PKI structure changes

C. Brice

We've currently got a 1-tier PKI setup with an enterprise-root CA. I'd like
to move to a 3-tier - offline standalone root, offline standalone policy, and
an enterprise issuing. I can't find any docs to explain how to get there.

Do I need to tear down the existing to bring up the new one, or can they
exist side by side?

C. Brice
 
Brian Komar

I would say the best way is to deploy the new one and keep the enterprise root
CA around only for revocation and publication of CRLs.
When its last certificate expires, rip it out <G>
Brian

"C. Brice" <CBrice@discussions.microsoft.com> wrote in message
news:93FE7F51-729E-46A6-AFDC-B5FB83D15641@microsoft.com...
> We've currently got a 1-tier PKI setup with an enterprise-root CA. I'd like
> to move to a 3-tier - offline standalone root, offline standalone policy,
> and an enterprise issuing. I can't find any docs to explain how to get there.
>
> Do I need to tear down the existing to bring up the new one, or can they
> exist side by side?
>
> C. Brice
 
djpaynesr

I agree with Brian. They shouldn't interfere with each other operationally as
they will both be trusted by the domain. When the new PKI infrastructure is
up and running and the certificates have been distributed the old PKI
infrastructure can be removed. As long as the objects (users, computers,
etc.) have a trusted certificate associated with them or in their local
certificate store, communication won't be affected.

However, I would definitely try this out in a lab environment before
deployment to ensure that I am completely familiar with the deployment, error
correction and recovery, and proof of concept. The lab doesn't have to be
anything fancy; a few servers, workstations and users would work. It can even
be done in a virtual environment if resources are limited.
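An added example (not code from the thread or from any of the posters) that turns the two answers above into checks you can run on the old CA: Brian's rule that the old enterprise root stays up only for CRL publication until its last issued certificate expires, and djpaynesr's point that both roots must be trusted by the domain while the PKIs coexist. The CA config string, the path to the new root certificate and the "Corp" name filter are hypothetical; run it as a CA administrator on a domain-joined host.

```powershell
# Added example, not from the original thread. Pre-decommission checks for a
# legacy enterprise root CA running alongside a new 3-tier PKI.
# Hypothetical values: adjust the config string, file path and name filter.
$OldCaConfig = 'OLDCA01.corp.example.com\Corp-Enterprise-Root-CA'   # hypothetical
$NewRootCer  = 'C:\pki\Corp-Root-CA.cer'                            # hypothetical

function Get-OldCaRetirementDate {
    # The old root can be removed once its last issued certificate expires.
    # Disposition 20 = issued; NotAfter>now drops certificates already expired.
    # CSV output lets the result be parsed rather than eyeballed.
    $lines = certutil -config $OldCaConfig -view `
        -restrict 'Disposition=20,NotAfter>now' `
        -out 'RequestID,CommonName,NotAfter' csv |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' }

    $issued = $lines | ConvertFrom-Csv
    if (-not $issued) { return $null }   # nothing unexpired: safe to retire now

    # Third column is NotAfter regardless of certutil's display header name.
    $latest = $issued |
        ForEach-Object {
            $raw = @($_.PSObject.Properties)[2].Value
            [datetime]::Parse($raw, [cultureinfo]::CurrentCulture)
        } |
        Sort-Object -Descending | Select-Object -First 1
    return $latest
}

function Test-OldCaCrlPublishing {
    # Until that date the old CA must keep publishing CRLs, or revocation
    # checks on certificates it issued start failing. Show the configured
    # period and force a fresh publish so the current CRL is not near expiry.
    certutil -config $OldCaConfig -getreg CA\CRLPeriodUnits
    certutil -config $OldCaConfig -getreg CA\CRLPeriod
    certutil -config $OldCaConfig -CRL
    return ($LASTEXITCODE -eq 0)
}

function Test-BothRootsTrusted {
    # While the PKIs coexist, both roots must be trusted by the domain.
    # On a domain member, AD-published roots arrive in LocalMachine\Root
    # through group policy, so the store reflects what clients will trust.
    $newRoot = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $NewRootCer
    $store   = Get-ChildItem Cert:\LocalMachine\Root
    $hasNew  = $store | Where-Object { $_.Thumbprint -eq $newRoot.Thumbprint }
    $hasOld  = $store | Where-Object { $_.Subject -like '*Corp-Enterprise-Root-CA*' }  # hypothetical name
    [pscustomobject]@{
        NewRootTrusted = [bool]$hasNew
        OldRootTrusted = [bool]$hasOld
    }
}

$retire = Get-OldCaRetirementDate
if ($retire) {
    "Old root must stay online for CRLs until $retire"
} else {
    "No unexpired certificates remain: old root can be removed"
}
Test-OldCaCrlPublishing
Test-BothRootsTrusted
```

If `Get-OldCaRetirementDate` returns a date years out (long-lived machine or user certificates), the practical choice is to re-enroll those objects from the new issuing CA and revoke the old ones rather than wait, which moves the retirement date forward; either way the old CA keeps publishing CRLs until the last certificate it issued is gone.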
 