Our organizational CA is going to expire soon and I want to move it to a new server along with renewing it. I am going to follow option 2 from TID 3618399 but have a couple of things I would like to verify first. I am trying to understand how services are going to be affected during this process, especially LDAP.

1. This option will also renew the organizational CA, not just recreate it at the current expiration date?

2. The document indicates that once you delete the old CA object, the existing certs will still function until they expire. However, once I create the new CA and run pkidiag on my servers, will things then break for services such as LDAP that are using the certs? Should the servers be rebooted after running pkidiag?

3. I had read in some other documents that you should delete the cert objects in the tree. Does this need to be done? This document does not indicate this.

4. My main concern is LDAP services, so I am trying to develop a plan to complete this without an interruption of services. Or do I need to schedule a time to do this off hours?