Hi all, we have a 2-tier PKI hierarchy with a standalone Root CA (in a workgroup) and a subordinate Enterprise Issuing CA (in domain1.one). The Root CA has AIA and CDP locations set to HTTP, file and LDAP in Domain1 currently.
We are now looking to stand up a new Sub CA in a different domain (domain2.two); however, as it stands, the Root CA certificate that we would normally publish to AD in domain2 would contain the AIA and CDP locations set to domain1 due to the DSConfigDN registry key being set to Domain1.one on the Root. I'm testing this in my lab at the moment and can confirm that in PKIVIEW in domain2 the Root CA errors out for the AIA and CDP locations (as the URL being listed is located in Domain1).
Is there any way (and is it safe) to change the DSConfigDN registry key and have it apply to the existing Root CA certificate before I publish it to domain2.two? Then I could modify DSConfigDN to domain2.two and get it working correctly?
Thanks