Recently we found out that we needed to change the cryptographic hash algorithm on our CAs to SHA256. Unfortunately our offline Root CA (rootca01) was corrupt and therefore the PKI chain is broken. We have spun up a new Root CA (rootca02) and are wondering whether we can point the intermediate CA (subca01) at rootca02 without breaking the certs currently issued somehow?
What is the best practice for this scenario? Server 2012.
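The check a practitioner would want before re-parenting an intermediate CA is whether leaf certificates it already issued still build a valid chain once its own certificate is re-issued by the new root. The script below is an added example, not part of the original question or of any Microsoft tooling; it models the scenario with openssl on a throwaway PKI rather than AD CS, and the names rootca01, rootca02 and subca01 are taken from the post only to mirror it. It shows the one condition that matters: the subordinate's existing key pair must be kept (re-sign the original CSR), because a re-keyed subordinate invalidates every certificate it previously signed.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway PKI with openssl
# and check whether a leaf issued by subca01 still verifies after subca01's own
# certificate is re-issued by a new root. All names and paths are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# keyid-only AKI, as most CA profiles use, so the chain is bound to the issuer's
# key rather than to the old root's name and serial number
cat > ca_ext.cnf <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
cat > leaf_ext.cnf <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

q() { "$@" >/dev/null 2>&1; }   # run an openssl command quietly

# Original hierarchy: rootca01 -> subca01 -> leaf
q openssl req -x509 -newkey rsa:2048 -nodes -keyout rootca01.key -out rootca01.crt \
    -subj "/CN=rootca01" -days 30
q openssl req -newkey rsa:2048 -nodes -keyout subca01.key -out subca01.csr -subj "/CN=subca01"
q openssl x509 -req -in subca01.csr -CA rootca01.crt -CAkey rootca01.key -CAcreateserial \
    -out subca01_old.crt -days 30 -extfile ca_ext.cnf
q openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=server.example.test"
q openssl x509 -req -in leaf.csr -CA subca01_old.crt -CAkey subca01.key -CAcreateserial \
    -out leaf.crt -days 30 -extfile leaf_ext.cnf

# Replacement root (rootca02). Re-issue subca01 from it two ways:
#   subca01_new.crt   - signs the ORIGINAL CSR, i.e. the existing subca01 key (correct)
#   subca01_fresh.crt - same subject name but a brand-new key (re-key; the mistake to avoid)
q openssl req -x509 -newkey rsa:2048 -nodes -keyout rootca02.key -out rootca02.crt \
    -subj "/CN=rootca02" -days 30
q openssl x509 -req -in subca01.csr -CA rootca02.crt -CAkey rootca02.key -CAcreateserial \
    -out subca01_new.crt -days 30 -extfile ca_ext.cnf
q openssl req -newkey rsa:2048 -nodes -keyout subca01_fresh.key -out subca01_fresh.csr -subj "/CN=subca01"
q openssl x509 -req -in subca01_fresh.csr -CA rootca02.crt -CAkey rootca02.key -CAcreateserial \
    -out subca01_fresh.crt -days 30 -extfile ca_ext.cnf

# verify_leaf ROOT INTERMEDIATE: exit 0 if leaf.crt chains to ROOT via INTERMEDIATE
verify_leaf() {
    openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1
}

# report LABEL ROOT INTERMEDIATE: human-readable result line
report() {
    if verify_leaf "$2" "$3"; then echo "$1: leaf verifies"; else echo "$1: leaf DOES NOT verify"; fi
}

report "old chain (rootca01 -> subca01_old)"        rootca01.crt subca01_old.crt
report "new root, old subca cert (rootca02 -> old)" rootca02.crt subca01_old.crt
report "new root, re-signed same key (-> new)"      rootca02.crt subca01_new.crt
report "new root, re-keyed subca (-> fresh)"        rootca02.crt subca01_fresh.crt
```

The two lines to compare are the last two: re-issuing subca01's certificate over its existing key lets previously issued certificates keep verifying once clients trust rootca02, whereas generating a new key for subca01 breaks them even though the subject name is unchanged.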