
How to convert subordinate Issuing CA to Enterprise CA?

Franz Schenk 386 Reputation points
2025-12-09T10:17:39.7266667+00:00

Have a two-tier PKI infrastructure with a (non-domain-joined) Enterprise PKI and a domain-joined, AD-integrated issuing PKI.

Certificates are used only for internal purposes. A single domain-joined enterprise PKI would be sufficient and would eliminate the administrative tasks of periodically starting the Offline Root CA and copying its CRLs to the issuing CA.

Is there any "migration path" to convert the issuing subordinate CA into an AD-integrated Enterprise CA in a way that all the issued client certificates (used for Intune and AOVPN) are still valid and trusted after the migration? And that the CRLs of the "old" Offline Enterprise CA are no longer required?

Thank you in advance for any help.

Franz

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)

Answer accepted by question author

  1. Harry Phan 19,165 Reputation points Independent Advisor
    2025-12-09T10:44:49.9233333+00:00

    Hello Franz Schenk,

    In your current setup, the issuing subordinate CA is chained to the offline root CA, which means all certificates issued rely on that root’s trust anchor. Unfortunately, there is no supported migration path to directly “convert” a subordinate CA into a standalone AD-integrated Enterprise CA while retaining validity of previously issued certificates. Once the trust chain changes, existing certificates would no longer validate without the original root CA and its CRLs. The recommended approach is to establish a new AD-integrated Enterprise CA, publish its root certificate to Active Directory, and then gradually reissue certificates for Intune and AOVPN clients under the new hierarchy. During the transition, both PKIs can coexist until all critical certificates are replaced, after which the offline root and its CRLs are no longer required.

    I hope this clarifies the situation, and if you find this answer helpful, please hit “Accept Answer” 🙂.

    Harry.


    1 person found this answer helpful.
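As an added example (not part of this thread or from either answer's author), a PowerShell inventory that builds the chain of every certificate in a store and reports which root it anchors to, so you can see which certificates still depend on the old offline root and its CRL while reissuing under the new enterprise CA. The two root thumbprints are placeholders you replace with your own; revocation is checked for the whole chain, which surfaces certificates that would stop validating once the old root's CRL is no longer published.

```powershell
# Added example (not from the original thread): inventory certificates in a store,
# build each one's chain, and report which trust anchor (root) it ends at.
# Assumption: the two thumbprints below are placeholders for your environment.
param(
    [string]$StorePath         = 'Cert:\LocalMachine\My',
    [string]$OldRootThumbprint = 'REPLACE-WITH-OLD-OFFLINE-ROOT-THUMBPRINT',
    [string]$NewRootThumbprint = 'REPLACE-WITH-NEW-ENTERPRISE-ROOT-THUMBPRINT'
)

$results = foreach ($cert in Get-ChildItem -Path $StorePath) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation for the entire chain: a certificate under the old root only
    # validates while that root's CRL is still published and reachable.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($cert)

    # The last chain element is the root the chain engine found for this certificate.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $hierarchy = switch ($root.Thumbprint) {
        $OldRootThumbprint { 'OldOfflineRoot' }
        $NewRootThumbprint { 'NewEnterpriseRoot' }
        default            { 'Other' }
    }
    # Collapse chain status flags (e.g. RevocationStatusUnknown, OfflineRevocation)
    # into one string so CRL problems are visible next to each certificate.
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Hierarchy   = $hierarchy
        Root        = $root.Subject
        ChainValid  = $valid
        ChainStatus = if ($status) { $status } else { 'NoError' }
    }
    $chain.Reset()
}

$results | Sort-Object Hierarchy, NotAfter | Format-Table -AutoSize

# Per-hierarchy counts: once nothing remains under 'OldOfflineRoot' on all
# relevant machines, the old root's CRL is no longer needed for these certificates.
$results | Group-Object Hierarchy | Select-Object Name, Count
```

Run it on representative clients and servers, not only on the CA host, since the certificates that matter live in the stores of the Intune and AOVPN endpoints.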

1 additional answer

  1. Q&A Assist
    2025-12-09T10:17:59.75+00:00
    AI-generated content. This question contains an answer created with AI from Q&A Assist.

    To convert a subordinate Issuing CA to an Enterprise CA, you generally need to follow a migration process that involves several steps. However, specific details on a direct migration path from a subordinate Issuing CA to an Enterprise CA are not explicitly covered in the provided context. Here are some general steps that are typically involved in such a migration:

    1. Backup Existing CA: Ensure you have a complete backup of the existing subordinate Issuing CA, including its keys and database.
    2. Install Enterprise CA: Set up a new Enterprise CA on a domain-joined server. This CA will be responsible for issuing certificates going forward.
    3. Configure CRLs: Ensure that the new Enterprise CA is configured to publish CRLs in a way that they can be accessed by clients that previously relied on the old Offline Enterprise CA.
    4. Reissue Certificates: Depending on your requirements, you may need to reissue certificates that were issued by the old CA to ensure they are trusted by the new Enterprise CA. This step is crucial if the old certificates are tied to the old CA's CRLs.
    5. Update Trust: Ensure that all clients and services that relied on the old CA are updated to trust the new Enterprise CA. This may involve updating certificate stores and trust relationships.
    6. Decommission Old CA: Once you have verified that all systems are functioning correctly with the new CA, you can decommission the old Offline Enterprise CA.

    It's important to test the migration process in a controlled environment before implementing it in production to ensure that all certificates remain valid and trusted throughout the transition. Additionally, consult Microsoft documentation or support for specific guidance tailored to your environment.

