Forum Discussion

StefanoC66
Iron Contributor
Jun 09, 2025

Multiple CA on same domain

We're about to deploy a new two-tier Windows PKI in a domain which already has a 1-tier Enterprise CA and wonder about possible impacts on the current configurations.

Devices and Users are auto-enrolling with the current CA through GPO, and what can be the impact of the new CA? How will the users get the certificate from the old or the new CA selectively? Is it just managed by the template's security settings, which by default allow authenticated users/devices to enroll?

What sort of impact can we expect?

thanks

1 Reply

  • Deploying a new two-tier PKI (offline Root CA + issuing CA) in a domain that already has a one-tier Enterprise CA is fully supported, but behavior depends entirely on how templates and enrollment are configured.

    There is no automatic “switch” of enrollment from the old CA to the new CA. Auto-enrollment is driven by certificate templates and template permissions.

    Here’s how it works in practice:

    Auto-enrollment logic

    When a user or device performs auto-enrollment, the client:

    • Queries AD for available certificate templates
    • Checks which templates it has permission to enroll in
    • Contacts an Enterprise CA that has that template published

    If both CAs publish the same template and permissions allow enrollment, clients may enroll against either CA. That can lead to unexpected certificate issuance.

    Key control mechanisms

    Enrollment behavior is controlled by:

    1. Template security permissions
      If Authenticated Users (or Domain Computers) have Enroll permission on both templates on both CAs, enrollment is possible on either.
    2. Template publication on the CA
      Even if a template exists in AD, it will only issue from CAs where the template is explicitly published.
    3. Template duplication
      Best practice in migration scenarios is:
    • Duplicate templates for the new CA
    • Publish new templates only on the new issuing CA
    • Remove old templates from the legacy CA

    This gives you deterministic control.

    What impact can you expect?

    1. Duplicate certificates
      If both CAs issue the same template, clients may end up with certificates from both CAs.
    2. Trust chain changes
      With a two-tier PKI, the certificate chain now includes:
      Offline Root → Issuing CA → End-entity certificate

    Make sure:

    • The new root certificate is trusted in AD
    • The CRL distribution points are reachable
    • AIA and CDP are correctly configured
    3. Auto-enrollment refresh behavior
      Existing certificates will not automatically “move” to the new CA. Certificates are renewed based on template settings and renewal thresholds.

    If you want a controlled migration:

    Recommended approach

    1. Deploy the new two-tier PKI fully
    2. Publish new templates only on the new issuing CA
    3. Remove enrollment permissions from old templates
    4. Force auto-enrollment refresh via GPO or certutil
    5. Gradually decommission the old CA once certificate lifetimes expire

    Important question

    Are you replacing the current CA or running both in parallel long-term?

    If replacing, you must plan for:

    • Certificate lifetime overlap
    • Revocation strategy
    • CRL/AIA continuity
    • Template migration

    If running both in parallel without strict template control, you risk nondeterministic enrollment.

    In summary:

    Auto-enrollment is governed by template permissions and publication on specific CAs. Without careful template and publication control, clients may enroll from either CA.
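The following script is an added example, not code from the thread: it reads the Configuration partition to list every certificate template, which Enterprise CAs publish it, and whether a broad principal (Authenticated Users, Domain Computers, Domain Users) holds Enroll or AutoEnroll on it, flagging the "broadly enrollable and published on more than one CA" case the reply warns about. It assumes the ActiveDirectory RSAT module and read access to the Configuration naming context; the principal name patterns and the MultiCARisk label are the example's own.

```powershell
# Added example (not from the thread): audit template publication and Enroll/AutoEnroll ACEs.
# Assumes the ActiveDirectory RSAT module and read access to the Configuration partition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Extended-right GUIDs for the Certificate-Enrollment and Certificate-AutoEnrollment ACEs
$enrollGuids = @([guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55',
                 [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2')

# Principals whose Enroll right effectively opens the template to the whole domain (assumed list)
$broadPatterns = @('*\Authenticated Users', '*\Domain Computers', '*\Domain Users')

# 1. Build template -> publishing CA(s) from each pKIEnrollmentService object
$publishedBy = @{}
$caObjects = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates
foreach ($ca in $caObjects) {
    foreach ($t in @($ca.certificateTemplates)) {
        if (-not $publishedBy.ContainsKey($t)) { $publishedBy[$t] = @() }
        $publishedBy[$t] += $ca.Name
    }
}

# 2. Inspect each template's DACL for Enroll/AutoEnroll allowed to a broad principal.
#    Note: ACEs granting GenericAll also permit enrollment; they are not matched here.
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties nTSecurityDescriptor
$report = foreach ($tpl in $templates) {
    $broadEnroll = $false
    foreach ($ace in $tpl.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($enrollGuids -notcontains $ace.ObjectType) { continue }
        foreach ($p in $broadPatterns) {
            if ($ace.IdentityReference.Value -like $p) { $broadEnroll = $true }
        }
    }
    $cas = @($publishedBy[$tpl.Name])
    [pscustomobject]@{
        Template    = $tpl.Name
        PublishedOn = ($cas -join ', ')
        BroadEnroll = $broadEnroll
        # The case the reply describes: broadly enrollable and offered by more than one CA
        MultiCARisk = ($broadEnroll -and $cas.Count -gt 1)
    }
}
$report | Sort-Object MultiCARisk -Descending | Format-Table -AutoSize
```

Rows with MultiCARisk set to True are the templates to duplicate, republish on the new issuing CA only, and unpublish from the legacy CA before relying on deterministic enrollment.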