortunately for me the server is going to be decommissioned - I don't really want to replace the CA, I just want to remove it from the environment. The problem I have is that the certs that it has issued (such as the subordinate issuing CA underneath it) will probably stop working, as the CRL etc. will be unavailable once the server is decommissioned. I guess what I want to do is make my Subordinate CA the new Root CA in the environment - trying to get the best/easiest way to do this.

Jonathan Conway | MCSE MCP MCTS VCP
November 16th, 2010 9:13am

It is not possible to convert a Subordinate CA to a Root CA. You will have to rebuild your PKI from scratch. The only way is to convert from Standalone Root to Enterprise Root (move your Root CA from workgroup to domain member server).

http://en-us.sysadmins.lv
November 16th, 2010 9:45am

OK - to work around this issue, is it possible to add a new CDP for the Root server and then somehow have this added to the subordinate CAs? The reason I need to do this is that when my predecessor built the Root CA he left the default CDPs and did not add any others - this causes a problem, as the Root CA was designed to be taken offline. If we do this currently, none of the Issuing CAs underneath the Root are able to retrieve the CRL from the CDP, as they are only published locally for the Root CA to check its own certs. If I can add a CDP to the Root and then have that added to the certs issued by it beneath, then I will be able to achieve my goal of taking the Root CA offline. If I did this and then re-issued the subordinate CAs' certificates, would this then include the new CDPs? Presumably if this worked then I would also need to reissue all the computer certificates that the Issuing/Subordinate CAs have distributed to my clients...

Jonathan Conway | MCSE MCP MCTS VCP
November 19th, 2010 7:45am

> If I did this and then re-issued the subordinate CAs' certificates, would this then include the new CDPs?

No. This is because only the SubCA certificate has knowledge about the Root CDP/AIA URLs (not the certificates issued by the SubCA). Therefore, if you change something on the Root CA you will have to reissue all certificates to SubCAs. Now SubCAs will chain up to the correct Root certificate. However, leaf certificates will still chain up to the previous root. Therefore you will have to reissue all client certificates as well.

http://en-us.sysadmins.lv
November 23rd, 2010 4:27am
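The point in the reply above (the Root's CDP/AIA URLs live only in the SubCA certificate, while leaf certificates carry the SubCA's URLs) can be confirmed on any Windows box with certutil. This is an added check, not part of the thread; it assumes the subordinate CA certificate has been exported to .\subca.cer and one end-entity certificate it issued to .\leaf.cer (both file names are placeholders).

```powershell
# Added check (not from the thread): show which certificate carries which
# CDP/AIA URLs. Assumes .\subca.cer (the SubCA's own certificate, issued by
# the Root) and .\leaf.cer (a certificate issued by the SubCA) exist; both
# names are placeholders.

foreach ($cert in 'subca.cer', 'leaf.cer') {
    Write-Host "==== $cert ===="
    # certutil -dump prints every extension; keep only the CDP/AIA headings
    # and the URL= lines under them. Expect the Root's URLs in subca.cer and
    # only the SubCA's URLs in leaf.cer.
    certutil -dump $cert |
        Select-String -Pattern 'CRL Distribution Point', 'Authority Information Access', 'URL='
}

# Build the full chain for the leaf and try to fetch every CDP/AIA URL in it.
# A "Failed" line against the Root's CDP is the symptom described in the
# thread: the Root's CRL is only published locally, so nothing else can fetch it.
certutil -verify -urlfetch leaf.cer |
    Select-String -Pattern 'URL', 'Verified', 'Failed', 'Revocation'
```

Run the check again after the SubCA certificate has been renewed: subca.cer should then list the new HTTP URL, and the -urlfetch run should report the Root's CRL as retrieved rather than failed.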

So it looks like I need to do the following:

1. Add CDP/AIA to Offline Root CA
2. Renew Subordinate Enterprise CA Certificate
3. Renew all certificates issued by the Subordinate Enterprise CA

As far as I can tell this should then give me what I require - all issued certificates will be able to use the new CDP and AIA to check CRL etc., as they will now have this new location as part of their certificates.

Jonathan Conway | MCSE MCP MCTS VCP
November 28th, 2010 3:06pm
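The three steps above as certutil commands, added here as an example and not taken from the thread. Every host name, CA name, path and file name below (pki.example.com, ROOTHOST, "Root CA Name", subca.req, subca.cer, new-leaf.cer) is a placeholder; the flag numbers and %-macros are the ones certutil itself uses for CRLPublicationURLs and CACertPublicationURLs.

```powershell
# Added example (not from the thread): steps 1-3 with certutil.
# All host names, CA names and file names are placeholders.

# ---- Step 1: on the OFFLINE ROOT CA, add an HTTP CDP and AIA ----
# Show the current values first; a default install has only the local
# CertEnroll path, which is exactly the problem described in the thread.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Flags: 1 = publish to this location, 2 = include in the extension of
# certificates the CA issues. Keep the local path (1) so the Root keeps
# writing to its own CertEnroll folder, and add the HTTP URL (2) so newly
# issued certificates point clients at it. certutil takes a literal "\n" as
# the separator between entries of these REG_MULTI_SZ values.
# Macros: %3 = CA name, %8 = CRL suffix, %9 = delta CRL suffix,
#         %1 = server DNS name, %4 = certificate renewal suffix.
certutil -setreg CA\CRLPublicationURLs '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/CertEnroll/%3%8%9.crl'
certutil -setreg CA\CACertPublicationURLs '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt'

# Restart the service so the new settings are read, then publish a fresh CRL.
net stop certsvc; net start certsvc
certutil -crl

# Copy the Root's .crl and .crt from CertEnroll to the web server behind
# http://pki.example.com/CertEnroll/ (by removable media, since the Root is
# offline). The CRL copy must be repeated before every CRL expiry for as
# long as the hierarchy lives, or chain building will fail again.

# ---- Step 2: on the SUBORDINATE (Enterprise) CA, renew its certificate ----
# Creates a renewal request (the MMC "Renew CA Certificate" task does the
# same). ReuseKeys keeps the existing key pair, so the SubCA's signing key
# does not change; only the certificate (and its Root CDP/AIA URLs) does.
certutil -renewCert ReuseKeys

# Take the request file to the Root, submit and issue it there:
#   certreq -submit -config "ROOTHOST\Root CA Name" subca.req subca.cer
# then bring subca.cer back and install it on the SubCA:
certutil -installCert subca.cer
net stop certsvc; net start certsvc

# ---- Step 3: re-issue end-entity certificates ----
# How depends on how they were enrolled (autoenrollment templates or manual
# requests). After re-enrolment, confirm a new leaf certificate chains and
# that every CDP/AIA URL in the chain, including the Root's new one, resolves.
certutil -verify -urlfetch new-leaf.cer
```

The verify at the end is the acceptance test for the whole change: if the Root's HTTP CDP is not reachable from the machine running it, the chain will still fail revocation checking exactly as it did before, regardless of how many certificates were renewed.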

Yes, this is correct.

http://en-us.sysadmins.lv
November 28th, 2010 3:27pm

Many thanks for your help Vadims - much appreciated.

Jonathan Conway | MCSE MCP MCTS VCP
November 28th, 2010 3:49pm
