We rolled out a root enterprise CA via Server 2016.
The root CA is in play and being used for 802.1x authentication at the moment.
I would like to add 1 or 2 subordinate CA's and take the root CA offline.
Can this be done without affecting production?
If so, how?