Oh wow :) What are you using certificates for? That's got to be your first question. If you just issue a handful of authentication certs and you don't care if your Root CA is ever compromised, then just set up another one. As long as it's an Enterprise CA (Microsoft's term for AD-integrated), then the CA's signing cert will be added to all domain-joined members as a trusted root CA. You need to use Windows Server Enterprise Edition if you want to edit certificate templates.
If you are somewhat worried about the impact of revoking and reissuing your root CA's cert in the event of compromise, I strongly suggest you get the MS Press PKI book (http://www.amazon.com/Windows-Server-Certificate-Security-PRO-Other/dp/0735625166/) by Brian Komar. You will gain a good insight into how PKI is supposed to work, and a better idea of reference architecture (e.g. having a root CA and a separate issuing CA, and why). Then you can make an informed decision on where you want to compromise on that reference architecture (e.g. it's not worth dividing these two roles).

Cheers
Ken

From: N Parr [mailto:[email protected]]
Sent: Friday, 25 February 2011 7:28 AM
To: NT System Admin Issues
Subject: Multiple Root CA's in same domain?

The reason I ask is I'm migrating my RADIUS for Cisco wireless authentication from 03 to NPS on 08R2. My existing Root CA is on my Exchange 03 server, which is next on my list to get migrated to Exchange 2010 and go away. The existing RADIUS server is using the existing Exchange server as CA. Can I just set up a new Root CA on my 08R2 server that will be running NPS? If so, should it be Enterprise or Standalone, new private key, etc.? Right now when I create the new wireless policy in NPS it wants to grab a cert from my old Exchange box. If I can set up a new Root CA, will NPS automatically use the new local CA?

Thanks
Niles
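Ken's point that an Enterprise CA's signing cert gets pushed to every domain-joined member is something worth verifying before cutting over NPS, and again after the old Exchange-hosted CA is retired. The script below is an added example, not code from Ken or Niles: it reads the CAs published in the forest's Certification Authorities and NTAuthCertificates containers and checks whether each one is actually in the local machine's Trusted Root store. It assumes a domain-joined host with the RSAT ActiveDirectory PowerShell module; the variable and function names are mine.

```powershell
# Added example, not part of the original thread.
# Compares the CA certs published in Active Directory (where an Enterprise CA
# registers its signing cert) against this machine's Trusted Root store.
# Assumes: domain-joined host, RSAT ActiveDirectory module available.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$caContainer = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"
$ntAuthDN    = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"

# Helper (hypothetical name): turn the raw DER bytes stored in cACertificate into an X509Certificate2
function ConvertTo-X509 {
    param([byte[]]$Raw)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Raw)
}

# One AD object per root CA registered in the forest; cACertificate is multi-valued
$publishedRoots = Get-ADObject -SearchBase $caContainer `
    -LDAPFilter '(objectClass=certificationAuthority)' -Properties cACertificate |
    ForEach-Object {
        $name = $_.Name
        foreach ($raw in $_.cACertificate) {
            $c = ConvertTo-X509 $raw
            [pscustomobject]@{ CAObject = $name; Subject = $c.Subject; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter }
        }
    }

# NTAuth lists the CAs whose issued certs are accepted for domain authentication
$ntAuth       = Get-ADObject -Identity $ntAuthDN -Properties cACertificate
$ntAuthThumbs = @($ntAuth.cACertificate | ForEach-Object { (ConvertTo-X509 $_).Thumbprint })

$localRoots = Get-ChildItem Cert:\LocalMachine\Root

$report = foreach ($r in $publishedRoots) {
    [pscustomobject]@{
        CAObject    = $r.CAObject
        Subject     = $r.Subject
        Thumbprint  = $r.Thumbprint
        Expires     = $r.NotAfter
        InLocalRoot = ($localRoots.Thumbprint -contains $r.Thumbprint)
        InNTAuth    = ($ntAuthThumbs -contains $r.Thumbprint)
    }
}

$report | Format-Table -AutoSize
```

Run it on the NPS box and on a sample wireless client. A row with InLocalRoot false usually means Group Policy has not refreshed yet or the CA was installed as Standalone rather than Enterprise; a row that still shows the decommissioned Exchange CA means its AD objects were left behind and will keep being distributed until they are cleaned up, which is also how you spot an unexpected extra root that somebody else registered.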
