Migrating Microsoft Enterprise Root CA to An Offline Root CA Hierarchy

Assuming you have an existing Enterprise Root CA installed on a Domain Controller and you want to split it into an offline root CA hierarchy: a standalone root CA that stays off the network, and an online Enterprise subordinate CA that does the day-to-day issuing.
 
Target Hierarchy: Offline Root CA -> Issuing CA
 
1. Back up the CA on the Enterprise Root CA (check http://support.microsoft.com/kb/298138/en-us for everything that needs to be backed up: the CA database, the CA certificate with its private key, and the CertSvc configuration registry key)
2. Prepare the Standalone Root CA on a different server. Before installing the role, create CAPolicy.inf in C:\Windows (check http://technet2.microsoft.com/WindowsServer/en/library/25127c1f-4880-4764-85e8-226ce41588881033.mspx); setup only reads it at install time
3. Copy the backup files you created in step 1 to the new offline Root CA computer. Note: this new offline Root CA should be in a workgroup, not joined to the domain, since it will be kept off the network
4. Install the Standalone Root CA choosing to use the existing key (the CA certificate and private key from the backup), then restore the backed-up CA database and certificates on the Root CA
5. Configure the CRL (CDP) extensions on the Root CA so the CRL locations placed in the certificates it issues point to places domain clients can reach; the offline root itself is never on the network
6. Uninstall the Enterprise CA from the Domain Controller
7. Configure the Offline Root CA using the script at http://technet2.microsoft.com/windowsserver/en/library/62a656d6-8023-4142-bb39-a10a0f7b14681033.mspx?mfr=true
8. Install another CA as an Enterprise Subordinate (Issuing) CA. Note: this server will be a member of your domain
9. Import the Root CA's certificate on the Issuing CA so that it trusts the root
10. Generate a certificate request from the Issuing CA. Copy the .req file to your offline Root CA and issue the certificate there using the Certification Authority MMC (a standalone CA holds submitted requests as pending until you issue them)
11. Export the certificate issued by the Root CA and install it on the Issuing CA; the subordinate CA service cannot start until its own certificate is installed
12. Publish the Root CA's CRL and certificate (.crl and .crt) in Active Directory. Check http://technet2.microsoft.com/windowsserver/en/library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true for the steps
13. From the client machines, renew the existing certificates using "Renew with same key", or rely on auto-enrollment via Group Policy
14. The certification path on client machines should change to RootCA -> SUBCA -> "Certificate"
15. The issuer of the certificate now shows as SUBCA, where before it showed ROOTCA (the Enterprise CA installed earlier)
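The hierarchy-building part of the procedure above (steps 2, 5 and 8 through 14), as an added example in PowerShell and not code from the original post: the same work done with certutil/certreq instead of wizard clicks. It assumes steps 1, 3 and 4 (back up the old CA and restore it onto the offline root with its existing key) were done as described. The host names, CA names, HTTP publishing URL and transfer drive are assumptions; the Install-AdcsCertificationAuthority cmdlet assumes Windows Server 2012 or later (the post's era used the role wizard). Each section is labelled with the machine it runs on.

```powershell
# Added example (not from the original post). Assumed names below; replace them.
$RootHost = 'OFFROOT'                 # assumed: workgroup server, kept off the network
$RootCA   = 'Contoso Root CA'         # assumed root CA common name
$SubHost  = 'ISSUE01'                 # assumed: domain-joined issuing CA
$SubCA    = 'Contoso Issuing CA'      # assumed issuing CA common name
$HttpBase = 'http://pki.contoso.com/CertEnroll'   # assumed web server hosting CDP/AIA files
$Transfer = 'D:\'                     # assumed removable media carried to/from the root
$RootCert = Join-Path $Transfer "${RootHost}_${RootCA}.crt"   # certutil names it <host>_<CA>.crt
$RootCrl  = Join-Path $Transfer "$RootCA.crl"
$SubReq   = Join-Path $Transfer "$SubCA.req"
$SubCert  = Join-Path $Transfer "$SubCA.cer"

# ---- Step 2, on $RootHost, BEFORE the CA role is installed --------------------
# CAPolicy.inf is read from %SystemRoot% during setup. An offline root gets no
# CDP/AIA in its own self-signed certificate (nothing can revoke a root) and a
# long CRL period, because it is powered on only to sign subordinate CAs and
# republish its CRL. Single-quoted here-string: no $-expansion of "$Windows NT$".
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@ | Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Encoding ASCII

# ---- Step 5, on $RootHost, after the standalone root is installed (step 4) -----
# These URLs go into certificates the root signs, i.e. the issuing CA's certificate.
# Flag 1 = write the file here on publish, 2 = put the URL in the issued cert's
# CDP/AIA extension. Deliberately no LDAP URL: a workgroup machine cannot write to
# AD, and the chain must build even from a host that cannot reach AD. The files
# are carried to the domain and published with certutil -dspublish below.
certutil -setreg CA\CRLPublicationURLs "1:$env:SystemRoot\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:$HttpBase/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:SystemRoot\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$HttpBase/%1_%3%4.crt"
certutil -setreg CA\ValidityPeriodUnits 10      # lifetime of the subordinate CA certs it signs
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service CertSvc
certutil -crl                                   # publish a CRL under the new settings
Copy-Item "$env:SystemRoot\system32\CertSrv\CertEnroll\*.crt" $Transfer
Copy-Item "$env:SystemRoot\system32\CertSrv\CertEnroll\*.crl" $Transfer

# ---- Steps 8-10, on $SubHost (domain member, run as Enterprise Admin) ----------
# Publish the root into AD first: the RootCA target writes it to the Certification
# Authorities container and the trusted-root store that Group Policy pushes to
# every domain member. -addstore trusts it on this host immediately.
certutil -dspublish -f $RootCert RootCA
certutil -addstore -f Root $RootCert
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# With no reachable parent CA the cmdlet writes a request file and leaves CertSvc stopped.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName $SubCA `
    -KeyLength 4096 -HashAlgorithmName SHA256 -OutputCertRequestFile $SubReq -Force

# ---- Steps 10-11, on $RootHost -------------------------------------------------
# A standalone CA holds submitted requests as pending (the MMC "Pending Requests"
# folder); -resubmit issues the request by ID, then -retrieve writes out the cert.
$out = certreq -submit -config "$RootHost\$RootCA" $SubReq
$id  = [int][regex]::Match(($out -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value
certutil -resubmit $id
certreq -retrieve -config "$RootHost\$RootCA" $id $SubCert

# ---- Steps 11-14, on $SubHost --------------------------------------------------
certutil -installcert $SubCert                  # install the root-signed CA certificate
Start-Service CertSvc
certutil -dspublish -f $RootCrl                 # root CRL into the AD CDP container
# Also copy the root's .crt/.crl to the web server behind $HttpBase (site-specific).
# -urlfetch really downloads every CDP/AIA URL in the chain: this is the check that
# domain clients can build RootCA -> SUBCA -> leaf while the root stays offline.
certutil -verify -urlfetch $SubCert
# Step 13, on a client: re-enrol under the new chain. -pulse triggers autoenrollment;
# the certreq form renews one certificate (by serial number) and keeps its key pair.
#   certutil -pulse
#   certreq -enroll -machine -q -cert <SerialNumber> Renew ReuseKeys
```

The one check worth insisting on is the `certutil -verify -urlfetch` line: it fails loudly if a CDP or AIA URL in the issuing CA's certificate is unreachable, which is exactly the failure mode of an offline root whose published files were never copied to the web server or Active Directory.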
Cheers !!!
 

Migrating from Enterprise Root CA to Another Server

Here's the process by which you can migrate an Enterprise Root CA to another server, assuming that your current Enterprise CA is installed on the Domain Controller.
 
• On the existing DC, back up Certificate Services (follow http://support.microsoft.com/kb/298138/en-us). Also back up the registry keys mentioned in the article.
• Remove Certificate Services from the existing DC/CA.
• Transfer the FSMO roles from the old DC to the ADC (this makes the ADC the DC that holds the roles).
• Run DCPROMO on the old DC to demote it, then rename the server so its old name is free.
• Run DCPROMO on the renamed server to make it an ADC (optional).
• Build a member server with the same name as the old DC and join it to the domain.
• Install Certificate Services on the new member server, choosing to use the existing keys and supplying the backed-up CA certificate and private key, so the CA name and key are unchanged.
• Restore Certificate Services on the new member server. Also restore the registry keys you backed up in the first step.
Note: the new CA server must have the same name as before. The host name and CA name are embedded in the CA certificate and in the default CRL/AIA URLs of every certificate it has issued, so a different name breaks their chains.
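The backup and restore halves of the procedure above (the first bullet, and the last two), as an added PowerShell example that is not code from the original post. The FSMO transfer and DCPROMO bullets in between are not scripted. The backup path and the PFX passphrase are assumptions; the CA name is read from the registry rather than hard-coded, and Install-AdcsCertificationAuthority assumes Windows Server 2012 or later (the wizard's "Use existing keys" option does the same thing on older versions).

```powershell
# Added example (not from the original post). Assumed values; replace them.
$Backup  = 'E:\CABackup'                # assumed: a volume that survives the rebuild, or removable media
$PfxPass = 'ChangeMe-LongPassphrase'    # assumed; the backed-up CA private key is only as safe as this
$CfgReg  = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'   # for reg.exe
$CfgPs   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'  # same key, PowerShell path

# ---- On the old DC/CA, before Certificate Services is removed --------------------
function Backup-CA {
    New-Item -ItemType Directory -Force -Path $Backup | Out-Null
    # -backup writes DataBase\ (the ESE database and log files) plus <CA name>.p12,
    # the CA certificate with its private key, encrypted with the -p passphrase.
    certutil -p $PfxPass -backup $Backup
    # The Configuration key holds the CA name, CDP/AIA URLs and policy settings. The
    # KB article lists it because -backup does not cover it.
    reg export $CfgReg "$Backup\CertSvc-Configuration.reg" /y
    # Record what the new server has to match: host name and CA common name are baked
    # into the CA certificate and the default http://<host>/CertEnroll URLs.
    $caName = (Get-ItemProperty -Path $CfgPs).Active   # "Active" = name of the active CA
    @{ Host = $env:COMPUTERNAME; CAName = $caName } | ConvertTo-Json |
        Set-Content -Path "$Backup\identity.json"
}

# ---- On the rebuilt member server, after it is domain-joined under the old name ---
function Restore-CA {
    $id = Get-Content "$Backup\identity.json" | ConvertFrom-Json
    if ($env:COMPUTERNAME -ne $id.Host) {
        throw "This host is $env:COMPUTERNAME but the CA was backed up on $($id.Host); rename it first."
    }
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
    # Reinstall with the EXISTING certificate and key from the backup, so the CA name,
    # key and issuer name are unchanged and previously issued certificates keep chaining.
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
        -CertFile (Join-Path $Backup "$($id.CAName).p12") `
        -CertFilePassword (ConvertTo-SecureString $PfxPass -AsPlainText -Force) -Force
    Stop-Service CertSvc
    certutil -f -p $PfxPass -restore $Backup      # database plus key/cert from the backup
    reg import "$Backup\CertSvc-Configuration.reg"
    Start-Service CertSvc
    # Proof it worked: the CA answers, reports the old name, and can sign a fresh CRL
    # with the restored key.
    certutil -ping
    certutil -cainfo name
    certutil -crl
}

# Usage: Backup-CA on the old server, carry $Backup across, Restore-CA on the new one.
```

Keep the .p12 and its passphrase apart from each other while the backup is in transit: whoever holds both can issue certificates as your enterprise root.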
 
ADC = Additional Domain Controller
DC = Domain Controller