Hello,
I inherited a two-tier PKI: one standalone root-CA server and one AD-CA server. Both servers are running W2K3.
Unfortunately the root-CA was created with CRL settings, so it is not possible to leave the root-CA offline for security reasons. And there are many webserver certificates in use, which were created directly from the root-CA, and some from the AD-CA.
Now I want to upgrade the CA environment to W2K8R2 servers. When I export/import the certificate settings I still have the problem with the CRL of the root-CA, and both servers have to stay online.
My idea is to set up a new two-tier PKI (offline root-CA without CRL and a new AD-CA), let both PKIs run in parallel for some months, and replace all certificates created from the old root-CA with certificates from the new AD-CA.
Is this possible? Which problems may arise? Can the Active Directory handle both AD certificates at the same time?
Thanks in advance and kind regards, Boris