Channel: Security forum

Deploying new 2008r2 Enterprise Root CA alongside existing 2003 Enterprise Root CA in the same domain


Hello,

I need some advice on whether the following is achievable. We already have an existing PKI infrastructure - an Enterprise Root CA was created on a 2003 DC approximately 4 years ago. Recently we have started the migration to 2008r2 AD. As the existing Root CA is due to expire in 12 months and the hardware should also be decommissioned, it seems like a good time to move to a new Enterprise Root CA on a 2008r2 server.

My question is: can both of these Enterprise Root CAs be run side by side? We have a single domain / forest - nothing complicated. Would I be correct in assuming that when the new 2008 Enterprise Root CA comes online, its Root CA cert would be automatically published / installed to domain-joined computers alongside the existing 2003 Trusted Root CA cert?

With both Enterprise Root CAs operational, we could then start to migrate or issue new certs from the new CA and slowly decommission the old CA over a number of months?

One additional question - is there something written to the AD configuration somewhere that indicates to clients which is the primary Enterprise Root CA to use when requesting new certificates?

 

Regards

Mark

