Ok, so Finally got my 2 tier PKI setup. I Ran into a snag where my root CA accepted the certuil setting for publishing the CDP and AIA. Even though it said it changed the AIA it did not. I had to do it through the GUI.
Anyway because of this I had to re-issue my Enterprise Sub CA multiple times. Everything is working now except I have multiple Issuing CA in AD and in the Clients local store.
I have not issued any client certs with any of the first 3 CAs. How do I safely remove them? Can I just revoke their certs on the Offline CA, copy the CRL over and then click remove on the above screen shot? Is there something more to it?
also I don't publish the crl to AD, if that matters.
Thanks.