  1. Senior Member
    Join Date
    Sep 2006
    Location
    San Francisco Bay Area
    Posts
    2,047

    Certifications
    None?
    #1

    70-298 CA Question

    Hey guys, just studying for my 70-298 while I build up the nerve to go back to my CCNP.

    My vtc.com training video just told me to take my enterprise root offline once I have established enterprise subordinate CAs. Last I checked… won't that expire the computer account and the trust the subordinates have for the root? Or am I completely off here?

    Thanks,

  3. Senior Member
    Join Date
    Aug 2008
    Posts
    2,666

    Certifications
    MCSE: Security, MCTS x 5, P+, S+, N+, A+, HIT
    #2
    If I remember right, you take the root CA offline to minimize any chance of it being compromised. If it was compromised, any certs issued to the subordinate CAs and clients would have to be revoked for security reasons. Many companies keep theirs offline and only bring it up to issue new certs to the subordinate CAs.

  4. Senior Member
    Join Date
    Sep 2006
    Location
    San Francisco Bay Area
    Posts
    2,047

    Certifications
    None?
    #3
    So if I turn the server off and toss it in a safe, won't the computer account expire in 30 days or so, bringing down the PKI?

  5. Still a noob earweed's Avatar
    Join Date
    Mar 2010
    Location
    Mobile, Alabama
    Posts
    5,176

    Certifications
    BSIT, Proj+, A+, Net+, Sec+: MCTS: X5; MCITP:EA
    #4
    I'm not sure how you do it with Server 2003, but with Server 2008 the root CA is a standalone CA. AD DS membership is not a requirement, so I don't think it has an account that will expire. The subordinates are also given very long-lived certificates so that the root doesn't have to be brought out very often.

  6. Senior Member
    Join Date
    Aug 2008
    Posts
    2,666

    Certifications
    MCSE: Security, MCTS x 5, P+, S+, N+, A+, HIT
    #5
    Quote Originally Posted by Daniel333 View Post
    So if I turn the server off and toss it in a safe, won't the computer account expire in 30 days or so, bringing down the PKI?
    I don't believe so. You can take the Root CA offline by just disconnecting the network cable, or shutting down the certificate services. You don't have to power it off.

  7. Senior Member
    Join Date
    Aug 2008
    Posts
    2,666

    Certifications
    MCSE: Security, MCTS x 5, P+, S+, N+, A+, HIT
    #6
    Quote Originally Posted by earweed View Post
    I'm not sure how you do it with Server 2003, but with Server 2008 the root CA is a standalone CA. AD DS membership is not a requirement, so I don't think it has an account that will expire. The subordinates are also given very long-lived certificates so that the root doesn't have to be brought out very often.
    Server 2003 has Enterprise CAs integrated into AD; they use cert templates and publish their info into AD.

    The standalone CAs store their info locally. Any requests for certs must be manually approved or denied.

  8. BOBBY_TABLES RobertKaucher's Avatar
    Join Date
    Dec 2007
    Location
    Lebanon, Ohio - USA
    Posts
    4,274

    Certifications
    MCSD Web Apps/SharePoint Applications, MCITP: DBA 2005/2008, EA, EDA7, Linux+, Sec+, MCSE, MCDST, MCTS
    #7
    Quote Originally Posted by Psoasman View Post
    Server 2003 has Enterprise CAs integrated into AD; they use cert templates and publish their info into AD.

    The standalone CAs store their info locally. Any requests for certs must be manually approved or denied.
    This is a very valid point. The use of standalone CAs is really only in the most secure environments. If you are using a standalone, you can lock the root up someplace.

    In a small environment the root CA may simply have the service disabled. Or, like at my current job where we issue web server certs regularly, we just leave it on. It's also a DC. We just don't have the resources for a full-blown PKI, nor the need. Our entire AD could be wiped out and we could have things back up and running within 24 hours with minimal user inconvenience (yes, I said it). So security is not that great of a priority to us.

    In small/medium shops that use intermediate CAs what I tend to see is the CA infrastructure being on a secured VLAN. The root CA is still online, but the service disabled.

    I cannot give any practical insight into large scale, enterprise environments.

  9. Senior Member powerfool's Avatar
    Join Date
    Jul 2010
    Location
    Indy Metro Area
    Posts
    1,602

    Certifications
    CISSP, MCSE x10... and many more
    #8
    If you are going through the trouble of implementing a PKI environment, you are either full of free time or you have a significant reason to do so. That being said, the best practice is to use a standalone root CA with enterprise subordinate CAs and take the root offline.

    The tricky part with PKI is the lifetime of certs. A CA cannot issue certificates with lifespans longer than its own certificate. So, if you want to issue certificates that last a year, you always need at least one year of life left in your subordinate's cert. So, perhaps two years for it, and then renew it annually. The root would likely need to be 5+ years.
    70-346 [ ] 70-347 [ ] 70-533 [ ] 70-743 [ ]
    2017 Goals: MCSA Office 365 and MCSE Cloud Platform and MCSA 2016
    2016 Attained: MCSA Windows Server 2012, MCSE Messaging, MCSE Communications, and MCSE Productivity
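The lifetime arithmetic in the post above, worked through as an added example (not the poster's own code or a Microsoft tool). The validity windows are constructed to match the suggested numbers (root 5+ years, subordinate 2 years renewed annually, end-entity certs 1 year); the truncation rule modelled is that an issued cert never outlives its issuer's own certificate.

```python
from datetime import date, timedelta

# Constructed example hierarchy (not_before, not_after) per tier.
ROOT = (date(2010, 1, 1), date(2015, 1, 1))   # standalone offline root, 5 years
SUB = (date(2010, 1, 1), date(2012, 1, 1))    # enterprise subordinate, 2 years


def clamp_end(issue_date, requested_days, issuer_window):
    """End date the issuer can actually put on a cert.

    The requested validity is truncated at the issuer's own not_after,
    because a CA cannot issue a cert that lasts longer than its own.
    """
    not_before, not_after = issuer_window
    if not (not_before <= issue_date < not_after):
        raise ValueError("issuer certificate is not valid on the issue date")
    wanted = issue_date + timedelta(days=requested_days)
    return min(wanted, not_after)


def full_lifetime_available(issue_date, requested_days, issuer_window):
    """True when the requested lifetime fits without truncation."""
    wanted = issue_date + timedelta(days=requested_days)
    return clamp_end(issue_date, requested_days, issuer_window) == wanted


def renewal_deadline(issuer_window, requested_days):
    """Last day the issuer can still hand out a full-length cert.

    Renew the issuer's own certificate (from the tier above) before this
    date, or every cert issued after it gets silently shortened.
    """
    return issuer_window[1] - timedelta(days=requested_days)


def max_issuable_days(issue_date, chain_windows):
    """Longest validity any cert issued today can have, given every CA
    window from the root down to the issuing CA (the shortest wins)."""
    return min((w[1] - issue_date).days for w in chain_windows)


if __name__ == "__main__":
    # One-year cert in mid-2010 fits; the same request in mid-2011 is cut
    # short at the subordinate's own expiry, so the sub must be renewed
    # by the start of 2011 to keep issuing full one-year certs.
    print(clamp_end(date(2010, 6, 1), 365, SUB))      # 2011-06-01
    print(clamp_end(date(2011, 6, 1), 365, SUB))      # 2012-01-01 (truncated)
    print(renewal_deadline(SUB, 365))                  # 2011-01-01
    # Renewing the sub for two more years in 2013 just fits under the root;
    # a year later the root itself is too short and needs renewing.
    print(clamp_end(date(2013, 1, 1), 730, ROOT))      # 2015-01-01
    print(full_lifetime_available(date(2014, 1, 1), 730, ROOT))  # False
```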

  10. BOBBY_TABLES RobertKaucher's Avatar
    Join Date
    Dec 2007
    Location
    Lebanon, Ohio - USA
    Posts
    4,274

    Certifications
    MCSD Web Apps/SharePoint Applications, MCITP: DBA 2005/2008, EA, EDA7, Linux+, Sec+, MCSE, MCDST, MCTS
    #9
    Quote Originally Posted by powerfool View Post
    ... That being said, the best practice is to use a standalone root CA with enterprise subordinate CAs and take the root offline.
    +Rep for pointing that out. Much easier to do this now with VMs.

  11. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #10
    I recently watched the nuggets for the 293 and this is what I learned.

    Your root CA should be a standalone. Once you issue certificates to your intermediate CAs, you should bring the root down (either by stopping the service, shutting the server down/unplugging it, or pulling the HDD).

    Your intermediate CAs should also be standalone, and again, once they issue certificates to your issuing CAs, they should be taken offline.

    Your issuing CAs should be Enterprise CAs, and you will probably want to set up auto-enrollment on them. These will have to stay online.

    Keep in mind that the above is just what James Conrad suggested. If you wanted to, you could make your root CA an enterprise CA, leave it online 24/7, and take the security risk. Or maybe you feel that a two-tiered approach is more appropriate since you don't issue a lot of CAs. There is no right way to do things.
    Last edited by Devilsbane; 10-25-2010 at 07:21 PM.