ROOT CA Key renewal
Hi, I have a Standalone Root CA. I want to renew its key, but I want to use a different CSP. Is it possible at all? Because when I try to renew the CA's key, the same CSP is used every time and I have no choice to select a different one. I want such a change because I want to place my CA's private keys on the HSM, which uses a different CSP. Thanks.
May 7th, 2009 10:30am

Hi, Thank you for your post. We cannot change the CSP when we renew the CA certificate. To migrate the CA's private key to an HSM, you can refer to Brain's suggestions in the following thread: CA cert renewal and change CSP http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/bd7bf42e-b630-488b-ade5-5af5c7544759/ Hope it helps.
May 8th, 2009 1:01pm

As I can see this is not possible :( so sad. Then another question. My PKI hierarchy consists of this offline root CA and an online subordinate enterprise Windows 2003 CA. Can you give any recommendations and steps about migration to exactly the same CA hierarchy, which uses an HSM, in my domain? Is it possible to have two PKI hierarchies in the same single domain?
May 8th, 2009 4:18pm

Hi, Based on my understanding, you can temporarily have two PKI hierarchies in the same forest. As Brain mentioned, please remove all certificate templates from the old CAs for issuance, and only maintain CRLs. When all the certificates issued from the old CAs expire, we can then retire the old CA hierarchy.
May 12th, 2009 11:14am
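The two steps the reply above describes for the old CA (confirm which CSP the existing key is bound to, then take the old CA out of issuance while keeping its CRLs alive) can be scripted. The following is an added example, not code from this thread or from Microsoft; it assumes it is run elevated on the old Windows CA with certutil.exe available, and the `-RemoveTemplates` switch is a name invented here (without it the script only reports).

```powershell
# Added example (not part of the thread). Helper for retiring an OLD Windows CA that is
# being superseded by a new HSM-backed hierarchy:
#   1. show the CSP the CA's key is bound to (the value that CA certificate renewal cannot change),
#   2. list the templates the old CA still issues and, with -RemoveTemplates, remove them,
#   3. report certificates the old CA issued that have not yet expired (what keeps it alive),
#   4. publish a fresh CRL so revocation checking keeps working during the overlap.
# Assumes: run elevated on the old CA; certutil.exe present (Windows Server 2003 and later).
param(
    [switch]$RemoveTemplates   # hypothetical switch; omit it to only report
)

# --- 1. Which CSP holds the CA key? --------------------------------------------------
# The active CA name and its CSP settings live under the CertSvc configuration key.
$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgPath -Name Active).Active
$csp     = Get-ItemProperty -Path (Join-Path $cfgPath "$caName\CSP")

Write-Host "CA name       : $caName"
Write-Host "CSP provider  : $($csp.Provider)"
Write-Host "Provider type : $($csp.ProviderType)"
Write-Host "(The same values are shown by: certutil -getreg ca\CSP\Provider)"

# --- 2. Templates the old CA can still issue --------------------------------------------
# certutil -CATemplates prints one line per template: "<Name>: <Display name> -- <access>".
# The trailing "CertUtil: ... completed successfully." line is filtered out.
$templates = certutil -CATemplates |
    Where-Object { $_ -match '^(?<name>[^:\s]+):\s' -and $_ -notmatch '^CertUtil:' } |
    ForEach-Object { $Matches['name'] }

if ($templates) {
    Write-Host "`nTemplates still assigned to $caName :"
    $templates | ForEach-Object { Write-Host "  $_" }

    if ($RemoveTemplates) {
        foreach ($t in $templates) {
            # "-<TemplateName>" removes the template from the CA's issuance list.
            Write-Host "Removing template $t from $caName"
            certutil -SetCATemplates "-$t" | Out-Null
        }
    }
} else {
    Write-Host "`nNo templates assigned; $caName is no longer issuing from templates."
}

# --- 3. Issued certificates that have not expired yet -----------------------------------
# Disposition=20 is "issued"; NotAfter>now selects those still within their validity period.
# The CA cannot be retired until this list is empty (or the certificates are revoked/replaced).
$live = certutil -view -restrict "Disposition=20,NotAfter>now" `
                -out "RequestID,CommonName,NotAfter" csv
$liveCount = ($live | Where-Object { $_ -match '^"?\d+"?,' }).Count
Write-Host "`nUnexpired certificates issued by $caName : $liveCount"

# --- 4. Keep revocation working while the old hierarchy winds down ------------------------
# On an online (subordinate) CA this publishes a new CRL to the configured CDP locations.
# For an offline root, run this on the root itself and copy the .crl file to the CDP manually.
certutil -CRL | Out-Null
Write-Host "`nNew CRL published for $caName."
```

Run it once without the switch to see what the old CA still issues and how many of its certificates remain valid; run it with `-RemoveTemplates` only after the new HSM-backed hierarchy has been verified. Step 4 is what lets the old CA keep "only maintaining CRLs" for the remaining lifetime of its issued certificates, as the reply recommends.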

Hi, Just want to check if the suggestion has helped. Please feel free to let me know if there is anything further I can assist you with. Have a nice day.
May 15th, 2009 9:23am

Let me get it straight. I have a single forest, single domain. So if I install an additional PKI hierarchy in the same domain (standalone offline root CA and enterprise subordinate CA), will everything be OK with my domain? I do not want something to break in there because of the additional PKI hierarchy installation. I'll remove all templates from my old CA before doing any new installations. And if it is safe to install an additional PKI hierarchy in the same domain, can you give any steps and recommendations about decommissioning the old CA from my domain? Thanks.
May 22nd, 2009 9:14am

Hi, Thank you for your response. Yes, you can temporarily have two PKI hierarchies in the same forest. I also performed deep research and found that some HSM vendors have a tool for transferring an existing private key from a Root CA. Therefore, you can contact the HSM vendor to confirm if there is any better solution. If you are sure that the new CA hierarchy is working properly and the certificates issued by the old CA hierarchy are no longer used or have expired, you may decommission the old CA from the domain. To do so, you can refer to the following KB article: How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows Server 2000 http://support.microsoft.com/kb/889250 Thanks.
May 25th, 2009 6:33am

Hi Rimvydas, Have you tried to ask your HSM vendor? I know that Safenet has a tool that can change the CSP for an MS PKI server if you want to implement an HSM after the initial PKI implementation. Best Regards, Benjamin
May 26th, 2009 11:03am

I've changed the CSP from MS to Utimaco HSM CSP using instructions/tools from Utimaco. Br, Daniel
danielu@avanade
May 26th, 2009 2:30pm

Bendji, yes, I've tried to ask the vendor, but they were unable to help with the CSP change. They said that there is only one option: CA reinstall with the existing key. Daniel, can you elaborate on this in more detail? Because we have Utimaco HSMs too :)
June 4th, 2009 3:01pm
