Channel: Security forum

Auto Enrollment of computer/user/domain controller certs using a different domain joined CA


Hi All,

There is a domain-joined root CA in the example.com domain. All the clients that were part of example.com were getting certs auto-issued/renewed based on the auto-enrollment policy.

There is a 2-tier PKI infra in the test.com domain with one offline standalone root and an enterprise sub CA. Clients that are added to test.com receive certs automatically from the enterprise sub CA, which is in test.com. There is CEP/CES also set up for this enterprise sub CA.

I want to decomm the domain-joined root CA in example.com, as it's not a good practice to issue certs from a root CA directly and also it's a 2003 server. So now I want all the clients (computers/users/domain controllers) that are part of example.com to get the certs auto-issued/renewed from the enterprise sub CA that is part of test.com.

The trust relationship between example.com and test.com is a two-way, non-transitive external trust. Now my questions are:

  1. What are the configuration changes that have to be done on the example.com and/or test.com Active Directory so that the clients will receive the certificates from the enterprise sub CA that is in the test.com domain?
  2. Do I have to make any modifications on the Enterprise Sub CA?

Hope I made the description clear. Please let me know if I missed any detail that would help you to provide a solution.

Regards,

Chaitanya.


