In our current setup we have an enterprise root CA online that does the issuing of certificates to end entities. It is running on Windows 2008 R2. It currently supports the SHA-1 algorithm.
We are planning to build a new PKI two-tier hierarchy composed of a standalone root CA (offline) and two issuing CAs (online). The first issuing CA is SHA-2 while the other issuing CA is SHA-1 (for legacy apps).
Question:
Is this a practical setup that supports newer and legacy apps?
Can the old PKI infra work side by side with the newly built PKI hierarchy while slowly migrating to the new one?
How to determine which CA to select when enrolling for a certificate?
How do you recover a compromised issuing CA?
Do we manually reissue the certificates of the current apps?