I have inherited what I am beginning to believe is a poorly designed PKI infrastructure. I have one root CA and two issuing CAs, all 2008 R2. My root certificate authority is expiring in about two months, so I am planning to renew it and the subordinate CAs soon.
I see that the root CA has issued a lot of certificates and that many templates are available. The root is not offline (I know that is not best practice).
I would like to remove these templates from the root CA and allow the subordinates to do all the issuing. If I do this before I renew the root CA, then all the certs currently issued will expire in two months and not be renewed on the root CA.
My questions are:
- In the scenario above will the certificates originally issued by the Root CA be renewed on the Subordinate CAs?
- Most of these certs seem to be auto-enrolled. Will autoenrollment know to go to the subordinate CA from now on?
- Are there any other concerns with taking this action that I should be aware of?
Most of the certificate templates on the root CA are default templates and, I believe, are auto-enrolled (I haven't manually issued certs for these templates):
- Basic EFS
- Computer (I know this one is auto enroll)
- Domain Controller
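An added example, not part of the original post, of the inventory step that should precede unpublishing templates from the root. Autoenrollment does not remember which CA issued a certificate; at renewal time the client picks any enterprise CA registered in Active Directory that publishes the template and grants the principal Enroll and Autoenroll permission. So the safe order is: publish each template on an issuing CA first, then unpublish it from the root. The script below parses `certutil -CATemplates` on each CA, reports templates that only the root publishes (at risk), and unpublishes from the root only those an issuing CA already serves. The CA config strings are hypothetical; take the real ones from `certutil -dump`. It uses only `certutil` so it runs on 2008 R2, which lacks the newer ADCSAdministration cmdlets.

```powershell
# Added example (not from the original post). Compares templates published on a
# root CA against those on the issuing CAs, then unpublishes from the root only
# the templates an issuing CA can already serve. CA config strings below are
# hypothetical placeholders; use the real "Host\CAName" values from certutil -dump.
$RootCA     = "rootca01.corp.example\Corp-Root-CA"
$IssuingCAs = @(
    "ca01.corp.example\Corp-Issuing-CA1",
    "ca02.corp.example\Corp-Issuing-CA2"
)
$DryRun = $true   # set to $false to actually unpublish templates from the root

# Parse "certutil -CATemplates" output, whose template lines look like
#   Machine: Computer -- Auto-Enroll
# into common name (left of the colon), display name and auto-enroll flag.
# Written for PowerShell 2.0 (no [pscustomobject], no member enumeration).
function Get-PublishedTemplates([string]$Config) {
    $out = & certutil.exe -config $Config -CATemplates 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed for ${Config}: $out" }
    foreach ($line in $out) {
        if ("$line" -match '^(?<cn>[^:\s]+):\s+(?<display>.+?)\s+--\s+(?<flags>.*)$') {
            New-Object PSObject -Property @{
                Config      = $Config
                CommonName  = $Matches['cn']
                DisplayName = $Matches['display']
                AutoEnroll  = ($Matches['flags'] -match 'Auto-Enroll')
            }
        }
    }
}

$rootTemplates    = @(Get-PublishedTemplates $RootCA)
$issuingTemplates = @($IssuingCAs | ForEach-Object { Get-PublishedTemplates $_ })
$servedElsewhere  = @($issuingTemplates | ForEach-Object { $_.CommonName } | Sort-Object -Unique)

# Templates nobody but the root publishes: unpublishing these would leave
# autoenrollment with no CA to renew against. Publish them on an issuing CA first.
$atRisk = @($rootTemplates | Where-Object { $servedElsewhere -notcontains $_.CommonName })
# Templates an issuing CA already publishes: clients will renew there once the
# root stops offering them.
$safe   = @($rootTemplates | Where-Object { $servedElsewhere -contains $_.CommonName })

"Templates published ONLY on the root (publish on an issuing CA before removing):"
$atRisk | Format-Table CommonName, DisplayName, AutoEnroll -AutoSize

"Templates an issuing CA already serves (safe to unpublish from the root):"
$safe | Format-Table CommonName, DisplayName, AutoEnroll -AutoSize

foreach ($t in $safe) {
    # certutil -SetCATemplates takes a +/- prefixed common name; "-" unpublishes.
    $arg = "-" + $t.CommonName
    if ($DryRun) {
        "WOULD RUN: certutil -config $RootCA -SetCATemplates $arg"
    } else {
        & certutil.exe -config $RootCA -SetCATemplates $arg
        if ($LASTEXITCODE -ne 0) { Write-Warning "failed to unpublish $($t.CommonName) from $RootCA" }
    }
}

# Verification, run on a domain member after the change: force an autoenrollment
# pass, then list who issued the machine certificates. Certificates the root
# issued keep that issuer until their renewal window; only then does the client
# enroll against an issuing CA that publishes the same template.
#   certutil -pulse
#   Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Issuer, NotAfter
```

Leave `$DryRun` set to `$true` for the first run and read the two tables. Anything in the "ONLY on the root" table (for a default install that often includes the Domain Controller and Directory Email Replication templates) must be published on an issuing CA through the Certificate Templates snap-in, or `certutil -config <issuingCA> -SetCATemplates +<CommonName>`, before you remove it from the root, otherwise domain controllers and workstations will log autoenrollment failures when their current certificates come due. Unpublishing a template does not revoke or shorten the certificates the root already issued; they simply renew elsewhere.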