Microsoft
MicrosoftAnthonyBartolothanks, but the requested was Offline Standard Root CA and Online Enterprise Issuing (subordinate) CA. I was able to complete my task using your other post(s) and piecemealed with a few other blogs to work out enough of the process. The new article I am sure will help a bunch of others though that have purely Online Enterprise Root CA environments. Others with the recommended Offline Root CA and Online Subordinate CA are likely still hoping for a full run-down of the process. Steps were pretty much the same, but having to throw in transferring of signing requests between offline/online CAs, updating the CRLs from Offline Root to Online LDAP and HTTP CDP locations, and in my case I resigned a new request for the Online to have all the new server names in the certificates and AIA/CDP file names/paths. I can't detail it all out, but I am sure others would appreciate it if you were able to! Oh and I did not need to reissue certificate templates. They were still there and active when all was said and done...
EddPrI reissued my Root CA with the same key (not a new one), which I think keeps the peace with the old certificates. I then used that to reissue my enterprise online CA cert, and then was sure to load all of those updated files to the AIA and CDP locations for LDAP/HTTP. I did not remove any of the files from my HTTP location so older CRT files are still there for old server names, etc. Has been done for a few weeks and no issues thus far.
