XenMobile: How to migrate the Cert Based Auth from existing CA to a new PKI-Infrastructure (With a new Root CA and Issuing CA)?

Article ID: CTX236065

Description

The existing, working two-factor authentication for XenMobile uses certificate-based authentication as the second factor, with XenMobile certificates issued by a Windows Enterprise Root CA. This Root CA will be decommissioned and replaced by a new Windows Enterprise Issuing CA that is signed by a new Root CA.

Need to know:
1. How to migrate the certificate-based (MDM) authentication from the current Root CA to a new PKI infrastructure (with a new Root CA and Issuing CA)?
2. How to minimize downtime for end-user devices during the migration?


Instructions

  • Because existing devices are using certificates generated by the old CA, it is advisable not to decommission it until all users have been moved to the new one.
  • You can shut down the server and keep it for a DR scenario.
  • Ensure that OCSP and CRL are not enabled for it.

While replacing the PKI servers:
1. Follow the same process that was used when creating the old PKI server.
2. Create the template properly.
3. Upload the new user certificate (DO NOT DELETE THE OLD USER CERT).
4. On the XMS console, add a new PKI entity (DO NOT DELETE THE OLD ONE).
5. On the existing Credential provider, select the new PKI entity.
6. On the NetScaler (NS), upload the new root and intermediate certs (DO NOT DELETE EXISTING CERTS).
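
Why the steps insist on keeping the old certificates in place, shown as an added example that is not part of the Citrix article: a throwaway OpenSSL lab that validates device certificates from both CAs against a trust store holding only the new chain and against one holding old and new together. All CA names, device names and file names are constructed, and `openssl verify` stands in for the gateway's client-certificate chain check.

```shell
#!/bin/sh
# Lab-only PKI built with openssl; every name and subject here is constructed.
set -eu
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT               # throwaway keys, removed on exit
cat > "$W/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# mkroot <name>: create a self-signed root CA
mkroot() {
  openssl req -x509 -config "$W/pki.cnf" -extensions ca -newkey rsa:2048 \
    -nodes -days 30 -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}

# issue <name> <issuer> <ca|leaf>: new key and CSR, signed by <issuer>
issue() {
  openssl req -new -config "$W/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
    -CAcreateserial -days 30 -extfile "$W/pki.cnf" -extensions "$3" \
    -out "$W/$1.pem" 2>/dev/null
}

# trusts <bundle> <cert>: true if <cert> chains to a CA in <bundle>
trusts() { openssl verify -CAfile "$W/$1.pem" "$W/$2.pem" >/dev/null 2>&1; }

mkroot old-root                       # Root CA that will be decommissioned
mkroot new-root                       # new Root CA
issue new-issuing new-root ca         # new Issuing CA signed by the new root
issue old-device old-root leaf        # device enrolled before the migration
issue new-device new-issuing leaf     # device enrolled after step 5

cat "$W/new-root.pem" "$W/new-issuing.pem" > "$W/new-only.pem"  # old CA deleted
cat "$W/old-root.pem" "$W/new-only.pem" > "$W/combined.pem"     # step 6 as written

for bundle in new-only combined; do
  for dev in old-device new-device; do
    if trusts "$bundle" "$dev"; then r=accepted; else r=REJECTED; fi
    echo "$bundle trust store, $dev cert: $r"
  done
done
```

Only the combined trust store accepts both generations of device certificate, so the old CA certificate can be removed once no device still presents a certificate issued by it.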