
Root certificate export


Our organization has an internal domain with a PKI consisting of a single 2003 Server Enterprise Certificate Authority. About six months ago, I renewed our root certificate (512 key length) to 2048 key length and new key pair. Next, I want to update the root certificates in our DMZ domain. Servers in our DMZ domain have the same root certificate as the said internal domain root certificate with the 512 key that I renewed six months ago. The reason for this is that once upon a time, servers built for our DMZ often ended up being added to our internal domain as part of the build process before being added to our DMZ domain (which has no PKI/CA and no communication with the domain where the CA resides). I would like to upgrade the root certificates on the servers in our DMZ, but I'm unsure as to the best approach:

1. Where should I export the certificate from (Certificate Export Wizard on the CA or any member server that is not part of the PKI, or through AD somehow)?

2. If Certificate Export Wizard, which format (DER encoded..., Base-64..., Cryptographic Message Syntax...), and can I use the same single certificate file I've created via the export on multiple servers for which it applies?

Note that what I'm looking at doing here is temporary until a more permanent solution (e.g., a PKI in the DMZ) is investigated. Our DMZ has a mixture of Windows 2003 x32 and Windows 2008 R2 servers. Any advice/recommendations would be welcomed and appreciated.

Thanks,

Chad

