Renew PKI Hierarchy - Pretty Urgent
Hi,

My client would like to renew their Root CA, which means their issuing CA should also be renewed. Currently it is a two-tier hierarchy and the end-user certificates are being issued randomly in an ad-hoc manner. The root is an offline Windows 2003 CA, 2048-bit key length, with a 10-year lifetime. The issuing CA is an enterprise Windows 2003 CA, 1024-bit key length, with an 8-year lifetime.

Here is my plan:

- Retain the current offline Root CA (valid for 2 more years) and Issuing CA (valid for one more year).
- Install a new offline Root CA (2048-bit, 15 years validity) and Issuing CA (2048-bit, 10 years validity) on a new server. I would love to configure 4096-bit for the root, but we have some systems that do not have the capability to consume such large keys.
- Configure the certificate templates, but DO NOT assign the templates to the issuing CA as of yet.
- Publish the new Root CA & Issuing CA using GP for domain members and manually for non-domain members, just to give enough time for all the clients to have the new CAs installed in their trust store.
- Around Jun '12, remove the certificate templates from the current CAs (which issue 6-month end-user certificates) but retain CRL generation capability.
- Assign the certificate templates to the new Issuing CA to handle all renewal and new certificate requests from that point in time.

This way all systems trust the new CAs when they receive renewed & new certificates. The current CAs would live on generating CRLs for the current certificates until all of them expire.

For all the geeks out there in this forum, my question to you is: "Is my plan technically feasible?" If not, please point out my mistakes. Even better if you could let me know of any better approach.

Also, from a knowledge point of view, can multiple enterprise issuing CAs, each signed by a different Root CA, be concurrently operational in one domain?

Thanks in advance.

Sanurajan
May 9th, 2012 2:48am
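An added worked check of the cut-over timeline in the plan above (not code from the thread). It assumes concrete dates for the figures the post gives only approximately (old root expiring May 2014, old issuing CA expiring May 2013, cut-over 1 June 2012, six-month end-user certificates) and uses the fact that a Windows CA never issues a certificate that outlives its own certificate, so it reports how long each old CA must keep publishing CRLs and when a slipped cut-over would start producing truncated certificates.

```python
from datetime import date, timedelta

# Constructed timeline for the two-tier migration described in the post. The
# concrete dates are assumptions: the post only says the old root is "valid
# for 2 more years", the old issuing CA "valid one more year" (as of May 2012),
# end-user certificates last 6 months, and the cut-over is "around Jun'12".
OLD_ROOT_EXPIRES = date(2014, 5, 1)
OLD_ISSUING_EXPIRES = date(2013, 5, 1)
END_ENTITY_LIFETIME = timedelta(days=183)  # six-month end-user certificates
PLANNED_CUTOVER = date(2012, 6, 1)         # templates removed from old issuing CA


def last_cert_expiry(cutover, issuing_expires, lifetime):
    """Latest notAfter of any certificate the old issuing CA can have issued.

    A Windows CA never issues a certificate that outlives its own CA
    certificate, so the nominal expiry is capped at the CA's notAfter."""
    return min(cutover + lifetime, issuing_expires)


def check_plan(cutover, issuing_expires, root_expires, lifetime):
    """Evaluate the retire-the-old-CAs timeline; returns a dict of findings."""
    last_expiry = last_cert_expiry(cutover, issuing_expires, lifetime)
    # Cutting over later than this date means the final certificates issued
    # by the old CA are silently shortened to the CA's own expiry.
    latest_full_cutover = issuing_expires - lifetime
    return {
        # The old issuing CA must keep publishing CRLs until its last
        # end-entity certificate has expired.
        "issuing_crl_needed_until": last_expiry,
        # The old root must keep publishing CRLs (covering the old issuing
        # CA certificate) until that CA certificate itself expires.
        "root_crl_needed_until": issuing_expires,
        "certs_truncated": cutover + lifetime > issuing_expires,
        "latest_cutover_without_truncation": latest_full_cutover,
        "hierarchy_consistent": issuing_expires <= root_expires,
        "feasible": issuing_expires <= root_expires and cutover <= issuing_expires,
    }


if __name__ == "__main__":
    findings = check_plan(PLANNED_CUTOVER, OLD_ISSUING_EXPIRES,
                          OLD_ROOT_EXPIRES, END_ENTITY_LIFETIME)
    for key, value in findings.items():
        print(f"{key}: {value}")
```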

Thanks Weber.
May 9th, 2012 2:50am
