If I have two Root CAs in the same Domain, do I have to configure two separate locations for the CRLs?

Hello All

Can someone please help me with the following question :)

I asked the question, can you have two Enterprise Root CAs in the same AD domain? This question was kindly answered by Paul here; the answer was yes.

As far as I believe, the two important aspects from a client point of view (e.g. IE on a Windows 7 PC) are:

1: Public key of the CA (e.g. the CA cert published in AD and therefore downloaded to the X509 store on your PC)

2: CRL (published via LDAP (in the Configuration partition of AD), HTTP/S or a file share)

I believe that as long as you have access to the above two, you can turn the CA off if you want.

I believe the location of the CRL is detailed in the CDP, which is detailed on the certs issued by a given CA, so the client can look in the cert, see what it states about the CDP and thereby get the list of revoked certs.

If all of the above is correct:

When I add a second Root CA to the same domain, do I need to use a CA setup file (e.g. the text file, I believe with a .inf extension) to tell the CA setup routine to place its CDP at a location other than the default location, in case it overwrites the existing CRL at the default location? Basically, I do not want to overwrite (delete) the current CRL when installing another Root CA. Or does the fully qualified X.500 name of the CDP include the CA name (and is therefore unique), so it will not overwrite the original?

Thanks All

AAnotherUser__
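The question above is about whether a second Root CA's CRL publication points collide with the first CA's. The following is an added example, not code from the original post or from any reply to it: it shows how to inspect and set the CRL publication URLs of a CA with `certutil`, using the per-CA substitution variables (%3 = CA name, %7 = sanitised CA name, %2 = server short name) so that each CA's CRL lands under its own name, and then how to read the CDP extension from an issued certificate on a client and fetch it. The CA name `Contoso-Root-CA-2`, the host `pki.example.com` and the path `C:\temp\leaf.cer` are assumptions for illustration.

```powershell
# Added example (not part of the original post). Run in an elevated PowerShell
# prompt on the second CA host after the AD CS role is installed.
# Assumed names: CA "Contoso-Root-CA-2", HTTP CDP host pki.example.com.

# 1. Show where this CA currently publishes its CRL and what it puts into the
#    CDP extension of the certificates it issues. Each entry is "<flags>:<URL>".
#    Substitution variables in the URL: %1 = server DNS name, %2 = server short
#    name, %3 = CA name, %6 = configuration naming context, %7 = sanitised CA
#    name, %8 = CRL name suffix, %9 = delta CRL suffix, %10 = CDP object class.
certutil -getreg CA\CRLPublicationURLs

# 2. Define the publication points. Flag bits: 1 = publish CRL here,
#    2 = include in the CDP extension of issued certs, 4 = include in the
#    freshest-CRL extension, 8 = include in the CRL's IDP extension,
#    64 = publish delta CRLs here. 65 = 1+64, 6 = 2+4, 79 = 1+2+4+8+64.
#    Because %3 / %7 and %2 appear in every path, the second CA writes
#    "Contoso-Root-CA-2.crl" and its own LDAP container; it never touches
#    the first CA's CRL even when both CAs use the same HTTP share.
$urls = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '6:http://pki.example.com/CertEnroll/%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
) -join '\n'   # certutil reads a literal "\n" as the multi-string separator

certutil -setreg CA\CRLPublicationURLs $urls

# 3. Restart the CA service so the new registry values take effect, then
#    publish a fresh CRL to the new locations.
Restart-Service certsvc
certutil -CRL

# 4. Compare with the first CA (assumed host\name) to confirm the two CAs
#    resolve to different file names and different LDAP containers.
certutil -config 'ca1.example.com\Contoso-Root-CA-1' -getreg CA\CRLPublicationURLs

# 5. On a client: read the CDP extension (OID 2.5.29.31) from a certificate
#    issued by the new CA, and let certutil fetch the CRL from those URLs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like 'CN=Contoso-Root-CA-2*' } |
    Select-Object -First 1

if ($cert) {
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdp.Format($true)                        # prints the URLs the client will use

    [IO.File]::WriteAllBytes('C:\temp\leaf.cer', $cert.Export('Cert'))
    certutil -verify -urlfetch C:\temp\leaf.cer  # fetches each CDP and reports status
}
```

The uniqueness comes from the substitution variables in `CRLPublicationURLs`, which is a post-install registry setting, not from the setup `.inf`: the `[CRLDistributionPoint]` section of `CAPolicy.inf` only controls the CDP extension written into the CA's own certificate (normally left empty on a root), not where that CA publishes the CRLs it signs.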
