Re: PKI Question

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/07/05 

Date: Fri, 7 Oct 2005 12:11:13 -0500

To complicate your issue is that you simply can not take your Enterprise
root CA offline assuming your definition of enterprise means that it is a
member of an Active Directory domain. The offline CA would need to be a
"stand alone" CA. I would consider securing your current CA by not allowing
the server to be used for anything else, restricting who can logon to it,
and physically securing it to some degree. The link below explains how to
move it to another server if that would help. --- Steve

http://support.microsoft.com/?id=298138

"Russ Allen" <RussAllen@discussions.microsoft.com> wrote in message
news:91F25D01-F084-4288-9CD9-23E84D90DCB7@microsoft.com...
>I am in charge of a PKI Enterprise Root CA that issues out certs for a ift
> certificate site automatically and I was presented with taking off the
> Root
> CA and putting in two subordinate CAs. We run the Root CA on a VM and it
> is
> not going to be very secure (andyone can log on to the server powerup the
> VM
> and log on and do their thing) I think we are making this over cmplicated,
> we
> only service that one site and it has been running smooth for several
> years.
> It was stated the 2 tiers was the best practice but I don't feel we need
> to
> do that just one Sub CA if any a bit of wisdom is requeted from this fine
> community. thanks in advance.
>
> Russ Allen

Relevant Pages

  • Re: Enterprise Root CA Install
    ... It can be any web server location that is publicly accessible. ... offline root should be off the network and the CRL should be periodically ... copied from the offline root to a an online location specified in the CDP ... > an "Enterprise subordinate CA" installation. ...
    (microsoft.public.win2000.security)
  • Moving Enterprise Root CA
    ... I have an enterprise root CA on a Windows Server 2003 Standard Edition server. ... I have got the budget to put Windows Server 2003 Enterprise Edition in, but it will have to be on another server - and the previous server cannot be taken out of service or renamed. ... Create a new Subordinate Enterprise CA on the new Enterprise Edition server, subordinated from the new Root CA ...
    (microsoft.public.windows.server.security)
  • Re: AD design question
    ... The cases where you put in a root domain for the purposes of enterprise administration are very rare and specialised. ... I may be in the minority, but I have never seen the value of the empty root domain, except to solve political issues or for VARs and consultants to sell more hardware and server licenses. ... access resources in other forest ... - empty domain model would not "secure" the enterprise admin ...
    (microsoft.public.windows.server.active_directory)
  • Re: Installing a Enterprise Root CA in a mixed mode environment
    ... Enterprise Root CA. ... Enterprise Admins group for the forest and local admin on the server you are ... Install a Windows 2003 PKI on a W2000 AD ...
    (microsoft.public.windows.server.active_directory)
  • Re: Installing a Enterprise Root CA in a mixed mode environment
    ... Enterprise Root CA. ... Enterprise Admins group for the forest and local admin on the server you are ... Install a Windows 2003 PKI on a W2000 AD ...
    (microsoft.public.windows.server.active_directory)