Is it Possible to Have Two Root Certificates in My Domain?

Asked By TechGuru42 On

I'm currently working with an old Certificate Authority that uses SHA1, and I'm considering setting up a second enterprise CA with a new root certificate that utilizes SHA256. I'm curious if there are any potential issues or complications involved in doing this, or if I'm just overthinking it.

3 Answers

Answered By AdminWizard On

Absolutely fine to have two root certs! But when you set up the new enterprise CA, it's usually better to create the new root first before migrating any existing services or systems to it. This makes the process less complicated. Just be sure to log where your old root CA is being used as a trusted source, since you'll want to migrate that trust to your new root CA.

UserExpert77 -

Good point! Treating the new PKI like a fresh install helps keep things organized and minimizes potential headaches down the road.
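The advice above to log where the old root is still trusted is easiest to act on with an inventory script. The following is an added example, not code from anyone in this thread: it walks the LocalMachine My, CA and Root stores on a Windows host, builds each certificate's chain, records which root it terminates at, and flags anything still anchored to the old root or still signed with SHA-1. The two thumbprint values are placeholders you would replace with your own roots' thumbprints; the store names and the .NET X509Chain class are standard, everything else (variable names, the CSV file name) is an assumption of this example.

```powershell
# Added example: inventory which certificates on this host still chain to the
# old SHA1 root, so the trust can be migrated before that root is retired.
# Both thumbprints are placeholders (assumptions of this example).
$OldRootThumbprint = 'REPLACE_WITH_OLD_ROOT_THUMBPRINT'
$NewRootThumbprint = 'REPLACE_WITH_NEW_ROOT_THUMBPRINT'

function Get-RootThumbprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is skipped on purpose: this is an inventory, not a
    # validation, and an unreachable CRL would otherwise hide the chain.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Cert)
    if ($chain.ChainElements.Count -eq 0) { $chain.Reset(); return $null }
    # The last element of a built chain is the root the platform trusted.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    $chain.Reset()
    return $root
}

$report = foreach ($store in 'My', 'CA', 'Root') {
    foreach ($cert in Get-ChildItem -Path "Cert:\LocalMachine\$store") {
        $root  = Get-RootThumbprint -Cert $cert
        $label = if ($null -eq $root)                  { 'NO-CHAIN' }
                 elseif ($root -eq $OldRootThumbprint) { 'OLD-ROOT' }
                 elseif ($root -eq $NewRootThumbprint) { 'NEW-ROOT' }
                 else                                  { 'OTHER' }
        [pscustomobject]@{
            Store        = $store
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            SigAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            NotAfter     = $cert.NotAfter
            ChainsTo     = $label
        }
    }
}

# What must move before the old root goes away: anything still anchored to it,
# plus anything signed with SHA-1 regardless of which root it chains to.
$report |
    Where-Object { $_.ChainsTo -eq 'OLD-ROOT' -or $_.SigAlgorithm -like 'sha1*' } |
    Sort-Object Store, NotAfter |
    Format-Table Store, Subject, SigAlgorithm, NotAfter, ChainsTo -AutoSize

# Keep the full inventory per host so results can be compared across the estate.
$report | Export-Csv -Path "$env:COMPUTERNAME-cert-inventory.csv" -NoTypeInformation
```

Run it under an account that can read the LocalMachine stores on each server you care about (domain controllers, NPS servers used for 802.1X, web and mail servers), and keep the CSVs: the list of hosts whose report goes empty is your evidence that the old root can be removed from the trusted root policy.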

Answered By NetMaster On

I've done this multiple times, and it's pretty straightforward! Once you're ready to start issuing new certificates, you just need to change the group policies so the new certificates are deployed from the new CA. One thing to keep in mind is to update everything that references the old CA, especially if you have network policies that rely on 802.1X.

Answered By CodeNinja99 On

Yes, you can definitely have two root certificates in your domain! It's actually a good plan to migrate to a new CA with a stronger security standard. I recommend making the transition slowly and carefully. When you're ready to switch from the old CA to the new one, consider cross-signing the roots to facilitate a smoother cutover. Just ensure that your environment can support the new certificate requirements, especially with standards like WPA3-192.

SecureVault24 -

That's a solid approach! Also, if you're worried about security, having hardware security modules like YubiHSM2s can keep your root keys safe and ensure they aren't exposed in plaintext.
