Certificate Authority advice
Currently we have an internal Enterprise CA because we have UAG with DirectAccess, which uses Computer certificates.
We need to move this Enterprise CA role to another server, let's say from CA1 to CA2, but we do NOT want to decommission CA1; we need it for other roles.
What would be the best or ideal method for this change in our AD, with the clients that currently have certificates from the old CA1 and the UAG that relies on those Computer certificates in mind?
1 set up a brand new CA2 server with a new Enterprise Root CA role, new cert and new key, delete templates from CA1, supersede the old Computer template and eventually uninstall the CA role on CA1
or
2 back up the old CA1 (key, config, database), uninstall the CA role on CA1, install the CA role on CA2 and use the cert/key and config from CA1
Hope someone can give me some advice; I simply cannot decommission CA1, so using the migration method of renaming the new server to CA1 is NOT possible.
Thanks in advance, fellow IT'ers
August 9th, 2012 1:02pm
I would go for a new Enterprise Root CA in parallel with the current one (your option number 1), and decommission CA1 only after all of CA1's issued certificates have expired.
You cannot immediately uninstall CA1 because it must still periodically sign its CRLs so that current certificate clients can validate its certificates.
ondrej.
August 11th, 2012 1:22am
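The two facts the answer hinges on, when the last CA1-issued certificate expires and whether CA1's CRL is still within its validity window, can both be checked from the CA itself. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes it runs on CA1 (or on a machine with the CA tools installed, using `-config` to reach CA1), that the CA configuration string `$CaConfig` and the published CRL path `$CrlPath` are replaced with your own values, and that `certutil` prints its English output format (the `NextUpdate:` line and the `CertUtil:` status line are matched by text). Everything else uses only stock `certutil` verbs (`-view`, `-dump`, `-CRL`).

```powershell
# Added example, not from the thread. $CaConfig and $CrlPath are assumptions;
# replace them with the real "host\CA name" string and CRL location for CA1.
$CaConfig = 'CA1.corp.example\Corp-CA1-CA'                            # assumed
$CrlPath  = 'C:\Windows\System32\CertSrv\CertEnroll\Corp-CA1-CA.crl'  # assumed

function Get-IssuedCertificateExpiry {
    param([string]$Config)
    # Disposition 20 = issued (revoked, denied and pending rows are excluded).
    # The column list is fixed so the CSV can be re-headed with our own names.
    $raw = & certutil -config $Config -view -restrict 'Disposition=20' `
              -out 'RequestID,NotAfter,CommonName,CertificateTemplate' csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed for $Config" }
    # Drop certutil's display-name header row, blank lines and the status footer.
    $rows = $raw | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
                   Select-Object -Skip 1
    $rows | ConvertFrom-Csv -Header RequestID,NotAfter,CommonName,Template |
        ForEach-Object {
            [pscustomobject]@{
                RequestID  = [int]$_.RequestID
                NotAfter   = [datetime]::Parse($_.NotAfter)
                CommonName = $_.CommonName
                Template   = $_.Template
            }
        }
}

function Get-DecommissionReadiness {
    param([string]$Config)
    # Summarise how much of CA1's issued population is still unexpired and when
    # the last one lapses: that date is the earliest safe decommission point.
    $certs = @(Get-IssuedCertificateExpiry -Config $Config)
    $live  = @($certs | Where-Object { $_.NotAfter -gt (Get-Date) })
    $last  = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
    [pscustomobject]@{
        IssuedTotal       = $certs.Count
        StillValid        = $live.Count
        LastExpiry        = if ($last) { $last.NotAfter } else { $null }
        LongestLivedCerts = $live | Sort-Object NotAfter -Descending |
                            Select-Object -First 5 RequestID,CommonName,Template,NotAfter
    }
}

function Test-CrlCurrent {
    param([string]$Path)
    # certutil -dump prints a "NextUpdate:" line for a CRL. Once that date has
    # passed, revocation checking on CA1-issued certificates starts to fail, so
    # CA1 must keep republishing (certutil -CRL) until they have all expired.
    $dump = & certutil -dump $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for $Path" }
    $line = $dump | Where-Object { $_ -match 'NextUpdate:' } | Select-Object -First 1
    if (-not $line) { throw "No NextUpdate line found in $Path" }
    $next = [datetime]::Parse(($line -replace '^.*NextUpdate:\s*', '').Trim())
    [pscustomobject]@{
        CrlPath    = $Path
        NextUpdate = $next
        IsCurrent  = ($next -gt (Get-Date))
        Action     = if ($next -gt (Get-Date)) { 'OK' }
                     else { 'Expired: run "certutil -CRL" on CA1 to republish' }
    }
}

Get-DecommissionReadiness -Config $CaConfig | Format-List
Test-CrlCurrent -Path $CrlPath | Format-List
```

Run this on a schedule while CA2 is autoenrolling the replacement Computer certificates; the `StillValid` count should fall towards zero as the superseded template re-enrolls clients, and `LastExpiry` tells you when CA1's CA role (and its CRL publishing) can finally be retired without breaking revocation checks for UAG/DirectAccess clients. The database view only knows about certificates CA1 issued through its own database, so certificates imported elsewhere or CA1's own root certificate still need to be accounted for by hand.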