New internal CA
I had an old internal enterprise CA1 that issued computer certificates and some domain controller certificates. Now I installed a brand new enterprise CA2 with a new key etc. I removed all certificate templates from CA1 and added them to CA2. Now I see clients getting new computer certificates from CA2, but the domain controllers are not trying to get new certificates. Am I, or is my domain, in danger when I turn off CA1? What are the best steps I can do now? I cannot use "Reenroll All Certificate Holders" because it's the Computer template.
August 22nd, 2012 12:14pm

It looks like the DC certificates are still valid. Once they become invalid, DCs should re-enroll certificates from the new CA.
My weblog: http://en-us.sysadmins.lv | PowerShell PKI Module: http://pspki.codeplex.com | Windows PKI reference: on TechNet wiki
August 22nd, 2012 1:16pm

OK, but the DC certificates are still valid for 1 year :) and we don't want to keep that CA1 role and server on that long :) Can I safely turn off CA1, and will the DCs then enroll for certificates from CA2?
August 22nd, 2012 1:19pm

I would recommend explicitly deleting the existing certificates from the DCs and running 'certutil -pulse' on them to immediately re-enroll certificates.
My weblog: http://en-us.sysadmins.lv | PowerShell PKI Module: http://pspki.codeplex.com | Windows PKI reference: on TechNet wiki
August 22nd, 2012 2:17pm

I have 2 DCs and did the following: I kept the old certificates and looked at which certificates (by certificate template) had been issued from the old CA. I then manually enrolled for the same types of certificates (from the certificate templates that the old CA had issued). So when I look in the computer cert store I now see:

Issued to   Issued by   Intended purposes                                                  Certificate template
server01    CA1         client authentication, server authentication                       Computer
server01    CA2         client authentication, server authentication                       Computer
server01    CA1         directory service email replication                                Directory Email Replication
server01    CA2         directory service email replication                                Directory Email Replication
server01    CA1         client authentication, server authentication, smart card logon     Domain Controller Authentication
server01    CA1         client authentication, server authentication, smart card logon     Domain Controller Authentication

So can I now safely delete the certs issued by CA1?
August 22nd, 2012 3:32pm
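A script that does the check in the post above programmatically, as an added example (not code from the thread or its posters): it inventories the DC's machine-store certificates by template and issuer and flags any template that still has no certificate from the new CA, which is the case to resolve before deleting anything. The CA names CN=CA1 / CN=CA2 and the Cert:\LocalMachine\My store are assumptions; adjust them for your environment.

```powershell
# Added example, not from the thread. Run on each DC in an elevated PowerShell session.
# Assumptions: the issuing CAs appear in the Issuer DN as CN=CA1 (old) and CN=CA2 (new).
$OldCa = 'CN=CA1'
$NewCa = 'CN=CA2'

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # V2 templates carry "Certificate Template Information" (1.3.6.1.4.1.311.21.7),
    # V1 templates carry "Certificate Template Name" (1.3.6.1.4.1.311.20.2).
    foreach ($oid in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) {
            # Format() yields e.g. "Template=Domain Controller Authentication(1.3.6...), Major Version Number=..."
            return (($ext.Format($false) -split ',')[0] -replace '^Template=', '' -replace '\(.*$', '').Trim()
        }
    }
    return '(no template)'
}

# Only certificates issued by either of the two enterprise CAs are relevant here.
$report = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match [regex]::Escape($OldCa) -or $_.Issuer -match [regex]::Escape($NewCa) } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = ($_.Issuer -split ',')[0]   # first RDN, e.g. CN=CA1
            Template   = Get-TemplateName $_
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
        }
    }

$report | Sort-Object Template, Issuer | Format-Table Subject, Issuer, Template, NotAfter -AutoSize

# A template with only old-CA certificates has no replacement yet: enroll from CA2 before removing anything.
$report | Group-Object Template | ForEach-Object {
    $fromNewCa = @($_.Group | Where-Object { $_.Issuer -eq $NewCa })
    if ($fromNewCa.Count -eq 0) {
        Write-Warning "Template '$($_.Name)': no certificate issued by $NewCa yet"
    }
}

# Only once every template has a CA2 counterpart: remove the CA1 certificates and trigger
# autoenrollment (the 'certutil -pulse' step from the thread). Left commented out on purpose.
# $report | Where-Object { $_.Issuer -eq $OldCa } |
#     ForEach-Object { Remove-Item "Cert:\LocalMachine\My\$($_.Thumbprint)" }
# certutil -pulse
```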

Can someone help me out: can I safely delete the certs issued by the old CA? Thanks in advance.
August 23rd, 2012 3:30pm

Really, no one who can help me out, or point me in a direction, as to whether I can safely delete those certs issued by the old CA on the domain controllers?
August 24th, 2012 4:08am

Please read my last post.
My weblog: http://en-us.sysadmins.lv | PowerShell PKI Module: http://pspki.codeplex.com | Windows PKI reference: on TechNet wiki
August 24th, 2012 10:05am
