Migrating 2003 certificate services to 2012

What is the best way to migrate from 2003 certificate services to a 2012 version? We have run into the issue of not being able to produce a SHA256 template in 2003. Is there a way to bring a 2012 subordinate into the infrastructure to issue the SHA2 template?

What we were thinking:

1) Bring up a 2012 root CA

2) Bring up the subordinate 2012 CAs

3) Begin issuing from the 2012 infrastructure.  Require the users to replace the 2003 certs on the 2012 infrastructure or let them expire.  Or is there a way to migrate the 2003 certs over to the 2012 infrastructure?  Pointing the 2003 subordinates to the 2012 root?

DCs are 2008 R2

Thanks in advance.  New to the Microsoft CA services and now thrown in to get things working.

April 21st, 2015 3:03pm

Travis,

Here are Active Directory Certificate Services Migration Guide

General Information for you on the CA service.

This should get you moving in the right direction.

April 21st, 2015 3:33pm

Hi,

"Or is there a way to migrate the 2003 certs over to the 2012 infrastructure?"

We can migrate existing certificates via certificate services migration.

Active Directory Certificate Services Migration Guide

https://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx

"Pointing the 2003 subordinates to the 2012 root?"

This is not possible. In addition, the hash algorithm should be consistent within one PKI.

Best Regards,

May 3rd, 2015 10:34pm
