Re: PKI Question

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/10/05


Date: Sun, 9 Oct 2005 20:24:04 -0500

Because an Enterprise CA is integrated with Active Directory which requires
access to Active Directory. It would not be a configuration supported by
Microsoft. The link below explains more. --- Steve

http://support.microsoft.com/?kbid=271386

To configure the offline root CA, install Certificate Services as a
stand-alone root CA. An enterprise root requires access to the Active
Directory, which is unavailable if the server is disconnected from the
network. You should not install an enterprise root on an offline domain
controller.

"Russ Allen" <RussAllen@discussions.microsoft.com> wrote in message
news:1B7A581A-1618-497D-846B-D1A6D149911C@microsoft.com...
> Thanks for the information, but could you please give some more detail as
> to why that CA can't be taken offline. Thanks again.
>
> "Steven L Umbach" wrote:
>
>> To complicate your issue is that you simply can not take your Enterprise
>> root CA offline, assuming your definition of enterprise means that it is a
>> member of an Active Directory domain. The offline CA would need to be a
>> "stand alone" CA. I would consider securing your current CA by not allowing
>> the server to be used for anything else, restricting who can logon to it,
>> and physically securing it to some degree. The link below explains how to
>> move it to another server if that would help. --- Steve
>>
>> http://support.microsoft.com/?id=298138
>>
>> "Russ Allen" <RussAllen@discussions.microsoft.com> wrote in message
>> news:91F25D01-F084-4288-9CD9-23E84D90DCB7@microsoft.com...
>> > I am in charge of a PKI Enterprise Root CA that issues out certs for a
>> > ift certificate site automatically, and I was presented with taking off
>> > the Root CA and putting in two subordinate CAs. We run the Root CA on a
>> > VM and it is not going to be very secure (anyone can log on to the
>> > server, power up the VM, and log on and do their thing). I think we are
>> > making this over-complicated; we only service that one site and it has
>> > been running smoothly for several years. It was stated that two tiers
>> > was the best practice, but I don't feel we need to do that, just one Sub
>> > CA if any. A bit of wisdom is requested from this fine community. Thanks
>> > in advance.
>> >
>> > Russ Allen
>>
>>
>>

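The design the thread settles on (a stand-alone root on a machine that is never domain-joined and stays powered off, with an Enterprise subordinate inside the domain doing the issuing) looks like the following on a current Windows Server. This is an added example, not code from the posts or from the Microsoft KB articles linked above; the `Install-Adcs*` cmdlets postdate the 2005 thread, and the server names `ROOTSRV`, the CA names, the `C:\transfer` path, the request ID and the `http://pki.example.com` URL are placeholders.

```powershell
# Added example, not from the original thread or the KB articles. Assumes
# Windows Server 2012 R2 or later with the ADCSDeployment module; names,
# paths, the request ID and the URL below are placeholders.

# --- Step 0: confirm what kind of CA the existing server is -------------------
# CertSrv records the role as a CAType DWORD under the active CA's key, using
# the ENUM_CATYPES values: 0 = Enterprise Root, 1 = Enterprise Subordinate,
# 3 = Standalone Root, 4 = Standalone Subordinate. A 0 here is the case Steve
# describes: it depends on AD and cannot simply be unplugged.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$active = (Get-ItemProperty $cfg).Active
$type   = (Get-ItemProperty "$cfg\$active").CAType
$names  = @{ 0 = 'Enterprise Root'; 1 = 'Enterprise Subordinate';
             3 = 'Standalone Root'; 4 = 'Standalone Subordinate' }
"CA '$active' is CAType $type ($($names[$type]))"

# --- Step 1: on a WORKGROUP server that never joins the domain ---------------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'Example Offline Root CA' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# The root will be powered off, so relying parties must find its CRL and
# certificate somewhere that is online. Flag 1 = publish to the local file,
# flag 2 = stamp the URL into the CDP/AIA of certificates the root issues.
# %1 = server DNS name, %3 = CA name, %4 = cert renewal suffix, %8%9 = CRL suffixes.
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt"
# A long CRL lifetime, because the box is only powered up to re-sign it.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
Restart-Service certsvc
certutil -crl
# Copy the .crt and .crl from $env:windir\system32\CertSrv\CertEnroll to
# removable media; they go to the web server and into AD in the next step.

# --- Step 2: on a DOMAIN-JOINED server, run as an Enterprise Admin -----------
# Publish the root certificate and CRL into AD so domain members trust the
# root and can locate its CRL without ever contacting the offline machine.
certutil -dspublish -f 'C:\transfer\ROOTSRV_Example Offline Root CA.crt' RootCA
certutil -dspublish -f 'C:\transfer\Example Offline Root CA.crl'
# Create the subordinate; it writes a request file and leaves the service
# stopped until the signed certificate comes back from the root.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'Example Issuing CA' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\transfer\IssuingCA.req' -Force

# --- Step 3: carry IssuingCA.req to the root on removable media and sign it ---
# A stand-alone root holds requests as pending; certreq prints the RequestId.
certreq -submit -config 'ROOTSRV\Example Offline Root CA' C:\transfer\IssuingCA.req
certutil -resubmit 2          # 2 = the RequestId printed above (placeholder)
certreq -retrieve -config 'ROOTSRV\Example Offline Root CA' 2 C:\transfer\IssuingCA.cer

# --- Step 4: back on the subordinate, install the chain and start issuing ----
certutil -addstore -f Root 'C:\transfer\ROOTSRV_Example Offline Root CA.crt'
certutil -installcert C:\transfer\IssuingCA.cer
Start-Service certsvc
```

The point of Step 0 is the one Steve makes: the registry value tells you whether the box is an Enterprise CA (AD-bound) before anyone plans to unplug it. The HTTP CDP/AIA in Step 1 is the caveat an offline root introduces: with no AD publication from the root itself, the CRL must be re-signed before it expires and copied to the web server by hand, or every certificate the issuing CA signs will start failing revocation checks.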

