Channel: Security forum

We would like to decommission our current CA and create a new one


Our CA is one of our Server 2008 Domain Controllers, and it was set up by a previous IT team.  (Translation: I don't have much experience yet with CAs.)  We would like to separate the Certificate Authority function from the Domain Controller function, and we would like to use Server 2012 for our CA.  I see in http://social.technet.microsoft.com/forums/en-us/winservergen/thread/A900BE58-D53E-4149-A111-D10A57C7FF4D that, back in 2010 anyway, "Having multiple root CA is not recommend in a single forest but you can install it with out any problem."  That makes me think that we can bring up a new Server 2012 system as a new CA.  Then, once we're comfortable with it, we can decommission the Server 2008 CA.  With two CAs, however, I don't understand how to determine which one responds to certificate requests.  The current CA hasn't generated many certs because we don't use autoenrollment (yet), but we have recently learned how to manually request a cert.  When we do that, however, there's no opportunity to select a specific CA.  In the link referenced above, Justin_s notes that they "revoked the ca's ablity to re-issue."  At this point in my development, I don't actually know how to do that.

Is it OK to create a second CA?  And, if we do, how do we control which CA responds to certificate requests?

