Re: EFS and Certificate Services

From: Rschraeger (Rschraeger_at_discussions.microsoft.com)
Date: 08/25/05


Date: Thu, 25 Aug 2005 06:26:03 -0700

I thought the root CA was supposed to be taken offline for security reasons.
Is it then better to deploy a standalone root CA with an enterprise sub. CA?
Is that even possible?

-- 
RS
MCSE, MCP +I MCP
"Paul Adare" wrote:
> In article <E0088E0E-D95F-49B9-98FC-7D514C2586C6@microsoft.com>, in the 
> microsoft.public.win2000.security news group, Rschraeger
> <Rschraeger@discussions.microsoft.com> says...
> 
> > Why not take the root offline?   Isn't it best practice to take the root 
> > offline after it has given its cert to the sub. CA?
> > 
> 
> A standalone root should be taken offline yes, not an Enterprise Root. 
> By definition, an Enterprise Root needs access to Active Directory and 
> therefore needs to remain online.
> 
> -- 
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern 
> computer geeks finds it impossible to detect a joke that is not clearly 
> labeled as such."
> Ray Shea
> 
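A two-tier layout that matches Paul's answer, written up here as an added example rather than anything from the thread: the standalone root never joins the domain or the network, and only its certificate, its CRL and the signed subordinate request travel on removable media. Server names, request IDs and the E: drive are assumed placeholders.

```powershell
# Added example, not from the original post. Assumed names: offline root "OfflineRoot\RootCA",
# enterprise subordinate "SubCA", removable media on E:.

# ---- 1. Offline standalone root (workgroup machine, network unplugged) ----
# A root that is only switched on to sign CRLs needs a long CRL lifetime, or
# chain building on domain members fails when the published CRL expires.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
net stop certsvc
net start certsvc

# Sign the subordinate's request brought over on E:. A standalone CA holds
# requests as pending, so approve by request ID and then retrieve the cert.
certreq -submit -config "OfflineRoot\RootCA" E:\SubCA.req       # note the RequestId it prints
certutil -resubmit 2                                              # 2 = assumed RequestId from the line above
certreq -retrieve -config "OfflineRoot\RootCA" 2 E:\SubCA.cer

# Export the root certificate and a fresh CRL for publication in AD.
certutil -ca.cert E:\RootCA.crt
certutil -crl
Copy-Item "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" E:\

# ---- 2. Domain-joined admin workstation (Enterprise Admins) ----
# Publish the offline root's certificate and CRL into Active Directory so every
# domain member trusts the root and can check revocation without ever reaching it.
certutil -dspublish -f E:\RootCA.crt RootCA
certutil -dspublish -f E:\RootCA.crl

# ---- 3. Enterprise subordinate CA (domain member, stays online) ----
# Install the root-signed CA certificate and start the service.
certutil -installcert E:\SubCA.cer
net start certsvc

# ---- 4. Check: the chain must build and CRL fetch must succeed with the root off ----
certutil -verify -urlfetch E:\SubCA.cer
```

If `certutil -verify -urlfetch` reports a revocation failure, the root's CRL is not reachable at the CDP URL baked into the subordinate's certificate; republish it with `certutil -dspublish` before issuing anything from the subordinate.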
