First some background:
- OS: Server 2008 R2 STD
- I have one Enterprise Root CA on SERVER1 (brand new, standalone server, no issues)
- I also have one subordinate CA on SERVER2
- SERVER2 is also a DC
I would like to completely remove the CA role from SERVER2 and maintain its status as a Domain Controller only. This would leave me with just one Enterprise Root CA on SERVER1.
I'm in the process of reading through the following articles and trying this in a test environment:
http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx
http://support.microsoft.com/kb/889250
Does anyone have any experience with this? My main concern is: what happens to the certificates that were issued from SERVER2? Any input is appreciated.
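Added example, not part of the original post: before removing the CA role, inventory the certificates the subordinate CA on SERVER2 has issued that are still within their validity period, so the impact of the decommission can be assessed. The CA common name `SubCA-Name` and the output path are placeholders (the post does not give them).

```powershell
# Added example (not from the post): list still-valid certificates issued by the
# subordinate CA on SERVER2 so you know what depends on it before decommissioning.
# 'SubCA-Name' is a placeholder for the CA's common name; adjust the output path as needed.
$CaConfig = 'SERVER2\SubCA-Name'
$Out      = 'C:\Temp\SERVER2-issued-certs.csv'

# Disposition 20 = issued certificates; NotAfter>=now drops certificates that have
# already expired. The selected columns identify who requested each cert, for what,
# from which template, and when it expires.
certutil -config $CaConfig -view -restrict 'Disposition=20,NotAfter>=now' `
    -out 'RequestID,RequesterName,CommonName,CertificateTemplate,NotBefore,NotAfter' csv |
    Out-File -FilePath $Out -Encoding ASCII

# Quick count of certificates that will no longer have a live issuing CA (for CRL/OCSP
# and renewal purposes) once SERVER2's CA role is removed.
$Count = (Import-Csv -Path $Out | Measure-Object).Count
Write-Host "Still-valid certificates issued by $CaConfig : $Count (details in $Out)"
```

Review the resulting list against the two linked articles: certificates that must keep validating need a published CRL from the old CA until they expire or are reissued by SERVER1.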