Enterprise Root CA question

Hey people,

Let's say I have an AD domain, and on a member server I install an Enterprise Root CA. Once I issue certificates to my subordinate CAs, I can take the Enterprise Root CA offline, right?

Can you please clarify in what scenario it would be necessary to keep a Root CA online?

Thanks

Comments

  • royal Member Posts: 3,352
    You'd only put it back online to create new subordinate servers. Really though, the majority of the time I've been at clients I've always seen internal PKI as Enterprise Root CA. All my clients are SMBs though.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • _maurice Member Posts: 142
    So if I were to take an Enterprise Root CA offline, would the certificates still be valid? Also, to be clear, this theoretical Enterprise Root CA is a member server, not a domain controller.

    Thanks
  • royal Member Posts: 3,352
    Yes, everything will still work. This is because the subordinate CAs will contain the Root Cert, which completes the chain. You'll need to make sure you distribute the certificate through GPOs so clients/servers will trust the certificate chain. If you're doing an Enterprise Root CA and issue certificates through that server, AD will automatically distribute the Root Certificate to all domain members. If you do a standalone root, you'll need to distribute that certificate through GPOs, distribute an intermediate certificate to your subordinate CA, and then bring your root CA offline. If you want your Subordinate to be your issuing server, you should make it an enterprise subordinate CA.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • _maurice Member Posts: 142
    Alright, that makes sense. Thanks royal.

    So taking a member server Enterprise Root CA offline after setting up working subordinate Enterprise Root CAs will not invalidate the certificates, and will not cause a problem with Active Directory.

    Would it be true to say that the only reason you would not take a domain controller Enterprise Root CA offline is because of the problems associated with removing a DC from the network improperly?

    ... And removing a member server from the network improperly poses no problem to Active Directory?

    Thanks
  • royal Member Posts: 3,352
    You wouldn't do an Enterprise Root CA. The Standalone Root CA was created for this purpose, so you can use a CA chain (Root > Subordinate). A Standalone Root CA doesn't even have certificate templates. Its sole purpose is to create the Root Certificate, deploy intermediate certificates to your subordinates, and then be brought offline.

    You wouldn't keep a Standalone Root CA online. I can't think of any reason. The only reason you would bring it back up is to issue certificates to new Subordinate CAs.

    If you use an Enterprise Root CA, you wouldn't take it offline. It would be your issuing server and you would use this setup with the Enterprise Root CA being your only CA. You can of course still have a Subordinate CA, but it makes no sense to have an Issuing Root and an Issuing Subordinate.

    Anyways, if you have more questions, I'll answer tomorrow night. Going to bed.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • astorrs Member Posts: 3,139
    royal is right. If you're going to have multiple tiers of CAs you want to create them as follows:

    1 tier (aka 1 CA in the domain)
    - A single Enterprise CA as both root and issuing

    2 tiers
    - A single Stand-alone CA as root (offline)
    - One or more Issuing (subordinate) CAs configured as Enterprise CA

    3 tiers (only necessary in very large environments, where for example it may be necessary for regional admins to bring the intermediate online to publish a new CRL - that way it doesn't require bringing up the root of the entire PKI infrastructure)
    - A single Stand-alone CA as root (offline)
    - One or more Intermediate CAs configured as a Stand-alone CA (offline)
    - One or more Issuing (subordinate) CAs configured as an Enterprise CA

    Best practice says you should always take a root CA offline once you have established issuing (subordinate) CAs. The root CA contains sensitive information about the entire PKI infrastructure, and if it is compromised the entire PKI infrastructure is at risk. In fact Microsoft recommends taking the server (or at least the hard disks or virtual machine image) and locking it away in a vault - I tend to agree.

    And just a reminder - a domain controller should never be a CA (I know you said you were using a member server, just wanted to remind any other readers - I come across this way too often).

    Here are some BPs from Microsoft for 2003 PKI: http://technet2.microsoft.com/windowsserver/en/library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true
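The practical check behind royal's point (clients complete the chain from the distributed root certificate, not from the root server) and astorrs' tiering advice is to build the chain from a domain member the way a client would, including fetching revocation data. The script below is an added example and is not from this thread or from Microsoft; it assumes a certificate issued by the subordinate CA is in this host's machine store, and the thumbprint is a placeholder you replace. It uses the .NET X509Chain class, so it works on any Windows host with PowerShell.

```powershell
# Added example (not from the thread): verify on a domain member that a
# certificate issued by the subordinate (issuing) CA still chains to the
# offline root and that revocation data for every tier is reachable.
param(
    # Placeholder (assumption): thumbprint of any certificate issued by the
    # subordinate CA, e.g. this host's machine certificate.
    [string]$Thumbprint = '<THUMBPRINT-OF-AN-ISSUED-CERT>'
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Build the chain with online revocation checking so the CDP/AIA URLs in the
# certificates are fetched, exactly as domain clients do.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode  = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag  = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$ok = $chain.Build($cert)

# Walk the chain leaf -> root. The last element is the root CA certificate that
# AD auto-enrollment or a GPO placed in the Trusted Root store; nothing here
# talks to the root CA server itself.
$chain.ChainElements | ForEach-Object {
    '{0}  NotAfter={1:yyyy-MM-dd}' -f $_.Certificate.Subject, $_.Certificate.NotAfter
}

$rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
$trusted   = Test-Path -Path "Cert:\LocalMachine\Root\$rootThumb"
"Root present in this host's Trusted Root store: $trusted"

if ($ok) {
    'Chain builds and revocation data for every tier is current.'
} else {
    # Findings you typically see with an offline root:
    #  - RevocationStatusUnknown / OfflineRevocation: the root's CRL expired and
    #    was not re-signed and re-published from the offline box. Bringing the
    #    root (or a standalone intermediate) up to publish a new CRL is the one
    #    routine reason to power it on.
    #  - UntrustedRoot: the root certificate never reached this host's Trusted
    #    Root store (standalone root without GPO distribution).
    $chain.ChainStatus | ForEach-Object {
        '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
    }
}
```

Run it from an ordinary domain member rather than from a CA, because the CA servers cache their own CRLs and certificates and so hide exactly the distribution and CRL-expiry problems clients would hit.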