# PKI -- changing CA keys to 2048



## MLD (Feb 12, 2009)

[ is this the right forum? ]

We have a solid corporate PKI, with offline Root and Intermediate CAs, and online Issuing enterprise CAs in our AD forest. We need to migrate everything from the original 1024-bit CA keys to 2048 or perhaps 4096-bit keys.

I suppose one option (and it's been suggested) is to build a new mirror PKI and gradually age out the old one, but this seems extreme.

How do we re-key our Windows Root, Intermediate and Issuing CAs with larger private keys and preserve our very substantial investment in this corporate PKI? (The CAs are running 2003 server, and we expect to go to 2008 server at some point, though not necessarily this year.)

Thanks for your ideas,

Lynn


----------

