Dear Experts,
Currently we have a Root CA on our Domain Controller. I'm looking into the possibility of creating a new PKI where we can leave the root CA untouched but let the clients start using our new CA with SHA-256. Is that possible?
Hello EavenHuang,
Yes, this is possible, and you can set up a two-tier or one-tier CA hierarchy for the PKI. You can follow the following documents for either kind of deployment:
For one-tier PKI:
You can have two one-tier CA servers (two different online Enterprise root CA servers) in one AD domain.
ADCS Step by Step guide Single Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx
For two-tier PKI:
You can have one two-tier PKI in one AD domain: a two-tier PKI with one offline Standalone root CA server and one online Enterprise subordinate CA server.
AD CS Step by Step guide: Two Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx
Or two-tier PKI with one online Enterprise root CA server and one online Enterprise subordinate CA server.
--If the reply is helpful, please Upvote and Accept as answer--
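The two-tier deployment described in the answer above (offline Standalone root, online Enterprise subordinate CA, both signing with SHA-256, the existing root left alone), as an added PowerShell example that is not part of the original post or of Microsoft's step-by-step guides. CA names, host names, file paths and template names are assumptions; the cmdlets (`Install-AdcsCertificationAuthority`, `Add-CATemplate`, `Remove-CATemplate`) and the `certutil`/`certreq` switches are the real ones shipped with AD CS.

```powershell
# Added example (not from the original post): stand up a new SHA-256, two-tier PKI
# beside the existing root on the domain controller, then move enrollment to it.
# "Contoso Root CA G2", "Contoso Issuing CA G2", ROOTHOST, C:\PKI and the template
# names are assumptions. Each section says which host it runs on.

# --- 0. On the EXISTING root CA: see what it signs with today (read-only) ---
certutil -getreg ca\csp\Provider            # a legacy "...Cryptographic Provider" = CSP, not KSP
certutil -getreg ca\csp\CNGHashAlgorithm    # missing/empty on a CSP-backed CA => SHA-1 era CA

# --- 1. On a NEW, non-domain-joined server that becomes the offline root ---
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName "Contoso Root CA G2" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `  # KSP, required for SHA-2
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force
New-Item -ItemType Directory -Path C:\PKI -Force | Out-Null
certutil -ca.cert C:\PKI\ContosoRootCAG2.crt                 # export the new root cert
certutil -crl                                               # publish an initial CRL
Copy-Item C:\Windows\System32\CertSrv\CertEnroll\*.crl C:\PKI\
# Carry C:\PKI to the domain on removable media; the root stays off the network.

# --- 2. On a domain-joined server (as Enterprise Admin): trust the root, build the sub CA ---
certutil -dspublish -f C:\PKI\ContosoRootCAG2.crt RootCA     # AD: trusted root for all clients
certutil -dspublish -f "C:\PKI\Contoso Root CA G2.crl"       # AD: CDP for the root's CRL
gpupdate /force                                              # pick up the new root locally
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName "Contoso Issuing CA G2" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile C:\PKI\IssuingCAG2.req `          # CA is installed but stopped
    -Force

# --- 3. Back on the offline root: sign the subordinate CA request ---
$config = "ROOTHOST\Contoso Root CA G2"
$submit = certreq -submit -config $config C:\PKI\IssuingCAG2.req
# A standalone root holds requests as pending; parse the RequestId certreq printed.
$reqId  = [int]([regex]::Match(($submit -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value)
certutil -resubmit $reqId                                    # issue the pending request
certreq -retrieve -config $config $reqId C:\PKI\IssuingCAG2.cer

# --- 4. On the subordinate CA: install the signed CA certificate and start issuing ---
certutil -installcert C:\PKI\IssuingCAG2.cer                 # needs the root in Trusted Roots (step 2)
Start-Service certsvc

# --- 5. Verify SHA-256 end to end, then point enrollment at the new CA ---
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -like '*Contoso Issuing CA G2*' |
    Select-Object Subject, @{n='SigAlg'; e={ $_.SignatureAlgorithm.FriendlyName }}
# Expected SigAlg: sha256RSA. The same check on a leaf cert issued later should match.

Import-Module ADCSAdministration
Add-CATemplate -Name WebServer   -Force                      # template names are assumptions
Add-CATemplate -Name Workstation -Force
Add-CATemplate -Name User        -Force

# --- 6. (Optional, later) On the OLD root: stop it issuing without decommissioning it ---
# Only once autoenrollment has moved; the old root must keep running to publish CRLs
# for the certificates it already issued until they expire or are reissued.
# Get-CATemplate | ForEach-Object { Remove-CATemplate -Name $_.Name -Force }
```

Two caveats a practitioner should keep in mind. First, the new hierarchy is a separate trust chain: clients trust "Contoso Issuing CA G2" only because step 2 published the new root into AD (Trusted Root and NTAuth) and Group Policy delivered it; check a workstation's `Cert:\LocalMachine\Root` after `gpupdate` before switching templates. Second, SHA-256 signing requires the CA key to live in a CNG KSP; an existing CA on a legacy CSP cannot simply be told `certutil -setreg ca\csp\CNGHashAlgorithm SHA256` without first migrating its key, which is exactly the change to the old root that the question wants to avoid, and why a fresh subordinate under a fresh root is the cleaner route.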