Hello,
I have some questions about a soft PKI migration.
In our Active Directory environment there is a single-tier PKI installed: one root CA holding the root certificate and issuing every certificate used in that Active Directory environment. So our plan was to set up a new two-tier PKI with an offline root CA and a subordinate issuing CA, and slightly migrate and change the already issued certificates from the old PKI to the new PKI.
What I already read was that two root CAs are possible in one domain forest and that auto-enrollment (e.g. Domain Controller Certificate) can be triggered by the templates of the specific CAs.
So has anybody done that before and can give some advice and tips on what can be done or what can't, and where problems can occur?
Best regards
Markus Ösch