Re-using root CA
I'd be interested in the forum's comments about the following: I was discussing the implementation of a new CA in a new forest with a customer who currently has a two-tier CA (offline root with Enterprise policy/issuing CA) in a single-domain forest that will be decommissioned later this year. The suggestion was put forward that we could simply re-use the existing root CA for the new CA hierarchy, effectively adding a new policy/issuing CA to the existing CA infrastructure. I can sort of see the merits of this, but it just feels 'wrong'! Can anyone offer an opinion on this approach?
Steve G
January 27th, 2010 1:01am

Here are the questions that I would ask:
1) Has the name of the company changed?
2) Have the certificate policies that they operate under for assurance levels changed?
3) Has the CPS under which they manage the CAs changed?
If there are no major changes, why not re-use the CA? I can see nothing wrong with it unless it was poorly managed or not managed as per the CPS.
Brian
January 27th, 2010 3:08am

Brian,
Thanks for the response. No names have been changed, so it's OK on that front. Neither the certificate policies nor the CPS have changed... there weren't any in the first place ;-)
Sounds like my best approach would be to validate the existing root CA, encourage the development of some policies and establish some guidelines around management of the CA infrastructure.
Steve G
January 27th, 2010 11:29am
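The "validate the existing root CA" step above is the part that decides whether re-use is safe, so here is an added pre-flight script for it (example code written for this page, not something posted in the thread). It checks the things that bite when a root is shared with a second forest: that the root is a genuine self-issued CA certificate whose basic constraints allow another subordinate, that it will outlive the planned issuing CA (ADCS truncates any certificate it issues to its own expiry date), that its signature and key are not weak, and, most importantly for a forest that is about to be decommissioned, that the CDP/AIA URLs the root stamps into the certificates it issues are not ldap:/// paths that only resolve in the old forest's Active Directory. The file paths `.\RootCA.cer` and `.\IssuingCA.cer` and the 5-year planned lifetime are assumptions; the existing issuing CA's certificate is used as the source of the root's CDP/AIA URLs because the root itself is offline.

```powershell
<#
  Added example, not from the original thread.
  Pre-flight checks on an existing offline root before hanging a new
  policy/issuing CA under it for a second forest.

  Assumptions (hypothetical, adjust to the environment):
    - the root CA certificate is exported to .\RootCA.cer
    - the current issuing CA certificate (signed by that root) is exported
      to .\IssuingCA.cer; its CDP/AIA extensions show the URLs the root
      writes into everything it issues
    - the planned lifetime of the new issuing CA is 5 years
#>
param(
    [string]$RootCertPath       = ".\RootCA.cer",
    [string]$IssuingCertPath    = ".\IssuingCA.cer",
    [int]   $SubCaLifetimeYears = 5
)

$root    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCertPath)
$issuing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($IssuingCertPath)
$findings = New-Object System.Collections.Generic.List[string]

# 1. The root must be self-issued and carry CA=TRUE with a path length that
#    still admits a subordinate (pathLen 0 would allow end-entity certs only).
if ($root.Subject -ne $root.Issuer) {
    $findings.Add("Subject '$($root.Subject)' does not match issuer; this is not a self-signed root.")
}
$bc = $root.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    $findings.Add("Root lacks a CA=TRUE basic constraint.")
} elseif ($bc.HasPathLengthConstraint -and $bc.PathLengthConstraint -lt 1) {
    $findings.Add("Root pathLenConstraint is $($bc.PathLengthConstraint); no subordinate CA can be issued under it.")
}

# 2. Remaining lifetime. ADCS never issues a certificate that expires after
#    the CA's own certificate, so a short-lived root silently shortens the
#    new issuing CA.
$neededUntil = (Get-Date).AddYears($SubCaLifetimeYears)
if ($root.NotAfter -lt $neededUntil) {
    $findings.Add("Root expires $($root.NotAfter.ToString('yyyy-MM-dd')); a $SubCaLifetimeYears-year issuing CA would be truncated to that date. Renew the root first.")
}

# 3. Signature and key strength of the root.
$sigAlg = $root.SignatureAlgorithm.FriendlyName
if ($sigAlg -match 'md5|sha1') {
    $findings.Add("Root is signed with $sigAlg; renew it with SHA-256 before extending the hierarchy.")
}
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($root)
if ($rsa -and $rsa.KeySize -lt 2048) {
    $findings.Add("Root RSA key is $($rsa.KeySize) bits; below 2048.")
}

# 4. CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) URLs as the root stamps
#    them into issued certificates. ldap:/// URLs resolve against the
#    configuration partition of the forest the client is joined to, so
#    clients in the new forest will not find CRLs published only in the old
#    forest, and that forest is going away.
$cdp = $issuing.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$aia = $issuing.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
foreach ($ext in @($cdp, $aia)) {
    if (-not $ext) { continue }
    $urls = [regex]::Matches($ext.Format($true), '(?i)(ldap|http|file)://\S+') |
        ForEach-Object { $_.Value }
    foreach ($u in $urls) {
        if ($u -match '^(?i)ldap:') {
            $findings.Add("$($ext.Oid.FriendlyName) uses $u, which lives in the old forest's AD; add an HTTP URL reachable from the new forest.")
        }
    }
    if (-not ($urls -match '^(?i)http:')) {
        $findings.Add("$($ext.Oid.FriendlyName) has no HTTP URL; cross-forest and non-domain clients cannot fetch it.")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No blocking findings; root '$($root.Subject)' (thumbprint $($root.Thumbprint)) looks reusable."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from a machine joined to the new forest, then confirm the conclusion with the built-in tooling: `certutil -verify -urlfetch .\IssuingCA.cer` actually builds the chain and fetches every CDP/AIA URL from that machine's point of view, and once the root passes, `certutil -dspublish -f .\RootCA.cer RootCA` (as an Enterprise Admin of the new forest) publishes it into the new forest's trusted root container so the new issuing CA can be installed as an enterprise subordinate there.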
