Multiple PKIs in a single domain / PKI Migration Issues
Hello all. I'm currently in an environment where a 2003 PKI infrastructure was previously installed on one of the DCs to provide services for Microsoft Config Manager. This was a very basic install, even with the default naming scheme of RootCA.

My issue is this: I now want to set up a 2008 PKI design following the best-practice white papers, with the two-tier design, in a VMware environment. First off, are there potential issues with running this infrastructure in the same domain as the RootCA site? Both would be providing services, the old one for Config Manager only and the new one for everything else.

Secondly, I'm really looking for some type of road map, guide, or helpful hints on eventually migrating Config Manager to the new one, keeping in mind that all of the clients have the old certificate installed and presumably the new one as well.

Thank you,
Raun
March 31st, 2010 6:06pm

It is possible to run multiple PKIs within a single AD forest without any issues. The migration is certainly a complex question, so I would advise contacting consulting services. Just some advice from me: the easiest way for you is to lock down your old CA (remove all issuing certificate templates from the CA and just maintain CRLs) and configure your ConfigMgr templates on the new CA. Note that the new root must be configured as a trusted root on all ConfigMgr clients. When the last certificate issued from the old CA has expired, you can decommission the old CA and the old root.

http://support.microsoft.com/kb/889250

http://www.sysadmins.lv
March 31st, 2010 6:21pm
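
The reply above ties decommissioning to the expiry of the last certificate the old CA issued. The following is an added example, not part of the original thread, that computes that date from a `certutil -view` CSV export. The function name `Get-OldCaRetirementDate`, the sample rows and the template names are constructed for illustration, and dates are assumed to parse under the current culture.

```powershell
# Added example (not from the thread). Finds the latest expiry among certificates
# that the old CA issued and that are still valid: the earliest safe retirement date.
function Get-OldCaRetirementDate {
    param(
        [string[]]$CsvLines,              # output of "certutil -view ... csv"
        [datetime]$Now = (Get-Date)
    )
    # Skip certutil's header row (its column names are localized) and use our own.
    $rows = $CsvLines | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestId, CommonName, NotAfter, Template
    $valid = foreach ($r in $rows) {
        $expiry = [datetime]::MinValue
        # Rows whose date does not parse (for example "EMPTY") are skipped, not guessed.
        if ([datetime]::TryParse($r.NotAfter, [ref]$expiry) -and $expiry -gt $Now) {
            [pscustomobject]@{
                RequestId = $r.RequestId; CommonName = $r.CommonName
                Template  = $r.Template;  NotAfter   = $expiry
            }
        }
    }
    [pscustomobject]@{
        StillValid          = @($valid).Count
        ByTemplate          = $valid | Group-Object Template | Select-Object Name, Count
        RetireNoEarlierThan = ($valid | Sort-Object NotAfter | Select-Object -Last 1).NotAfter
    }
}

# Constructed sample export (hypothetical hosts and template names).
$sample = @(
    '"Issued Request ID","Issued Common Name","Certificate Expiration Date","Certificate Template"'
    '12,"client01.example.test","2010-09-30 12:00","ConfigMgrClient"'
    '13,"client02.example.test","2011-02-14 08:30","ConfigMgrClient"'
    '14,"siteserver.example.test","2010-01-15 09:00","ConfigMgrServer"'   # already expired
    '15,"client03.example.test","EMPTY","ConfigMgrClient"'                # no usable date
)
Get-OldCaRetirementDate -CsvLines $sample -Now ([datetime]'2010-03-31')

# On the old CA itself (assumes it is the local CA). Disposition=20 selects issued,
# non-revoked certificates; revoked ones stay covered by the CRLs the CA keeps publishing.
# $live = certutil -view -restrict "Disposition=20" -out "RequestID,CommonName,NotAfter,CertificateTemplate" csv
# Get-OldCaRetirementDate -CsvLines $live
#
# To see what the old CA can still issue before locking it down:
# certutil -CATemplates
```

Run it again after the templates have been removed from the old CA: `StillValid` should only fall over time, and `ByTemplate` shows which ConfigMgr certificates still have to be reissued from the new CA.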

This topic is archived. No further replies will be accepted.
