I have gone through many standalone to two tier discussions/forums, but found nothing conclusive on this topic.
I have inherited an online two tier architecture, and would like to implement some best practice work:
The first step is to place the root CA offline. Based on what I have read I can do that by backing up the current enterprise online root CA.
Then install a new standalone root CA on a virtual box (switching to virtual) and use the online one's public key and the same hostname to install the standalone. Make sure CRLs are placed on a reachable network drive and so on...
The issuing CA will be the same. Nothing will change... other than adding additional ones later on.
Did I get this correct? Or will I have to reissue the root CA and have it be trusted on all firewalls/load balancers, etc. and reissue? Also, we are pushing to two-factor authentication with AD and cert-based, and I need to make sure I have my back end ready.
If I go ahead early and implement user cert templates with the current architecture, can I take the root offline later and will everything still be intact?
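As an added example that is not part of the question above, here is a PowerShell check list for confirming that a standalone root rebuilt from a backup still carries the old root's key pair and sensible publication points; the CA name, backup folder and certificate file names are placeholders.

```powershell
# Added example (not from the original post): checks to run after rebuilding the root
# as a standalone CA from a backup of the old online enterprise root.
# Placeholders: the CA name, backup path and certificate file names are assumed.

$RootCaName    = 'CORP-ROOT-CA'               # placeholder: common name of the root CA
$BackupDir     = 'C:\CABackup'                # placeholder: folder written by "certutil -backup"
$OldRootCert   = "$BackupDir\OldRoot.cer"     # placeholder: exported with "certutil -ca.cert" on the old host
$IssuingCaCert = "$BackupDir\Issuing.cer"     # placeholder: the issuing CA's own certificate

# 1. On the OLD online root, before it is decommissioned (run these there, not here):
#    certutil -ca.cert C:\CABackup\OldRoot.cer
#    certutil -backup C:\CABackup                 (prompts for a password protecting the key)
#    reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration C:\CABackup\CertSvc.reg

# 2. On the NEW standalone root (same CA name, same host name), after installing the role
#    with the existing key from the backup and restoring the database:
#    certutil -restore C:\CABackup

# 3. Verify the rebuilt root signs with the SAME key pair. If the public keys differ, the
#    issuing CA certificate no longer chains and every relying party (firewalls, load
#    balancers, clients) would need the new root pushed out, which is the re-trust scenario
#    the question wants to avoid. A renewal with the same key changes the thumbprint but not
#    the key, so the key itself is what is compared here.
$newRoot = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$RootCaName*" -and $_.Issuer -eq $_.Subject } |
    Select-Object -First 1
$oldRoot = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OldRootCert
if ($newRoot.GetPublicKeyString() -ne $oldRoot.GetPublicKeyString()) {
    throw "Key mismatch: new root $($newRoot.Thumbprint) does not use the old root's key"
}
"Root key pair matches old root $($oldRoot.Thumbprint)"

# 4. The CDP/AIA URLs must point somewhere clients and the issuing CA can reach once the
#    root is offline (network share, HTTP, LDAP), not at the root box itself.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 5. An enterprise root publishes itself into AD automatically; a standalone root does not.
#    Publish its certificate and CRL so domain members keep trusting it (run as an enterprise admin):
#    certutil -dspublish -f C:\CABackup\OldRoot.cer RootCA
#    certutil -dspublish -f C:\CABackup\CORP-ROOT-CA.crl

# 6. Chain-check the issuing CA certificate, fetching the CRL and AIA from the published URLs.
certutil -verify -urlfetch $IssuingCaCert
```

Step 3 is the one that answers the "do I have to reissue and re-trust?" worry: as long as the public key and CA name are unchanged, existing certificates issued by the issuing CA keep chaining to the same trusted root.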