We currently are running a single-tier PKI hierarchy where the Enterprise Root CA is also issuing certificates and has all CA roles enabled as well as certificate templates. This environment is running on Windows Server 2003 R2 Enterprise x86.
We are looking to upgrade our PKI to Windows Server 2012 R2 and thought that this would be a good time to include tiering in this environment. So, my question is, can an Enterprise Root CA be converted to an intermediate CA and if so, how do we go about
doing this? Part of the problem is that we have some non-Windows systems that only trust the current name of our root CA and thus, we will need to reuse this name in the future configuration. Also, we want to minimize disruption to operations as
much as possible. Some certificates are automatically renewed while others are manually renewed through the Web Enrollment service.
↧