Possible to "reissue" RootCA certificate to change a few settings in CAPolicy.inf?


Too late in the long process of creating an offline Standalone RootCA, the internal (to our network) Online Enterprise Issuing CAs and the External Online Standalone (ie, not a member of our domain) CA, I realized an error in our RootCA's CAPolicy.inf file. I should have created two Policies with different OIDs - one for the internal Issuing CAs, and one for the external Issuing CA. I have one. The two Issuing CAs will have different policies due to their very different roles in the organization.

I have already done a -dspublish on the Root CA into our AD DS.

I have not yet done a -dspublish on the subordinate Internal Enterprise Issuing CAs nor on the External Issuing CAs if that makes a difference.

I have installed the internal Enterprise Issuing CAs, but they have not yet issued any certificates. These internal CAs will only be used for domain related certs (domain controller KDC, workstation certs etc etc) and "internal" usage, and will never issue a cert that will matter outside our domain. They are already domain members and their certs have already been signed by the RootCA.

I have also installed the external Issuing CA, which is not a member of the domain (and won't be), and have had the RootCA sign its certificate. The External CA has not yet issued any certificates.

I would like to go back and edit the CAPolicy.inf file on the standalone RootCA to allow two policy OIDs. I assume that means re-generating the RootCA's certificate. Is that a "renewal"? or a "new cert"? What are the implications on the Internal Issuing CAs and the external CA? If I create a new Cert for the RootCA, can I somehow "get rid of" the currently existing cert already in my DS? Is that "bad"? :-)

When you reissue a cert with the same keypair (ie, not generating a new key pair), what happens to the "old version" of the Cert?  Is it now revoked?  What happens to subordinate CAs that were signed with the previous version of the certs?  Do they need to be renewed & signed by the new cert also?

All the CAs are running Server 2012.

I'd really like not to reinstall/recreate everything from scratch again if possible.

Thank you for any insight/help/guidance.
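As an added example (not part of the original post or any reply to it), this is what a CAPolicy.inf with two certificate policies looks like, one per issuing-CA role, together with the certutil renewal that applies it to the root CA while keeping the existing key pair. The OIDs, notice text and URLs are placeholders; replace them with values from your own registered OID arc and the policy pages you actually publish.

```powershell
# Added example: CAPolicy.inf declaring two certificate policies for a root CA,
# then a same-key renewal so the new root certificate carries both policies.
# All OIDs and URLs below are placeholders, not values from the original post.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalIssuingPolicy,ExternalIssuingPolicy
Critical=False

[InternalIssuingPolicy]
; placeholder OID for the internal (domain-joined) issuing CAs
OID=1.3.6.1.4.1.99999.1.1.1
Notice="Internal use only - see policy URL"
URL=http://pki.example.internal/cps/internal.html

[ExternalIssuingPolicy]
; placeholder OID for the external (non-domain) issuing CA
OID=1.3.6.1.4.1.99999.1.1.2
Notice="External issuance - see policy URL"
URL=http://pki.example.com/cps/external.html

[Certsrv_Server]
; lifetime of the renewed root certificate (assumed values)
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
'@

# CAPolicy.inf is read from %windir% both at CA install and at renewal,
# so the file must be in place before the renewal below is run on the root CA.
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# Renew the root CA certificate reusing the current key pair. Renewal does not
# revoke the previous root certificate; it writes a new .crt to CertEnroll.
certutil -renewCert ReuseKeys

# Locate the newly written root certificate for transfer off the offline CA.
$newRoot = Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crt" |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
Write-Output "New root certificate: $($newRoot.FullName)"
```

Because the root is offline, copy the new .crt to a domain-joined machine and publish it there with `certutil -dspublish -f <file> RootCA`, the same way the first root certificate was published.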
