Re: EFS and Certificate Services

From: Rschraeger (Rschraeger_at_discussions.microsoft.com)
Date: 08/25/05

• Next message: Johan: "RE: Remove MS AntiSpyware or Add Exception"
• Previous message: Rschraeger: "RE: Remove MS AntiSpyware or Add Exception"
• In reply to:(deleted message) Paul Adare: "Re: EFS and Certificate Services"
• Next in thread: Paul Adare: "Re: EFS and Certificate Services"
• Reply:(deleted message) Paul Adare: "Re: EFS and Certificate Services"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 25 Aug 2005 06:26:03 -0700

I thought the root CA was suppose to be take offline for security reasons.
Is it then better to deploy a standalone root CA with a enterprise sub. CA?
Is that even possible?

-- 
RS
MCSE, MCP +I MCP
"Paul Adare" wrote:
> In article <E0088E0E-D95F-49B9-98FC-7D514C2586C6@microsoft.com>, in the 
> microsoft.public.win2000.security news group, =?Utf-8?B?
> UnNjaHJhZWdlcg==?= <Rschraeger@discussions.microsoft.com> says...
> 
> > Why not take the root offline?   Isn't it best practice to take the root 
> > offline after it has given it's cert to the sub. CA?
> > 
> 
> A standalone root should be taken offline yes, not an Enterprise Root. 
> By definition, an Enterprise Root needs access to Active Directory and 
> therefore needs to remain online.
> 
> -- 
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern 
> computer geeks finds it impossible to detect a joke that is not clearly 
> labeled as such."
> Ray Shea
> 

---

• Next message: Johan: "RE: Remove MS AntiSpyware or Add Exception"
• Previous message: Rschraeger: "RE: Remove MS AntiSpyware or Add Exception"
• In reply to:(deleted message) Paul Adare: "Re: EFS and Certificate Services"
• Next in thread: Paul Adare: "Re: EFS and Certificate Services"
• Reply:(deleted message) Paul Adare: "Re: EFS and Certificate Services"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Standalone root CA - do I need to use the capolicy.inf file? ... Enterprise or standalone) and I noticed no difference. ... If I were to use an Enterprise Root CA, would it still be advisable to use ... install a subordinate Enterprise CA, according to what I think are MS best ... standalone root CA, or can I do without it? ... (microsoft.public.security) Re: PKI Question ... Because an Enterprise CA is integrated with Active Directory which requires ... stand-alone root CA. ... An enterprise root requires access to the Active ... You should not install an enterprise root on an offline domain ... (microsoft.public.security) Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA ... certificate and I get a "Cannot verify certificate chain. ... revocation because the revocation server was offline. ... the root ca? ... Online>>> Online Enterprise Subordinate CA ... (microsoft.public.windows.server.security) Re: can a microsoft enteprise Root CA be offline? ... > I have notice that if the CA server is offline, ... > cannot be authenticated by the IAS server. ... > Isn=3Ft it suppose that the the certificates are valid by them selfs? ... the root CA must be installed as a Standalone ... (microsoft.public.win2000.security) RE: Offline Root CA issue ... I had to change the validity of the CRL ... subordinate online CA server in an Windows 2003 Server environment (virtual ... I have exported the CRL from the offline root into the online ... (microsoft.public.dotnet.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)