Hello, I am planning a PKI architecture but I have little exprience with PKI. I would like to have a 2-tier Windows 2012 PKI Infrastructure (offline Root and online issuing CA) and I want to install a second Enterprise issuing CA running Windows 2008 R2. The root CA I want to install it in a Windows Server 2012 Enterprise edition member server non DC standalone CA wich I will put offline, the issuing CA will Windows 2012 Enterprice edition member server Enterprise CA online. The AIA and CDP locations will be published in AD. Certificates are issued for internal use for webserver https, exchange communications and primarely for SCCM 2007 in native mode. The AD schema is currently at 2008 R2 (47) but the AD functional level is still 2003. I want to know if adding a second windows 2008 R2 sub EnterpriseCA is a supported configuration? Thanks in advance. Hava a great day!

You can have as many SubCAs as you want.

Thank you LutzMH for your response.... But my question is not regarding the number of subCAs, is about wether the subCAs have to be Windows 2012 same as the root or not. Can they be 2008R2 or other?. I know they will have less features available but it is possible to have subCA on windows 2008R2? Or besides the features is there some other reason why they have to be the same version than the Root CA? Thanxs. Alexis Lamonja

as Hasain stated you can mix versions, no prob

Thank you!Alexis Lamonja