We would like to decommission our current CA and create a new one
Our CA is one of our Server 2008 Domain Controllers, and it was set up by a previous IT team. (Translation: I don't have much experience yet with CAs.) We would like to separate the Certificate Authority function from the Domain Controller function, and we would like to use Server 2012 for our CA.

I see in http://social.technet.microsoft.com/forums/en-us/winservergen/thread/A900BE58-D53E-4149-A111-D10A57C7FF4D that, back in 2010 anyway, "Having multiple root CA is not recommend in a single forest but you can install it with out any problem." That makes me think that we can bring up a new Server 2012 system as a new CA. Then, once we're comfortable with it, we can decommission the Server 2008 CA.

With two CAs, however, I don't understand how to determine which one responds to certificate requests. The current CA hasn't generated many certs because we don't use autoenrollment (yet), but we have recently learned how to manually request a cert. When we do that, however, there's no opportunity to select a specific CA. In the link referenced above, Justin_s notes that they "revoked the ca's ablity to re-issue." At this point in my development, I don't actually know how to do that.

Is it OK to create a second CA? And, if we do, how do we control which CA responds to certificate requests?
March 26th, 2013 6:15pm

> With two CAs, however, I don't understand how to determine which one responds to certificate requests.

You just remove all templates from the old CA (in the Certification Authority MMC snap-in, select the Certificate Templates folder and remove all of them) and assign them to the new CA. In this case, the old CA will not respond to any request.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Check out new: PowerShell FCIV tool.
March 27th, 2013 9:56am
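The procedure Vadims describes, scripted with the built-in certutil/certreq tools instead of the MMC snap-in. This is an added example and not code from the thread; the CA config strings, the template list and the test subject name are placeholders you must replace with your own values (the config string is "host\CA common name", which you can read from certutil -dump on a domain member).

```powershell
# Added example, not from the forum post. Host and CA names below are assumptions.
$OldCA = 'dc01.corp.example\Corp-DC01-CA'     # assumed: the Server 2008 DC that currently runs AD CS
$NewCA = 'ca01.corp.example\Corp-Issuing-CA'  # assumed: the new Server 2012 CA

# 1. Inventory: list the templates each CA is currently willing to issue.
certutil -config $OldCA -CATemplates
certutil -config $NewCA -CATemplates

# 2. Move every template from the old CA to the new one.
#    Fill this list from the old CA's inventory output above (template CN names,
#    e.g. WebServer, Machine, User). The three names here are constructed.
$templates = @('WebServer', 'Machine', 'User')

foreach ($t in $templates) {
    # Publish on the new CA first so there is never a moment with no issuer for $t ...
    certutil -config $NewCA -SetCATemplates "+$t"
    # ... then withdraw it from the old CA. With no templates assigned, the old CA
    # cannot issue anything, which is what "revoking its ability to issue" amounts to.
    certutil -config $OldCA -SetCATemplates "-$t"
}

# 3. Verify by submitting the same request to each CA explicitly (-config picks the CA,
#    which the MMC request wizard does not let you do).
@"
[NewRequest]
Subject = "CN=test.corp.example"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path .\req.inf

certreq -new .\req.inf .\req.req

# Expected from the old CA: "The requested certificate template is not supported by this CA."
# (CERTSRV_E_UNSUPPORTED_CERT_TYPE, 0x80094800).
certreq -submit -config $OldCA .\req.req

# Expected from the new CA: issued (or pending, if the template requires manager approval).
certreq -submit -config $NewCA .\req.req .\test.cer
```

Run the inventory step first and check the list before running the loop; -SetCATemplates takes effect immediately and removing a template from a CA does not revoke certificates it already issued. Keep the old CA running until its CRL publication and the decommissioning steps in the linked blog post are dealt with, because existing certificates still chain to it.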

Thanks, Vadims ... that's very helpful.
March 28th, 2013 11:26am

Yes. Vadims' answer is correct and concise. FYI: there is also a blog post from our guru in Customer Support Services (CSS), Jonathan Stephens, that discusses doing something similar. He addresses the question of having two root CAs: http://aka.ms/PKI1to2tier. He also discusses a lot of details.
March 28th, 2013 9:43pm

That's an excellent blog post. Thanks for the link, Kurt.
March 29th, 2013 12:02pm
