Replacing root CA above Windows Server 2003 subordinate issuing CAs
Hi, I did post a related question at http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/dfe1f541-e3b2-42b5-bd3b-7a7d0f7a7e66 but I guess, as it mentions HSMs, it's not getting much response, so I've asked a more generic question here: We have lost the ability to export our private key for the root CA (for now it can still be used for signing, but see the other post if more info is needed), so we will need to have a completely new root CA and the old one removed. My question is: what implications will this have on the subordinate issuing CAs and all the certificates it has issued if we have to replace the root? I guess we will still keep the old root CA cert as a trusted root, but what about root CA CRL publishing etc.? Will that be required for the certificates issued by the subordinate CAs? Thanks for any help.
November 19th, 2009 3:10pm

Hi, I am afraid that you cannot remove the old root CA if you want to keep using the subordinate issuing CAs. Each certificate in the certificate chain is checked for revocation status. If you remove the old root CA, the issuing CA certificate and the certificates issued by the issuing CA may become invalid because no current CRL is available. For more information, you can refer to: Certificate Revocation and Status Checking http://technet.microsoft.com/en-us/library/bb457027.aspx This posting is provided "AS IS" with no warranties, and confers no rights.
November 24th, 2009 1:07pm
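An added example, not from the thread, that checks what the reply describes: whether a certificate issued by the subordinate CA still builds a valid chain when every element is revocation-checked online, which depends on the old root's CRL remaining published. It assumes a Windows PowerShell session and a placeholder path for the certificate under test.

```powershell
# Added example (not from the thread): validate the chain of a certificate issued by
# the subordinate CA with an online revocation check of every element, so a missing
# or expired root CA CRL shows up on the subordinate CA's element. Placeholder path.
param(
    [string]$CertPath = 'C:\temp\issued-by-subca.cer'   # assumed placeholder
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Fetch CRLs online for the whole chain rather than trusting only the local cache.
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)

$valid = $chain.Build($cert)
"Chain valid: $valid"

# Walk the chain from the leaf up to the root. The subordinate CA's element is the one
# whose revocation status is decided by the root CA's CRL; if that CRL cannot be
# obtained, expect RevocationStatusUnknown and OfflineRevocation on that element.
foreach ($element in $chain.ChainElements) {
    $status = if ($element.ChainElementStatus.Count -eq 0) {
        'OK'
    } else {
        ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    }
    '{0,-60} {1}' -f $element.Certificate.Subject, $status
}
```

The same check from the command line is `certutil -verify -urlfetch <file.cer>`, whose output lists the CRL retrieval result for each certificate in the chain.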

