klalakomacoi asked:
Migrate from 1-tier to 2-tier Certificate Services architecture

I have a single tier MCS running on Windows 2003. I want to change this to a two-tier architecture while retaining validity of previously issued certs - are there any guides out there on how to do this?

Paranormastic replied:

PKI is too complicated for a 'quick answer' in a guide that applies to your situation exactly.  If you like I can try to help give you some direction.

Are you looking to keep the existing server around as the root of the new PKI, or remove that and start over properly?

Are you planning to upgrade from 2003 to 2008?  Or just have the new one as 2008 for the online subordinate CA?  Standard edition or Enterprise edition?

If you're keeping the existing CA, was it installed as standalone or enterprise?

Was the Active Directory Certificate Services - installation guide (AD CS == 2008)

Are there any unique requirements (such as being cross-certified with another company or organization), or just for internal use?

Approximately how large is your organization?  Under 1000 certs, 1000-10,000, over 10,000?  Don't base this on just your employee base, but rather what you expect to issue certs for (user smartcards, user email signing, user email encryption, user EFS, internal server SSL, workstations, etc.)

Are you more concerned about budget or security?  Since you had a single tier before I would figure budget, but since you're looking to do this right I would figure you have a little bit of funding to make the best solution without getting extreme.


References - most of this is written for 2008, but most of it will apply to 2003 as well:

How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250

Active Directory Certificate Services - installation guide (AD CS == 2008)
http://technet.microsoft.com/en-us/library/cc772393.aspx
 
AD CS upgrade & migration guide:
http://technet.microsoft.com/en-us/library/cc742515.aspx
 
General Technet stuff on 2008 CA:
http://technet.microsoft.com/en-us/library/cc726345.aspx

 
klalakomacoi (asker) replied:
Yes you're right, I should be more specific.

I have a single certificate server handling our certs so that our users can log into our VPN; there are 11 VPN users and I don't expect them to increase to more than 20 over the next few years. I issue my VPN users a smartcard with a logon certificate, and they use that to access our VPN.

This application sits on its own DMZ, has its own Windows 2003 Active Directory domain, and the 11 users are on this domain.

While these users are small in number the application they are using is critical to the business, and the bosses want redundancy all over.  So I thought the best way to do this was to move to a two tier architecture.  I don't want to call the smart cards back in because these users are spread over the country and it would be just too disruptive.

So basically I'm looking to switch to a two tier architecture purely to increase redundancy, not for security or performance reasons.

So to your questions:
1. Are you looking to keep the existing server around as the root of the new PKI, or remove that and start over properly?

I'm not really sure, but I know I want the already issued keys and smartcards to continue to be valid.

2. Are you planning to upgrade from 2003 to 2008?  Or just have the new one as 2008 for the online subordinate CA?  Standard edition or Enterprise edition?

No plans to change to 2008, but if you think that there's something worthwhile there and you can guide me to some talking points to take to my boss, I'd be very grateful. Standard edition.

3. Was the Active Directory Certificate Services - installation guide (AD CS == 2008)

I'm afraid I don't understand the question.

4. Are there any unique requirements (such as being cross-certified with another company or organization), or just for internal use?

Internal use only.
SOLUTION (Paranormastic; the answer text is not shown on this page)

klalakomacoi (asker) replied:
This sounds all very sensible, and you are right, the issue is really about DR rather than redundancy.  The virtualised environment seems to be the way to go.

My original question is still relevant though, how do we move to two tier while still keeping the validity of previously issued certs?  Are there any guides out for that?
ASKER CERTIFIED SOLUTION (the answer text is not shown on this page)