  1. Silent but Deadly
    Join Date
    Sep 2008
    Location
    So Cal
    Posts
    41

    Certifications
    CCNA | MCSE:S; MCTS: ISA2K6, Vista | VCP on VI3
    #1

    Taking enterprise root CA offline.

    Hi all, a few questions:

    In order to create an Enterprise Root CA it must be on a domain controller right?

    If you have multiple domains (parent child) does it have to be a DC in the forest root?

    And say you create an enterprise root CA and create subordinate CAs, do the subordinate CAs need to be DCs as well?

    Ok so say I now have a root ca and an issuing ca. According to best practice I should take the root CA offline and power it down and make sure it is physically secure.

    My question is how would Active Directory respond to this missing DC? Will I keep getting messages in the event log from NTDS and KCC that the domain controller is offline etc.?

  3. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #2

    Re: Taking enterprise root CA offline.

    Quote Originally Posted by kerbydogg
    In order to create an Enterprise Root CA it must be on a domain controller right?
    No, a member server is fine.

    Quote Originally Posted by kerbydogg
    If you have multiple domains (parent child) does it have to be a DC in the forest root?
    No.

    Quote Originally Posted by kerbydogg
    And say you create an enterprise root CA and create subordinate CAs, do the subordinate CAs need to be DCs as well?
    No.

    Quote Originally Posted by kerbydogg
    Ok so say I now have a root ca and an issuing ca. According to best practice I should take the root CA offline and power it down and make sure it is physically secure.
    Yes.

    Quote Originally Posted by kerbydogg
    My question is how would Active Directory respond to this missing DC? Will I keep getting messages in the event log from NTDS and KCC that the domain controller is offline etc.?
    Not well. That's why you should make the root a stand-alone CA.

  4. Silent but Deadly
    Join Date
    Sep 2008
    Location
    So Cal
    Posts
    41

    Certifications
    CCNA | MCSE:S; MCTS: ISA2K6, Vista | VCP on VI3
    #3
    lol, thanks for the response dynamik.

    OK, I think I get it now.

    How about if I create a standalone root, take it offline and use an enterprise subordinate CA as an issuing CA?

  5. Drops by now and again astorrs's Avatar
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #4
    Time out.

    Don't take a root Enterprise CA offline or you will have problems.

    In fact if you plan on having more than one tier of CAs your root CA should be a Standalone CA so you can do exactly that (take it offline).

    Just because your root CA is standalone doesn't mean your issuing CAs can't be Enterprise CAs (and that is a very common deployment).

  6. Silent but Deadly
    Join Date
    Sep 2008
    Location
    So Cal
    Posts
    41

    Certifications
    CCNA | MCSE:S; MCTS: ISA2K6, Vista | VCP on VI3
    #5
    yup I'm with you astorrs.

    Check this out though, MS Press 70-299 pg 7-9 states:

    The first step in deploying a PKI is to install a CA, and the first CA you install in your
    organization must be a root CA. You can create two types of root CAs: enterprise and
    standalone. In a nutshell, enterprise CAs require Active Directory. Because enterprise
    CAs rely on Active Directory to store and replicate data, all enterprise CAs must also be
    domain controllers.

    Well crap, if that's true taking it offline is not gonna look pretty.

    I kinda figured this was an error, which led to my confusion.

    Thanks guys for clearing this up.

  7. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #6
    Does an enterprise CA really have to be on a DC? I haven't found a clear answer on Technet. I'm probably just missing it...

    Quote Originally Posted by Windows IT Pro
    To begin installation of Certificate Services, log on to the server that will be a CA. For an enterprise CA or standalone CA, the server you select can be a member server (recommended) or a domain controller (DC—not recommended). For a standalone CA, the server can also be a workgroup server not joined to a domain. You must log on as a member of the Enterprise Admins group to install an enterprise CA and as a member of the Domain Admins group to install a standalone CA that will store certificates in AD. To install a standalone CA that won’t store its certificates in AD, you must be a member of the local Administrators group.
    I've seen things like that other places as well and was under the impression that it could be installed on a member server or a DC. All my lab work was done on a DC, so I never had to deal with this. I'm going to try to lab this up tomorrow (I've been meaning to review my PKI material anyway).

  8. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #7
    It is best practice to make a member server your Enterprise root CA and then take it offline once you have an Enterprise Subordinate CA online and capable of issuing certs.

    Here is a good link from technet that will help.

    http://technet.microsoft.com/en-us/l.../cc738786.aspx

  9. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #8
    Yea, I understand that (I said that earlier), but I was wondering if you had to install an Enterprise CA on a DC. I was under the impression that you could put it on a member server, but his quote from the book states that it can only be on a DC.

  10. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #9
    Quote Originally Posted by dynamik
    Yea, I understand that (I said that earlier), but I was wondering if you had to install an Enterprise CA on a DC. I was under the impression that you could put it on a member server, but his quote from the book states that it can only be on a DC.
    I was addressing the thread in general... not necessarily your post. I read your post.

    To have an Enterprise root CA, Active Directory is required, but the Enterprise Root CA doesn't have to be installed on a DC... a member server will work fine.

  11. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #10
    Quote Originally Posted by Silver Bullet
    To have an Enterprise root CA, Active Directory is required, but the Enterprise Root CA doesn't have to be installed on a DC... a member server will work fine.
    +1

  12. Drops by now and again astorrs's Avatar
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #11
    Quote Originally Posted by Silver Bullet
    It is best practice to make a member server your Enterprise root CA and then take it offline once you have an Enterprise Subordinate CA online and capable of issuing certs.

    Here is a good link from technet that will help.

    http://technet.microsoft.com/en-us/l.../cc738786.aspx
    I feel like I keep needing to jump up and down here because it seems like people keep missing this.

    If you want to take the CA offline to secure it, it should be a standalone CA.

    Remember, best practice in a PKI hierarchy is to take any root or intermediate CAs offline, leaving just your issuing CAs to handle client requests. This ensures the security of the PKI infrastructure and limits the damage a compromise of an online CA can have.

    Why it should not be an Enterprise CA comes down to two reasons:

    1. If you are planning on taking a CA offline, best practice is to put it in a workgroup and not in a domain. That way you don't have to deal with the computer account password expiring after 30 days and resetting it, etc. if you need to bring the CA online later to add additional subordinate CAs. Since an Enterprise CA requires the computer to be in a domain, your only choice is to create a standalone CA.

    2. This is the big one. Let's say you have ignored this advice and created a two-level CA hierarchy with Enterprise CAs at each level. You have then powered off the root Enterprise CA.

    A user sends a digitally signed email from johndoe@us.company.com to janedoe@eu.company.com. When janedoe@eu.company.com receives the email, her computer will attempt to walk the certificate chain up the hierarchy to assess the validity of the digital signature. Since the issuing CA is online this will be successful; it will then move up a level to the root CA, and since this CA is offline the cert chain will be broken and validation will fail.

    Had the root CA been a standalone CA the client will happily accept the fact that it cannot contact it, but it must (this is a Windows requirement) be able to contact an Enterprise CA for the certificate chain not to be broken.

    Honestly the only time you want to be using an Enterprise Root CA is when you only have 1 CA in your entire PKI infrastructure (think SMB).
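    The chain walk astorrs describes above can be reproduced on any domain member before a root is powered off, so the design is verified rather than assumed. The script below is an added example, not code from the thread or from Microsoft. It assumes a Windows host that already trusts the root (for example because the root certificate was published to AD), a .cer file issued by the online issuing CA, and the hostnames of the CAs that will be powered off (the example name offlineroot.corp.example and the parameter names are assumptions). It builds the chain with online revocation checking for every element, the same walk a mail client does for a signed message, and lists the CDP/AIA URLs each certificate carries so you can confirm none of them point at a machine that is going offline. It goes one step beyond the post: the reason a chain with an offline root keeps validating is that the root's certificate and CRL are fetched from the trust store and a published location, never from the root server itself, and that is what the URL listing lets you check.

```powershell
# Added example (not from the thread). Assumed inputs: a .cer issued by the online
# issuing CA and the names of the CA hosts that will be powered off.
param(
    [Parameter(Mandatory)] [string] $CertPath,                  # assumed path to a leaf .cer
    [string[]] $OfflineHost = @('offlineroot.corp.example')     # assumed hostnames; replace
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Same walk a relying party performs: build up to a trusted root and fetch the CRL of
# every element, not just the leaf, so an unreachable CRL anywhere in the chain shows up.
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)

$built = $chain.Build($cert)
Write-Host ("Chain build succeeded: {0}" -f $built)
foreach ($s in $chain.ChainStatus) {
    Write-Host ("  overall status: {0} ({1})" -f $s.Status, $s.StatusInformation.Trim())
}

foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    Write-Host ("`n{0}" -f $c.Subject)

    # CDP (2.5.29.31) tells clients where the CRL lives, AIA (1.3.6.1.5.5.7.1.1) where the
    # issuer certificate lives. CryptoAPI's text rendering prefixes each location with "URL=".
    $urls = @()
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        foreach ($ext in ($c.Extensions | Where-Object { $_.Oid.Value -eq $oid })) {
            $urls += [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
                     ForEach-Object { $_.Groups[1].Value }
        }
    }
    foreach ($u in $urls) {
        $urlHost = try { ([uri]$u).Host } catch { '' }   # ldap:/// URLs have no host part
        $flag = if ($urlHost -and ($OfflineHost -contains $urlHost)) { '   <-- OFFLINE host' } else { '' }
        Write-Host ("  {0}{1}" -f $u, $flag)
    }
    foreach ($s in $element.ChainElementStatus) {
        Write-Host ("  status: {0} ({1})" -f $s.Status, $s.StatusInformation.Trim())
    }
}
```

    Run it once with the root online and once with it powered off. A correctly built hierarchy reports the same result both times; a root whose CRL is only reachable on the root server itself shows `RevocationStatusUnknown` or `OfflineRevocation` on the top element as soon as the machine is off, which is the broken chain the post describes.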

  13. wibble! bertieb's Avatar
    Join Date
    Jun 2007
    Location
    Up and down the UK
    Posts
    1,029

    Certifications
    MCSE:CP&I, SI, MCITPx2, MCSAx2, MCTSx7, VCP6/5/4/3(DCV), EMCISA, Sec+, ITILv3F, legacy MS
    #12
    Quote Originally Posted by astorrs
    If you want to take the CA offline to secure it, it should be a standalone CA.
    +1 to that.

    Nicely described post astorrs, thanks.

  14. Self-Described Huguenot blargoe's Avatar
    Join Date
    Nov 2005
    Location
    NC
    Posts
    4,088

    Certifications
    VCAP5-DCA; VCP 3/4/5/6 (DCV); EMCSA:CLARiiON; Linux+; MCSE:M 2000/2003; MCSE:S 2000/2003; MCTS:Exch2007; Security+; A+; CCNA (expired)
    #13
    Another thing to keep in mind, and I've seen conflicting info on this too... if you want full functionality (certificate templates, I forget what else if anything), you have to install Enterprise Edition not Standard Edition.
    IT guy since 12/00

    Recent: 3/22/2017 - Passed Microsoft 70-412; 2/11/2017 - Completed VCP6-DCV (passed 2V0-621)
    Working on: MCSA 2012 upgrade from 2003 (to heck with 2008!!), more Linux, AWS Solution Architect (Associate)
    Thinking about: VCP6-CMA, MCSA 2016, Python, VCAP6-DCD (for completing VCIX)

  15. Silent but Deadly
    Join Date
    Sep 2008
    Location
    So Cal
    Posts
    41

    Certifications
    CCNA | MCSE:S; MCTS: ISA2K6, Vista | VCP on VI3
    #14
    -1 to MS PRESS for giving me bad info and making me waste time on stuff I thought i understood. =P

    So basically in a "nutshell" and in the real world:

    1. Install a standalone root CA; it does not have to join your domain (this is the one you will take offline and hide somewhere).

    2. If you want to ease administration and certs will be used internally within your organization, create a subordinate Enterprise CA that will be issuing certs (it does need to be joined to the domain, but is not necessarily a DC).

    Does this sound good guys?
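    The two steps summarized above, written out as commands. This is an added example, not from the thread or from Microsoft's documentation; it uses the ADCS PowerShell cmdlets and certutil/certreq of Windows Server 2012 and later (the thread is about Windows Server 2003, where the same steps are done through the Windows Components wizard and certutil). The CA names, the web host pki.example.com that serves the CertEnroll folder, the `ROOT-HOSTNAME` placeholder, the request ID and the file paths are all assumptions.

```powershell
# Added example, not code from the thread. Names, paths and pki.example.com are assumed.

# ---- 1. Standalone root CA on a WORKGROUP server (never domain-joined) ----
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName 'Corp-Offline-Root-CA' `
    -KeyLength 4096 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# Every CDP/AIA URL the root stamps into the subordinate's certificate must resolve while
# the root is powered off: "1:" publishes to a local file, "2:" embeds the HTTP location in
# issued certificates. certutil treats a literal "\n" as the separator between entries.
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt"

# The root only boots to sign a subordinate or to re-issue its CRL, so the base CRL must
# stay valid for a long time and delta CRLs are switched off.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service certsvc
certutil -crl    # writes the first CRL to the local CertEnroll folder

# ---- 2. Issuing CA: enterprise subordinate on a domain MEMBER server (not a DC) ----
# Run as a member of Enterprise Admins.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName 'Corp-Issuing-CA-01' `
    -KeyLength 4096 -HashAlgorithmName SHA256 -OutputCertRequestFile 'C:\pki\Corp-Issuing-CA-01.req' -Force

# Carry the .req to the root on removable media (D:) and sign it there. A standalone CA
# holds requests as pending, so issue by request ID (assumed: 2) and retrieve the cert.
certreq -submit -config 'ROOT-HOSTNAME\Corp-Offline-Root-CA' 'D:\Corp-Issuing-CA-01.req'
certutil -resubmit 2
certreq -retrieve -config 'ROOT-HOSTNAME\Corp-Offline-Root-CA' 2 'D:\Corp-Issuing-CA-01.cer'

# Before the root goes back into the safe, put its certificate and CRL where domain
# clients look: AD (every domain member then trusts the root) and the HTTP CDP host.
# These two certutil calls run on a domain-joined machine, not on the workgroup root.
certutil -dspublish -f 'D:\ROOT-HOSTNAME_Corp-Offline-Root-CA.crt' RootCA
certutil -dspublish -f 'D:\Corp-Offline-Root-CA.crl'
Copy-Item 'D:\*Corp-Offline-Root-CA.cr?' '\\pki.example.com\CertEnroll\'

# Back on the issuing CA: install the signed certificate and start the service.
# Then power the root off.
certutil -installcert 'C:\pki\Corp-Issuing-CA-01.cer'
Start-Service certsvc
```

    The one setting that decides whether the offline root works is the pair of publication URL lists: the subordinate CA certificate must carry a CRL and issuer-certificate location that stays reachable with the root off, and the root's CRL has to be re-published before the `CRLPeriod` window expires or the whole hierarchy stops validating.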

  16. Drops by now and again astorrs's Avatar
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #15
    Quote Originally Posted by kerbydogg
    -1 to MS PRESS for giving me bad info and making me waste time on stuff I thought i understood. =P

    So basically in a "nutshell" and in the real world:

    1. install a stand alone CA root, does not have to join your domain (which you will take offline and hide somewhere)

    2. if you want to ease administration and certs will be used internally within your organization, create a subordinate Enterprise CA that will be issuing certs. (does need to be joined to domain but not necessarily a DC)

    does this sound good guys?
    Yes, in a large organization you may have intermediate CAs that are also offline.

    And like blargoe said there are differences between Standard and Enterprise versions of Windows Server 2003 when used as CAs:

    Windows Server 2003, Enterprise Edition or Datacenter Edition
    V2 templates: Supported on Enterprise CA only
    Key archival and recovery: Supported
    Auto-enrollment: Both user and computer certificates supported
    Delta certificate revocation lists (CRLs): Supported
    Qualified subordination: Supported
    Role separation: Supported

    Windows Server 2003, Standard Edition
    V2 templates: Not supported
    Key archival and recovery: Not supported
    Auto-enrollment: Computer certificates supported
    Delta certificate revocation lists (CRLs): Supported
    Qualified subordination: Supported
    Role separation: Not supported

    Windows 2000 Server
    V2 templates: Not supported
    Key archival and recovery: Not supported
    Auto-enrollment: Computer certificates supported
    Delta certificate revocation lists (CRLs): Not supported
    Qualified subordination: Not supported
    Role separation: Not supported

    Source: http://technet.microsoft.com/en-us/l.../cc787550.aspx

  17. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #16
    Quote Originally Posted by astorrs
    Quote Originally Posted by Silver Bullet
    It is best practice to make a member server your Enterprise root CA and then take it offline once you have an Enterprise Subordinate CA online and capable of issuing certs.

    Here is a good link from technet that will help.

    http://technet.microsoft.com/en-us/l.../cc738786.aspx
    I feel like I keep needing to jump up and down here because it seems like people keep missing this.
    Ah, I missed the "root" part. I thought he was just reaffirming the Windows IT Pro article where it said installing on a member server is a best practice.

  18. Member
    Join Date
    Aug 2008
    Location
    Birmingham, UK
    Posts
    85

    Certifications
    MCSE 2003:M, MCSA 2003:M, MCTS, MCITP:EA, HyperV, SCVMM, QMMAD QMMEX
    #17
    Does an enterprise CA really have to be on a DC? I haven't found a clear answer on Technet. I'm probably just missing it... ???

    In response to that, I have always been taught never to make a DC a root enterprise CA, as the root CA is designed to create subordinates and then be taken offline. Due to the tombstone lifetime, after 60 days your DC is no longer authorised as a secure replication partner.

  19. Drops by now and again astorrs's Avatar
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #18
    Quote Originally Posted by Graham_84
    Does an enterprise CA really have to be on a DC?
    No it does not.

    Certificate Services in Windows Server 2003 can (and should really) be installed on a member server.

  20. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #19
    OK, I just went and did a little review of PKI since it has been a while.

    astorrs is right, if you plan to have an offline root CA, then it needs to be a standalone root CA. I apologize if I caused any confusion for anyone.

    Here is the technet link that provides a checklist for creating an offline root CA if anyone is interested..

    http://technet.microsoft.com/en-us/l.../cc737834.aspx

  21. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #20
    So astorrs, what you're saying is make an enterprise root CA and take it offline, right?

    teehee!

  22. Drops by now and again astorrs's Avatar
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #21
    Quote Originally Posted by HeroPsycho
    So astorrs, what you're saying is make an enterprise root CA and take it offline, right?

    teehee!

  23. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #22

  24. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #23
    If I'm a firebreathing Hindu, then here's my theme song:

    http://www.youtube.com/watch?v=ZA1NoOOoaNw

  25. Drops by now and again astorrs's Avatar
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #24
    Quote Originally Posted by HeroPsycho
    If I'm a firebreathing Hindu, then here's my theme song:

    http://www.youtube.com/watch?v=ZA1NoOOoaNw
    Well, in that case you need one of these, after all it's W.B.L.W.D...

    http://www.zazzle.com/benny+lava+gifts

  26. Self-Described Huguenot blargoe's Avatar
    Join Date
    Nov 2005
    Location
    NC
    Posts
    4,088

    Certifications
    VCAP5-DCA; VCP 3/4/5/6 (DCV); EMCSA:CLARiiON; Linux+; MCSE:M 2000/2003; MCSE:S 2000/2003; MCTS:Exch2007; Security+; A+; CCNA (expired)
    #25
    My offline root CA is actually a Microsoft VM that is saved off in a secure place.