Setting up new Enterprise CA
Hi, our existing CA is currently set up as a root CA on a Server 2008 Standard machine. We've decided to start looking into trialling smart cards within the business, but in order to do this with the smart cards we've ordered we need an enterprise CA, as we need to create some custom certificates to use with the smart cards. Is it possible to set up an enterprise CA (root or subordinate) to be able to generate our required certificates? The current CA is configured on our primary DC and as a result we do not want to change/update it if at all possible. We have additional servers running 2008 Enterprise which we could install a CA onto; however, it's just double-checking whether we configure it as root or subordinate. Thanks!
November 15th, 2010 11:11am

Yes, you can set up an additional root CA if needed, or this new CA can be a subordinate. You may want to read up on CA design and implementation before you begin. Before deploying a CA you should thoroughly review the business requirements and design appropriately. Since you are looking into smart cards, the design and security considerations are even more important. I would start with this MS article: http://technet.microsoft.com/en-us/library/cc700804.aspx
Visit: anITKB.com, an IT Knowledge Base.
November 15th, 2010 11:22am

I've got the guide here on how the smart cards are required to be set up: http://www.gemalto.com/dwnld/6405_DotNET_CertEnrol_CS_Server08_AN.pdf. I've read through the info provided above and I'm still unsure how to proceed. If I set up a new subordinate CA (or enterprise root CA), will that affect our current root CA? I just need something to be able to issue the required certificates to configure smart cards currently.
November 15th, 2010 11:40am

Would it be possible (although not recommended and going against all design principles for PKI) to set up an additional root CA for issuing these certificates? It appears that I definitely need a root CA for these to work, and with not being able to touch our current root CA (installed on our primary DC) I can't see any other options for this.
November 16th, 2010 8:15am

I can't think of any reason at the moment that should prevent you from setting up another root CA, specifically for this purpose. Of course, I would always recommend that you test out all configs in a test lab prior to moving into your production network.
Visit: anITKB.com, an IT Knowledge Base.
November 16th, 2010 6:33pm

Hi, thanks for the post. Although multiple root CAs are not recommended in a single forest, we can install one without any problem. As JM mentioned, we need to set up a test lab to check it. Thanks, Miles
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 16th, 2010 10:32pm
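Both replies above say a second root CA can be added to the forest but should be tested first. The part worth checking before and after that install is what Active Directory already trusts, because an enterprise CA install does not just add "another CA": its certificate is published to the forest's Certification Authorities container (for a root), to Enrollment Services, and to NTAuthCertificates, and any CA certificate in NTAuthCertificates is trusted by every domain controller to issue smart card logon certificates for any account. The script below is an added example, not from the thread or from either poster; it enumerates those three containers so you can see what a new root CA adds and whether the existing root on the DC (which, if it is a standalone root, will not appear under Enrollment Services) is in them. It assumes a domain-joined machine with PowerShell 2.0 (Server 2008), read access to the Configuration partition (the default for authenticated users), and uses only System.DirectoryServices, so no Active Directory module is needed.

```powershell
# Added example, not part of the original thread.
# Lists the CA certificates Active Directory publishes forest-wide, so a
# second root CA can be compared against what is already trusted.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Get-CertsFromAttribute {
    param(
        [System.DirectoryServices.DirectoryEntry]$Entry,
        [string]$Attribute
    )
    # cACertificate is multi-valued: one DER blob per certificate.
    foreach ($blob in $Entry.Properties[$Attribute]) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (,[byte[]]$blob)
    }
}

function Get-ChildCertObjects {
    param([string]$ContainerDn)
    # Each child is a certificationAuthority or pKIEnrollmentService object.
    $container = [ADSI]"LDAP://$ContainerDn"
    foreach ($child in $container.Children) {
        foreach ($cert in (Get-CertsFromAttribute -Entry $child -Attribute 'cACertificate')) {
            New-Object PSObject -Property @{
                Object     = $child.Properties['cn'].Value
                Host       = $child.Properties['dNSHostName'].Value   # only on enrollment objects
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                SelfSigned = ($cert.Subject -eq $cert.Issuer)          # true for a root CA
            }
        }
    }
}

"== Root CAs trusted forest-wide (CN=Certification Authorities) =="
Get-ChildCertObjects -ContainerDn "CN=Certification Authorities,$pkiBase" |
    Format-Table Object, Subject, Thumbprint, NotAfter -AutoSize

"== Enterprise CAs registered for enrollment (CN=Enrollment Services) =="
Get-ChildCertObjects -ContainerDn "CN=Enrollment Services,$pkiBase" |
    Format-Table Object, Host, Subject, SelfSigned, Thumbprint -AutoSize

"== CAs permitted to issue logon (smart card) certificates (NTAuthCertificates) =="
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
Get-CertsFromAttribute -Entry $ntAuth -Attribute 'cACertificate' |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
```

Run it once before installing the new enterprise root and once after, and diff the thumbprints: the new root should appear in all three sections, and the existing root on the DC should be unchanged. Because every certificate in the NTAuthCertificates section is a logon trust anchor for the whole forest, the server hosting the new root CA needs the same physical and administrative protection as a domain controller, whichever CA type you choose.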

