What Are the Potential Issues with Having Two Root Certificates in an Active Directory Environment?

Asked By TechieDude42 On

I'm looking for advice on managing root certificates in an Active Directory (AD) environment. Right now, we have one AD Certificate Services (AD-CS) server with a single root certificate and no intermediate certificate. This setup currently handles web certificates for internal sites and provides LDAPS and HTTPS configurations for our services. I've been advised against renewing the existing root cert and instead to create a new root on a separate server, one that is offline, along with an intermediate CA on an online server. I'm hoping to smoothly transition to these new certificates without causing interruptions. Here are my specific concerns:

1) Is it safe to have two root certificates and two AD-CS in the same domain?
2) Will creating new root and intermediate certificates affect our existing web certificates or services reliant on the current root certificate?
3) Should I expect any complications with our current certificates during this transition?

Thanks for any insights!

1 Answer

Answered By CertMaster99 On

In a domain, having multiple root CAs or AD-integrated CAs generally shouldn't cause any issues. Just be careful with the certificate templates; make sure you specify the correct intermediate server when enrolling. It’s worth checking out some guidelines on what happens in AD when you install a new CA to avoid surprises later!

TechieDude42 -

Thanks a lot for your insight!
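
The answer's advice about templates and naming the correct CA when enrolling can be checked against what AD actually publishes. The script below is an added example, not part of the thread: it assumes a domain-joined Windows machine, performs read-only LDAP queries against the Configuration partition, and uses a helper name (`Get-PkiObject`) and a request file name (`request.req`) that are made up for illustration.

```powershell
# Added example: read-only inventory of the PKI objects published in AD.
# Run as a domain user on a domain-joined machine.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Hypothetical helper: return all objects of one class from a PKI container.
function Get-PkiObject([string]$Container, [string]$Class) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $s.Filter     = "(objectClass=$Class)"
    $s.FindAll()
}

# 1. Root certificates AD distributes to domain members. During a migration
#    both the old and the new root can be listed here at the same time.
Get-PkiObject 'Certification Authorities' 'certificationAuthority' | ForEach-Object {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [byte[]]$_.Properties['cacertificate'][0])
    [pscustomobject]@{
        Root = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
    }
} | Format-Table -AutoSize

# 2. Online issuing CAs and the templates each one publishes.
$cas = Get-PkiObject 'Enrollment Services' 'pKIEnrollmentService' | ForEach-Object {
    [pscustomobject]@{
        Config    = '{0}\{1}' -f $_.Properties['dnshostname'][0], $_.Properties['cn'][0]
        Templates = @($_.Properties['certificatetemplates'])
    }
}
$cas | Format-Table Config, @{ n = 'Templates'; e = { $_.Templates -join ', ' } } -Wrap

# 3. Templates published on more than one CA: a client that does not name a
#    CA may get its certificate from either one.
$cas | ForEach-Object { $c = $_.Config; $_.Templates | ForEach-Object {
        [pscustomobject]@{ Template = $_; CA = $c } } } |
    Group-Object Template | Where-Object Count -gt 1 |
    Select-Object Name, @{ n = 'OfferedBy'; e = { $_.Group.CA -join '; ' } } |
    Format-Table -AutoSize

# To enroll against one specific CA, pass its Config string explicitly
# (request.req is a placeholder file name):
#   certreq -submit -config "<Config value from step 2>" request.req
```

Step 1 shows the expiry date of each published root, which is the date that matters for certificates still chaining to the old root.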
