Question : Certificate Authority 2003, 2008 Enterprise Root CA

Currently running a Server 2003 forest with a root and one child domain. We currently have a stand-alone Enterprise Root CA in the child domain that runs on a Server 2003 PDC Emulator. We use it to issue user certs for two-tier SSL VPN authentication. I inherited this design and realize it is flawed in several ways.

I would like to implement a two-tier Offline Root/Online Issuing CA Server 2008 R2 PKI infrastructure. The current root CA cert expires in 2011. I need the new Certificate Services solution ASAP. I do not want the Enterprise Root CA to run on a Domain Controller; I want it to be offline. The Domain Controller which is the current Enterprise Root CA is required for LDAP authentication and needs to remain a domain controller.

Can I:
1) Bring a Server 2008 Enterprise Root CA online in the same domain as the existing one,
2) while keeping the existing CA in place temporarily for legacy applications, and then
3) phase out the old CA as users start to get their user certs from the new CA?

Thanks for your suggestions.

Answer : Certificate Authority 2003, 2008 Enterprise Root CA

You can, but usually when talking about redundancy you do it at the subordinate level and just issue the same templates to both online CAs. They will flip-flop for issuance, and if one is not available the other will be, even when renewing an autoenrollment cert that was originally issued from the other CA.

The offline root is there for security reasons, not for high availability. It is easy enough to do a Windows Backup with system state to properly recover the root if need be, or, if you install it in a VM, to just back up the image to an external hard drive that you keep locked up/offsite.

When creating backups you should back up the private key of the CA and keep it super-secured, locked up somewhere. In a disaster situation you can then restore the failed CA's private key onto the production CA and use the certutil -sign command to re-sign the CRLs, etc. while you are recovering the CA. This is also why it is a good idea to issue your CRLs via script (certutil -crl) at the half-life of the CRL to allow for overlap, so you have time to recover from issues. More info here:

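As an added example illustrating the scripted CRL publication the answer recommends (this is not code from the original answer or from Microsoft), the script below reads the issuing CA's configured CRL period from the registry, publishes a fresh CRL with certutil -crl, logs the new CRL's NextUpdate, and registers itself as a scheduled task that fires at half the CRL period so consecutive CRLs overlap. Assumptions that are mine rather than the page's: it runs on the online issuing CA as an administrator, certutil.exe is on the PATH, the default CertEnroll CRL file name is in use, and the script lives at the hypothetical path C:\PKI\Publish-Crl.ps1. schtasks.exe is used instead of the ScheduledTasks module because Server 2008 R2 does not ship that module.

```powershell
<#
  Added example (not from the original Q&A): publish the issuing CA's base CRL
  at half its validity period and register that as a scheduled task.
  Assumed (hypothetical) paths: C:\PKI\Publish-Crl.ps1 and C:\PKI\Publish-Crl.log.
  Usage:  .\Publish-Crl.ps1 -Install   # create the task once
          .\Publish-Crl.ps1            # what the task runs: publish one CRL
#>
[CmdletBinding()]
param(
    [string]$ScriptPath = 'C:\PKI\Publish-Crl.ps1',   # assumed location of this file
    [switch]$Install                                   # register the scheduled task
)

$CertSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$LogFile       = 'C:\PKI\Publish-Crl.log'
New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null

function Get-ActiveCaName {
    # The 'Active' value names the CA instance hosted by this CertSvc.
    return (Get-ItemProperty -Path $CertSvcConfig).Active
}

function Get-CrlPeriodHours {
    # CRLPeriod/CRLPeriodUnits are the values 'certutil -setreg CA\CRLPeriod...' edits.
    $caKey = Get-ItemProperty -Path (Join-Path $CertSvcConfig (Get-ActiveCaName))
    $hoursPerUnit = switch ($caKey.CRLPeriod) {
        'Hours'  { 1 }
        'Days'   { 24 }
        'Weeks'  { 24 * 7 }
        'Months' { 24 * 30 }
        'Years'  { 24 * 365 }
        default  { throw "Unexpected CRLPeriod value '$($caKey.CRLPeriod)'" }
    }
    return [int]$caKey.CRLPeriodUnits * $hoursPerUnit
}

function Publish-Crl {
    # certutil -crl makes the CA issue a new base CRL (and delta, if enabled)
    # and push it to every configured CDP location.
    $output = & certutil.exe -crl 2>&1
    if ($LASTEXITCODE -ne 0) {
        Add-Content -Path $LogFile -Value "$(Get-Date -Format s) CRL publish FAILED: $output"
        return $false
    }
    # Log the NextUpdate of the CRL just written so a misconfigured period shows up early.
    $crlPath = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll\$(Get-ActiveCaName).crl"
    $next = & certutil.exe -dump $crlPath | Select-String -Pattern '^\s*NextUpdate:' | Select-Object -First 1
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) CRL published; $($next.Line.Trim())"
    return $true
}

function Install-CrlTask {
    # Run at half the CRL period, floored so the task never fires later than the half-life.
    $halfHours = [math]::Max(1, [math]::Floor((Get-CrlPeriodHours) / 2))
    $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    if ($halfHours -lt 24) {
        $when = @('/SC', 'HOURLY', '/MO', $halfHours)          # schtasks HOURLY /MO is 1..23
    } else {
        $days = [math]::Max(1, [math]::Floor($halfHours / 24))
        $when = @('/SC', 'DAILY', '/MO', $days, '/ST', '02:00')
    }
    & schtasks.exe /Create /F /RU SYSTEM /TN 'PKI\Publish-Crl' /TR $cmd @when
    if ($LASTEXITCODE -ne 0) { throw 'schtasks.exe failed to create the task' }
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) task registered: every $halfHours hour(s)"
}

if ($Install) {
    Install-CrlTask
} elseif (-not (Publish-Crl)) {
    exit 1
}
```

Publishing at half the period means that when a CA fails, the CRL already on the CDP is still valid for roughly half its lifetime, which is the recovery window the answer refers to; if that window is not enough, lengthen CRLPeriodUnits (and restart CertSvc) rather than shortening the schedule. If the CA's key has to be restored onto another machine during that window, certutil -sign can re-sign the existing CRL with the recovered key, as the answer describes; that step is deliberately not automated here.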