Certificate Services - Root CA

Jay Patel

Can anyone tell me if they know of issues running two root
CAs. Basically I have a root CA set up on a DC. The DC is
unstable and is going to be re-built. I wanted to set up
another root CA and re-issue new certs. Does anyone know of
any problems running two root CAs?

Thanks
 
We run 2 enterprise subordinate CAs in our AD for issuing
Domain Controller certs (to support smart card logon).
Typically, we get one up and running, and it issues all
the DC certs before the second one comes up -- and the
second CA really doesn't do much, but they get along just
fine.

The only issue you're likely to run into is this: When
the CRLs from the current CA expire, the certs it issued
will become unverifiable (essentially useless). But it's
an easy fix: Once the new CA is up, visit each DC and
request a new cert. Once the DCs have certs from a
running CA which is timely issuing CRLs, you'll be back in
business.

Peter Schlephendorfer
P.S. Consulting
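
A CRL carries its own expiry in the nextUpdate field, so the point at which the old CA's certificates stop validating can be checked ahead of time. The sketch below is an added example, not part of the original thread: it reads thisUpdate/nextUpdate from a DER-encoded CRL using only the Python standard library and flags a CRL that is expired or close to it. The function names, the two-day warning window and the sample CRL (made-up issuer, placeholder signature) are assumptions, and the CRL signature is not verified.

```python
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):  # UTCTime (0x17) or GeneralizedTime (0x18); %y pivots at 69, RFC 5280 at 50
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList; nextUpdate may be None."""
    _, p, _ = _tlv(der, 0)                # CertificateList SEQUENCE
    _, p, tbs_end = _tlv(der, p)          # TBSCertList SEQUENCE
    tag, _, e = _tlv(der, p)              # version INTEGER, or the algorithm if version is absent
    if tag == 0x02:
        _, _, e = _tlv(der, e)            # signature AlgorithmIdentifier
    _, _, e = _tlv(der, e)                # issuer Name
    tag, s, e = _tlv(der, e)              # thisUpdate
    this_update, next_update = _time(tag, der[s:e]), None
    if e < tbs_end:
        tag, s, e = _tlv(der, e)
        if tag in (0x17, 0x18):           # nextUpdate is optional in the ASN.1
            next_update = _time(tag, der[s:e])
    return this_update, next_update

def crl_status(der, now, warn=timedelta(days=2)):
    """Classify a CRL; 'expired' is the state in which the CA's certs stop validating."""
    _, next_update = crl_validity(der)
    if next_update is None:
        return "no-nextupdate"
    if now >= next_update:
        return "expired"
    return "expiring" if next_update - now <= warn else "valid"

def _der(tag, *parts):                    # short-form DER encoder, enough for the sample
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
# Constructed sample CRL: made-up issuer, placeholder signature, valid 2024-01-01 to 2024-01-08.
_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")), _der(0x05))
_NAME = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x0C, b"Example Root CA"))))
SAMPLE_CRL = _der(0x30, _der(0x30, _der(0x02, b"\x01"), _ALG, _NAME,
                             _der(0x17, b"240101000000Z"), _der(0x17, b"240108000000Z")),
                  _ALG, _der(0x03, b"\x00\x00"))
```

To check a real CRL, read the `.crl` file as bytes (DER form) and pass `datetime.now(timezone.utc)` as `now`.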
 