Enterprise Root CA question

#1 Senior Member (Seattle, WA; joined Apr 2008; 142 posts; MCSE 2003: Security, CCNA, CCNP)

    Hey people,

    Lets say I have an AD domain, and on a member server I install an Enterprise Root CA. Once I issue certificates to my subordinate CAs, I can take the Enterprise Root CA off line, right?

    Can you please clarify in what scenario it would be necessary to keep a Root CA online?

    Thanks
#2 royal, New Member (Chicago, IL; joined Jul 2006; 3,373 posts)
    You'd only put it back online to create new subordinate servers. Really though, the majority of the time I've been at clients I've always seen internal PKI as Enterprise Root CA. All my clients are SMBs though.
#3 Senior Member (Seattle, WA; joined Apr 2008; 142 posts; MCSE 2003: Security, CCNA, CCNP)
    So if I were to take an Enterprise Root CA off line, would the certificates still be valid? Also, to be clear, this theoretical Enterprise Root CA is a member server; not a domain controller.

    Thanks
#4 royal, New Member (Chicago, IL; joined Jul 2006; 3,373 posts)
Yes, everything will still work. This is because the subordinate CAs will contain the Root Cert which completes the chain. You'll need to make sure you distribute the certificate through GPOs so clients/servers will trust the certificate chain. If you're doing an Enterprise Root CA and issue certificates through that server, AD will automatically distribute the Root Certificate to all domain members. If you do a standalone root, you'll need to distribute that certificate through GPOs, distribute an intermediate certificate to your subordinate CA, and then bring your root CA offline. If you want your Subordinate to be your issuing server, you should make it an enterprise subordinate CA.
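A way to check, on a domain member, that the trust distribution royal describes actually worked once the root is offline. This is an added example, not code from the thread; it assumes an issued certificate has been exported to the placeholder path `.\issued.cer`, and it uses the .NET `X509Chain` class with online revocation checking, because the offline root's published CRL is what vouches for the subordinate CA certificate:

```powershell
# Added example (not from the thread). Assumption: .\issued.cer is a certificate
# issued by the enterprise subordinate CA, exported in DER or Base64 form.
param(
    [string]$LeafPath = '.\issued.cer'   # placeholder path, adjust to your own
)

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Check revocation for the whole chain: the subordinate CA cert is validated
# against the CRL that the (offline) root published, so a stale root CRL shows up here.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

$ok = $chain.Build($leaf)

# Print every element of the chain with its status (leaf first, root last).
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $status = if ($element.ChainElementStatus.Count -eq 0) {
        'OK'
    } else {
        ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    }
    '{0,-60} {1}' -f $cert.Subject, $status
}

# The root must sit in the machine Trusted Root store, which AD (enterprise root)
# or GPO / certutil -dspublish (standalone root) is supposed to populate.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRootStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }

if (-not $inRootStore) {
    Write-Warning "Root '$($root.Subject)' is not in LocalMachine\Root; check the GPO or certutil -dspublish distribution."
}
if (-not $ok) {
    Write-Warning 'Chain build failed; see the statuses above. RevocationStatusUnknown or OfflineRevocation usually means the offline root CRL could not be fetched or has expired.'
}
```

Run it on an ordinary domain member rather than on a CA: a CA host trusts its own certificates for reasons that do not apply to the rest of the domain, so it proves nothing about distribution.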
#5 Senior Member (Seattle, WA; joined Apr 2008; 142 posts; MCSE 2003: Security, CCNA, CCNP)
    Alright, that makes sense. Thanks royal.

    So taking a member server Enterprise Root CA off line after setting up working subordinate Enterprise Root CAs will not invalidate the certificates, and will not cause a problem with active directory.

    Would it be true to say that the only reason you would not take a domain controller Enterprise Root CA off line is because of the problems associated with removing a DC from the network improperly?

    ... And removing a member server from the network improperly poses no problem to active directory?

    Thanks
#6 royal, New Member (Chicago, IL; joined Jul 2006; 3,373 posts)
You wouldn't do an Enterprise Root CA. The Standalone Root CA was created for this purpose, so you can use a CA chain (Root > Subordinate). A Standalone Root CA doesn't even have certificate templates. Its sole purpose is to create the Root Certificate, deploy intermediate certificates to your subordinates, and then be brought offline.

    You wouldn't keep a Standalone Root CA online. I can't think of any reason. The only reason you would bring it back up is to issue certificates to new Subordinate CAs.

    If you use an Enterprise Root CA, you wouldn't take it offline. It would be your issuing server and you would use this setup with the Enterprise Root CA being your only CA. You can of course still have a Subordinate CA, but it makes no sense to have an Issuing Root and an Issuing Subordinate.

    Anyways, if you have more questions, I'll answer tomorrow night. Going to bed.
#7 astorrs, Drops by now and again (Vancouver, Canada; joined May 2008; 3,141 posts; I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...)
    royal is right. If you're going to have multiple tiers of CAs you want to create them as follows:

    1 tier (aka 1 CA in the domain)
    - A single Enterprise CA as both root and issuing

    2 tiers
    - A single Stand-alone CA as root (offline)
    - One or more Issuing (subordinate) CAs configured as Enterprise CA

    3 tiers (only necessary in very large environments, where for example it may be necessary for regional admins to bring the intermediate online to publish a new CRL - that way it doesn't require bringing up the root of the entire PKI infrastructure)
    - A single Stand-alone CA as root (offline)
    - One or more Intermediate CAs configured as a Stand-alone CA (offline)
- One or more Issuing (subordinate) CAs configured as an Enterprise CA

    Best practice says you should always take a root CA offline once you have established issuing (subordinate) CAs. The root CA contains sensitive information about the entire PKI infrastructure, and if it is compromised the entire PKI infrastructure is at risk. In fact Microsoft recommends taking the server (or at least the hard disks or virtual machine image) and locking it away in a vault - I tend to agree.

    And just a reminder - a domain controller should never be a CA (I know you said you were using a member server, just wanted to remind any other readers - I come across this way too often).

    Here are some BPs from Microsoft for 2003 PKI: http://technet2.microsoft.com/window....mspx?mfr=true
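The operational catch in astorrs's two- and three-tier layouts is the one he mentions in passing: an offline root (or offline intermediate) still signs a CRL, and that CRL has a NextUpdate after which every certificate below it fails revocation checking until someone powers the box up and publishes a new one. The following is an added example, not from the thread or from Microsoft: a script that fetches each CRL from its distribution point, reads NextUpdate with `certutil -dump`, and warns before the deadline. The CDP URL is a placeholder for your own; the date parsing relies on certutil's locale-formatted output, so check it on the machine where it will run:

```powershell
# Added example (not from the thread). Assumption: the URLs below are placeholders
# for the CRL distribution points your offline CAs publish to.
param(
    [string[]]$CrlUrls = @('http://pki.example.internal/crl/RootCA.crl'),  # placeholder CDP
    [int]$WarnDays = 14   # warn this many days before NextUpdate
)

foreach ($url in $CrlUrls) {
    # Download the CRL to a temp file; the CDP must be reachable even though the CA is offline.
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetFileName($url))
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
    } catch {
        Write-Warning "$url : download failed ($($_.Exception.Message)); clients will fail revocation checks."
        continue
    }

    # certutil -dump prints the CRL fields; pull the NextUpdate value out of the text.
    $dump = (certutil -dump $tmp) -join "`n"
    $m = [regex]::Match($dump, 'NextUpdate:\s*([^\r\n]+)')
    if (-not $m.Success) {
        Write-Warning "$url : could not find NextUpdate in certutil output."
        continue
    }

    # certutil prints the date in the local culture; Parse follows the same culture.
    $next = [datetime]::Parse($m.Groups[1].Value.Trim())
    $daysLeft = [math]::Round(($next - (Get-Date)).TotalDays, 1)

    if ($daysLeft -lt 0) {
        Write-Warning "$url : CRL EXPIRED on $next. Bring the offline CA up, run 'certutil -crl', and republish."
    } elseif ($daysLeft -lt $WarnDays) {
        Write-Warning "$url : CRL expires in $daysLeft days ($next). Schedule the offline CA's CRL signing now."
    } else {
        "{0} : OK, NextUpdate {1} ({2} days left)" -f $url, $next, $daysLeft
    }
}
```

Schedule it from a monitoring host, not from the root CA itself, and set the root's CRL validity period long enough (months, not days) that the vault trip astorrs describes is a planned event rather than an outage response.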