Re: Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs



On Tue, 18 Mar 2008 22:45:03 -0700 (PDT), Chris Morley wrote:

> Hi, my existing setup is/was simple. Had a single site Active
> Directory for 30 users and an Exchange server.

> All computer workstation identification certs were pushed out via
> autoenrollment and as such they trust the root CA which was the one to
> issue the certificates.

This is not why they trust the root. They trust the root because the root
CA is an Enterprise root which means its CA certificate gets published to
Active Directory and gets installed in the Trusted Root store on client
computers in the forest through Group Policy.

> As I will now have a number of sites I think it would be prudent to
> have subordinate CAs at each remote location to issue certificates
> there.

> My question is, how would this affect the current computers having the
> existing CA where it is directly issued from the enterprise root,
> compared to other computers who were issued via the subordinate CA
> when I get them running?

It would not affect the existing certificates at all.

> I'm guessing not much, since all computers
> will trust the root anyway through the certificate tree? Only
> downside is if the root got compromised in this scenario since they would
> still trust it.

Which is why it is generally a bad idea to use an Enterprise root which
must, by definition, be on the network. For 30 users and internal only
certificates you're likely ok with an online Enterprise root.


> To aid my understanding, do enterprise root CAs issue certificates to
> workstations by default? I'm guessing not, since I had to create a
> workstation identification template.

What certificates get issued depends on what certificate templates are
published at an Enterprise CA, whether it is a root or subordinate.


> How could I ensure in future that the root CA only issues certificates
> for other subordinate CAs and NOT workstations? Would this be through
> the certificate management MMC console? Is this controlled by Active
> Directory GPO or some other setting?

Use the Certification Authority console to remove all of the certificate
templates that are published at the root except for the SubCA template.


> What is the purpose of having a root enterprise CA and subordinate
> enterprise CA? I can't see much benefit and indeed maybe this is less
> secure as the root is online... this is fine for small networks but I
> have found it may no longer be ideal for me.

For a small network having an online Enterprise root CA simply makes it
easier as you don't have to manually publish either the root CA certificate
or root CA CRL to the directory; it happens automatically.


> Can Active Directory automatically publish the revocation list to HTTP
> for it to check?

Active Directory has nothing to do with this; the CA, however, can
automatically publish to an HTTP location.

> Do I need to have IIS running on the server? I see
> the URL for revocation checking but when I type it into my browser I
> get a blank page, again I presume because IIS is not running.

The CA does not require IIS unless you want to use the web enrollment pages
or if you are using it to host CRLs.


> Finally, given the site links are expanding, is it possible to move my
> existing enterprise root CA to a standalone root CA, and then create
> multiple subordinate CAs to issue certs on the clients' behalf? This
> would be the ideal setup as a managed upgrading process. Can I move
> the root enterprise CA to an offline root CA?

No, you can't move a root from one type to another, you'd need to install a
new root as an offline standalone root and then manually publish its
certificate and CRL.


--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Semi-conductor: A person hired to lead an orchestra before he has
graduated from director's school.
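The template clean-up Paul describes (leave only SubCA published at the root) can also be scripted and verified. This is an added example, not from the thread; it assumes an elevated PowerShell session on the root CA host with the ADCSAdministration module (Windows Server 2012 or later), and the template names other than SubCA are whatever happens to be published.

```powershell
# Added example: audit the templates published at the root CA and keep only
# SubCA, so the root can sign subordinate CA certificates but never
# end-entity (e.g. workstation) certificates.
# Assumes: elevated session on the root CA itself; ADCSAdministration
# cmdlets act on the local CA only.
Import-Module ADCSAdministration

function Get-PublishedTemplateNames {
    # Get-CATemplate returns one object per template published at this CA.
    Get-CATemplate | Select-Object -ExpandProperty Name
}

function Limit-RootCaTemplates {
    # Removes every published template except SubCA. Run with -WhatIf first
    # to see what would be removed without touching the CA.
    param([switch]$WhatIf)
    $keep   = 'SubCA'
    $before = @(Get-PublishedTemplateNames)
    Write-Host "Published before: $($before -join ', ')"

    foreach ($name in $before) {
        if ($name -ne $keep) {
            if ($WhatIf) {
                Write-Host "Would remove template '$name' from the root CA"
            } else {
                Remove-CATemplate -Name $name -Force   # -Force skips the prompt
            }
        }
    }

    # Make sure SubCA itself is still published; add it back if it was missing.
    if (-not $WhatIf -and ($keep -notin @(Get-PublishedTemplateNames))) {
        Add-CATemplate -Name $keep -Force
    }

    $after = @(Get-PublishedTemplateNames)
    Write-Host "Published after : $($after -join ', ')"
    return $after
}

Limit-RootCaTemplates -WhatIf   # dry run
# Limit-RootCaTemplates         # apply once the dry run looks right
```

After applying, the returned list should contain only `SubCA`; anything else still present means a template was re-published (for example by the Certification Authority console) and should be investigated.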
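Paul's last answer (install a new offline standalone root, then manually publish its certificate and CRL) involves two hosts. This added example, not from the thread, sketches both halves with certutil: part 1 runs on the offline root before it signs anything, part 2 on a domain-joined machine as an Enterprise Admin with the exported files on removable media. The host name pki.corp.example, the file names under E:\ and the CA name are placeholders.

```powershell
# Added example (placeholders throughout): CDP/AIA setup on an offline root
# and manual publication of its certificate and CRL into Active Directory.

# ---- Part 1: on the offline standalone root ----
# Flag prefixes: 1 = publish the file to this location when the CA issues
# a CRL/cert, 2 = put this URL into the CDP/AIA extension of issued certs.
# certutil treats a literal \n as the separator of a multi-string value.
$cdp = '1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl' +
       '\n2:http://pki.corp.example/CertEnroll/%3%8%9.crl'
$aia = '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt' +
       '\n2:http://pki.corp.example/CertEnroll/%1_%3%4.crt'
certutil -setreg CA\CRLPublicationURLs    $cdp
certutil -setreg CA\CACertPublicationURLs $aia
# An offline root only issues sub-CA certs, so a long CRL lifetime is
# practical; it must be re-signed and re-published before it expires.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod      'Weeks'
Restart-Service certsvc
certutil -CRL            # regenerate the CRL with the new CDP settings
# Copy the .crt and .crl from C:\Windows\System32\CertSrv\CertEnroll
# to removable media.

# ---- Part 2: on a domain member, as an Enterprise Admin ----
$rootCert = 'E:\ROOTCA01_Contoso Root CA.crt'   # placeholder file names
$rootCrl  = 'E:\Contoso Root CA.crl'
$caHost   = 'ROOTCA01'                          # offline root's machine name
# RootCA = CN=Certification Authorities container; domain clients pick the
# certificate up from AD as a trusted root, the same path an Enterprise
# root uses automatically.
certutil -dspublish -f $rootCert RootCA
# The CRL goes into the CDP container under the CA's machine name so the
# LDAP location is usable if you later add an ldap:/// CDP entry.
certutil -dspublish -f $rootCrl $caHost
# Finally copy both files to the IIS host serving pki.corp.example so the
# HTTP URL in issued certificates returns the CRL instead of a blank page.
```

Once published, `certutil -verify -urlfetch` against a subordinate CA certificate issued by this root is the quickest way to confirm clients can actually retrieve the CRL from the URLs you configured.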