Convert an Enterprise Root CA to an Offline Root CA RRS feed

  • Question

  • Hello,

    One of our clients has a single enterprise root CA and they now want to implement a CA hierarchy with an offline root CA. Is there a way I can install an offline root CA, a new enterprise sub CA using the same keys as those of the current enterprise root CA, establish trust between the offline root and the new enterprise sub without effecting currently issued certificates?

    If that doesn't work, is there any way I can do that without revoking or invalidating active certificates? Or would the only way be to scrap everything and start from scratch, causing interruption of some services for sometime until the whole work is done and new certificates can be issued?

    Thank you in advance for you answer,


    Tuesday, February 24, 2009 2:19 PM





    Yes, it is possible to migrate from an Enterprise to a Stand-alone CA. Please remember that previously issued certificates may have AIA extensions that point to the issuing CA certificate. These AIA URLs need to continue to be valid. 


    You may also refer to the following articles:


    How to move a certification authority to another server



    Migrating from a Stand-alone to an Enterprise CA


    • Marked as answer by Joson Zhou Tuesday, March 3, 2009 2:19 AM
    Friday, February 27, 2009 9:35 AM

All replies