Hello Mountain Pond,
Thank you for posting in the Q&A forum.
I don’t see the issued certificates for the Issuing CA and now I’m worried that the network certificates will remain valid if the Root CA is turned off or something happens to it. What would you recommend doing in this case?
A1: So both the root CA and the issuing CA are in the domain (online Enterprise CAs), am I right?
If so, I think there are two options in your case.
First
You can issue one issuing CA certificate using the root CA.
Then issue certificates to users, computers (domain controllers) and the network using this issuing CA certificate.
If the user certificates, domain controller certificates and network certificates issued by the issuing CA work fine, then you can revoke the user certificates, domain controller certificates and network certificates that were issued by the root CA.
Second
You can keep the user certificates, domain controller certificates and network certificates issued by the root CA certificate. Then deploy another new PKI structure with a new root CA and multiple new issuing CAs. Then you will have two PKI architectures (one is the single root CA; the other is one root CA with multiple issuing CAs).
As far as I understand, a backup of the Root CA and the presence of one or more Issuing CAs are enough to ensure minimal fault tolerance?
A2: Yes, you are right. You can deploy one Root CA and multiple issuing CAs.
If one of the issuing CAs has a problem, you can use another issuing CA to issue certificates to end entities (user accounts, computer accounts or service accounts).
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
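The first option in the answer above (re-issue from the issuing CA, confirm the new certificates work, then revoke the ones the root CA issued directly) can be checked from a domain member before anything is revoked. The following PowerShell is an added example, not code from the original answer or from Microsoft: it inventories the computer's Personal store, separates certificates issued directly by the root CA from those issued by the issuing CA, verifies that each issuing-CA certificate actually chains to the root, and prints the certutil revocation command for each superseded root-issued certificate instead of running it. The CA subject names and the CA configuration string are assumptions; replace them with your own.

```powershell
# Added example (not part of the original answer). Inventory the local machine's
# certificates, find the ones issued directly by the root CA (the ones the answer
# says to supersede), confirm that their issuing-CA replacements chain to the root,
# and print the certutil commands that would revoke the root-issued ones.
# All three values below are assumptions for this example; replace them.
$RootCaSubject    = 'CN=Contoso Root CA, DC=contoso, DC=com'        # assumed root CA subject
$IssuingCaSubject = 'CN=Contoso Issuing CA 1, DC=contoso, DC=com'   # assumed issuing CA subject
$RootCaConfig     = 'rootca01.contoso.com\Contoso Root CA'          # assumed "CAHost\CAName"

# End-entity certificates in the computer's Personal store. Run the same logic
# against Cert:\CurrentUser\My to cover user certificates.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My

# .Issuer is the issuer DN as a string; the comparison assumes it is written in
# the same "CN=..., DC=..." form as the constants above.
$issuedByRoot    = $certs | Where-Object { $_.Issuer -eq $RootCaSubject }
$issuedByIssuing = $certs | Where-Object { $_.Issuer -eq $IssuingCaSubject }

Write-Host "Certificates issued directly by the root CA (candidates for revocation):"
$issuedByRoot | Format-Table Subject, SerialNumber, NotAfter -AutoSize

# Builds the chain for a certificate and returns $true only if the chain is valid
# and terminates at the expected root. Revocation checking is online, so the
# CRL distribution points of both CAs must be reachable or the build fails for
# a reason unrelated to the chain itself.
function Test-ChainsToRoot {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($Cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    if ($ok -and $top -eq $RootCaSubject) { return $true }
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $Cert.Subject, $s.StatusInformation.Trim())
    }
    return $false
}

# For every root-issued certificate, look for a working replacement with the same
# subject from the issuing CA. Only then is it safe to revoke the old one.
foreach ($old in $issuedByRoot) {
    $replacement = $issuedByIssuing |
        Where-Object { $_.Subject -eq $old.Subject } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $replacement) {
        Write-Warning "No issuing-CA replacement for $($old.Subject); do not revoke yet."
        continue
    }
    if (-not (Test-ChainsToRoot -Cert $replacement)) {
        Write-Warning "Replacement for $($old.Subject) does not chain to the root; do not revoke yet."
        continue
    }
    # Reason code 4 = Superseded. The command is printed, not executed, so the
    # list can be reviewed first; running it requires CA manager rights on the root.
    "certutil -config `"$RootCaConfig`" -revoke $($old.SerialNumber) 4"
}

# After revoking on the root CA, publish a fresh CRL so the revocations take effect.
"certutil -config `"$RootCaConfig`" -CRL"
```

To see what the root CA has actually issued, including whether an issuing CA certificate exists at all (the "I don't see the issued certificates for the Issuing CA" point in the question), query the root CA's database directly: `certutil -config "rootca01.contoso.com\Contoso Root CA" -view -restrict "Disposition=20" -out "RequestID,SerialNumber,CommonName,CertificateTemplate,NotAfter"` lists issued certificates (Disposition 20), and a subordinate CA certificate shows up there with the SubCA template. The script deliberately stops short of revoking anything: a certificate that chains only to the root must keep working until its issuing-CA replacement is installed and verified, otherwise the domain controllers and network devices lose their certificates while the root is still the only issuer they trust.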