I have an internal root CA server that runs on Windows 2003, standalone and not connected to the network, to issue SHA-1 certificates. Is it possible for me to have another internal root CA server running on Windows 2012 R2, standalone and not connected to the network, to issue SHA-2 certificates?
This is so I can generate SHA-1 certificates for legacy applications using the existing CA, and generate SHA-2 certificates using the new CA for the applications that are currently using SHA-1 but can support SHA-2.
What is the best practice to achieve this? Will both root CA servers run with different names or the same name? Can someone please advise me on the step-by-step process to achieve this? I want to migrate to SHA-2, but at the same time I don't want to affect my existing root CA.
Also, how will I renew the certificates of the existing applications using the new Windows 2012 R2 CA so they can use SHA-2?