Possibility of Certificate Template Migration to another active directory

Sundram Sontirkey 97 Reputation points
2024-01-03T04:58:24.5166667+00:00

Hello,

We have got a situation. where we need to create a replica of our production environment. Replica will have a separate domain and separate infrastructure.

My question is related to PKI infrastructure. We have a tier 2 PKI in the prod. There will be a new PKI similar to the prod, created in the new environment.

We require these two certificate authorities to trust each other's certificate. Some services are running on the current environment. will also be accessible to new environments. So, clients in the new environment should have access properly and vice versa.

Now my questions are.

  1. Is it possible to create such trust between two PKIs? If yes, please suggest any documents, if not what are the possible workaround?
  2. Can we export the Certificate Template from the current PKI and import it to the new PKI?

Thanks a lot for your response!

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,516 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,149 questions
Windows Server Infrastructure
Windows Server Infrastructure
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Infrastructure: A Microsoft solution area focused on providing organizations with a cloud solution that supports their real-world needs and meets evolving regulatory requirements.
526 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,272 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Daisy Zhou 20,791 Reputation points Microsoft Vendor
    2024-01-03T06:05:35.6333333+00:00

    Hello Sundram Sontirkey,

    Thank you for posting in Q&A forum.

    Based on my knowledge, PKI is forest-wide, Certificate Template are stored in Configuration Partition in the forest.

    Is it possible to create such trust between two PKIs? If yes, please suggest any documents, if not what are the possible workaround?

    A1: I think we cannot create trust between two PKI in different forest. However, you can create trust between two forests, then one forest without PKI will be able to use PKI in the other forest.

    For more information, please read link below.
    https://video2.skills-academy.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ff955842(v=ws.10)

    Can we export the Certificate Template from the current PKI and import it to the new PKI?
    A2: Certificate templates are stored in Domain Controller in one domain. You can try the suggestion in A1.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments