This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 95%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hello everybody,
we have a two tier CA with an offline RootCA and two subordinate CAs (Lets call them Sub1 and Sub2). Now we would like to add an additional SubCA and then remove Sub1. What happens when I setup the new SubCA with the existing private from Sub1? Can the new SubCA confirm certificates issued by Sub1? Do the certificates issued by Sub1 remain valid when I remove Sub1? I am not sure in which cases should I choose new / existing key?
Thanks you for clarify
What happens when I setup the new SubCA with the existing private from Sub1?
this is not the right way to do things. If you want to retain the key, then you have to migrate existing CA with all the configuration and CA database to another box. Refer to this document on migration scenarios and migration steps: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486797(v=ws.11)