Hello, I have an MS enterprise root CA that is about to expire. I have alot of VPN clients with certificates on this CA. Is it possible to run a parrallel MS enterprise root CA on another server on the domain and steadily migrate my clients over before the expiration date. Would this cause any issues I'm not aware of ?

Thanks in advance

Who is Participating?
ParanormasticConnect With a Mentor Cryptographic EngineerCommented:
Yes, it is possible.  If you were thinking of changing your PKI now would be the time to do it.  If you weren't, it is not necessary to set up a new root - you can renew the root certificate within the CA console or using certutil -renewcert and the old certs will still be valid.  You will have two CRLs to publish for a brief time during the overlap period, the new one will have a (1) at the end of the filename before the .crl extension.  

Remember to update your AIA location(s) with the new CA cert.  Also remember to make a fresh backup of your CA database, the new private key, and the first new CRL to store off-server (e.g. floppy or flash drive) locked up for emergency recovery.

Also note that all of the certs that were issued will all expire on or before the same time as the root.

If any of the certs were issued to your DC, you will need to reboot the DC for the new cert to go into use instead of the cached copy.

When you are ready to remove the old root:
How to decom a CA server properly from AD:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.