Taking enterprise root CA offline.
kerbydogg
Member Posts: 41

Hi all, a few questions.
In order to create an Enterprise Root CA, it must be on a domain controller, right?
If you have multiple domains (parent/child), does it have to be a DC in the forest root?
And say you create an enterprise root CA and create subordinate CAs, do the subordinate CAs need to be DCs as well?
OK, so say I now have a root CA and an issuing CA. According to best practice I should take the root CA offline, power it down and make sure it is physically secure.
My question is, how would Active Directory respond to this missing DC? Will I keep getting messages in the event log from NTDS and the KCC that the domain controller is offline, etc.?
WIP: can't decide.
Comments
dynamik
Banned Posts: 12,312

> kerbydogg wrote: In order to create an Enterprise Root CA, it must be on a domain controller, right?

No, a member server is fine.

> kerbydogg wrote: If you have multiple domains (parent/child), does it have to be a DC in the forest root?

No.

> kerbydogg wrote: And say you create an enterprise root CA and create subordinate CAs, do the subordinate CAs need to be DCs as well?

No.

> kerbydogg wrote: OK, so say I now have a root CA and an issuing CA. According to best practice I should take the root CA offline, power it down and make sure it is physically secure.

Yes.

> kerbydogg wrote: My question is, how would Active Directory respond to this missing DC? Will I keep getting messages in the event log from NTDS and the KCC that the domain controller is offline, etc.?

Not well. That's why you should make the root a stand-alone CA.
kerbydogg
Member Posts: 41

lol, thanks for the response dynamik.
OK, I think I get it now.
How about if I create a standalone root, take it offline and use an enterprise subordinate CA as the issuing CA?
astorrs
Member Posts: 3,139

Time out.
Don't take a root Enterprise CA offline or you will have problems.
In fact, if you plan on having more than one tier of CAs, your root CA should be a Standalone CA so you can do exactly that (take it offline).
Just because your root CA is standalone doesn't mean your issuing CAs can't be Enterprise CAs (and that is a very common deployment).
kerbydogg
Member Posts: 41

Yup, I'm with you astorrs.
Check this out though; MS Press 70-299, pg 7-9, states:

> The first step in deploying a PKI is to install a CA, and the first CA you install in your organization must be a root CA. You can create two types of root CAs: enterprise and standalone. In a nutshell, enterprise CAs require Active Directory. Because enterprise CAs rely on Active Directory to store and replicate data, all enterprise CAs must also be domain controllers.

Well crap, if that's true, taking it offline is not gonna look pretty.
I kinda figured this was an error, which led to my confusion.
Thanks guys for clearing this up.
dynamik
Banned Posts: 12,312

Does an enterprise CA really have to be on a DC? I haven't found a clear answer on TechNet. I'm probably just missing it...

> Windows IT Pro wrote: To begin installation of Certificate Services, log on to the server that will be a CA. For an enterprise CA or standalone CA, the server you select can be a member server (recommended) or a domain controller (DC, not recommended). For a standalone CA, the server can also be a workgroup server not joined to a domain. You must log on as a member of the Enterprise Admins group to install an enterprise CA and as a member of the Domain Admins group to install a standalone CA that will store certificates in AD. To install a standalone CA that won't store its certificates in AD, you must be a member of the local Administrators group.

I've seen things like that in other places as well and was under the impression that it could be installed on a member server or a DC. All my lab work was done on a DC, so I never had to deal with this. I'm going to try to lab this up tomorrow (I've been meaning to review my PKI material anyway).
Silver Bullet
Member Posts: 676

It is best practice to make a member server your Enterprise root CA and then take it offline once you have an Enterprise Subordinate CA online and capable of issuing certs.
Here is a good link from TechNet that will help:
http://technet.microsoft.com/en-us/library/cc738786.aspx
dynamik
Banned Posts: 12,312

Yeah, I understand that (I said that earlier), but I was wondering if you had to install an Enterprise CA on a DC. I was under the impression that you could put it on a member server, but his quote from the book states that it can only be on a DC.
Silver Bullet
Member Posts: 676

> dynamik wrote: Yeah, I understand that (I said that earlier), but I was wondering if you had to install an Enterprise CA on a DC. I was under the impression that you could put it on a member server, but his quote from the book states that it can only be on a DC.

I was addressing the thread in general... not necessarily your post. I read your post.
To have an Enterprise root CA, Active Directory is required, but the Enterprise Root CA doesn't have to be installed on a DC... a member server will work fine.
royal
Member Posts: 3,352

> Silver Bullet wrote: To have an Enterprise root CA, Active Directory is required, but the Enterprise Root CA doesn't have to be installed on a DC... a member server will work fine.

+1

"For success, attitude is equally as important as ability." - Harry F. Banks
astorrs
Member Posts: 3,139

> Silver Bullet wrote: It is best practice to make a member server your Enterprise root CA and then take it offline once you have an Enterprise Subordinate CA online and capable of issuing certs.
> Here is a good link from TechNet that will help:
> http://technet.microsoft.com/en-us/library/cc738786.aspx

If you want to take the CA offline to secure it, it should be a standalone CA.
Remember, best practice in a PKI hierarchy is to take any root or intermediate CAs offline, leaving just your issuing CAs to handle client requests. This ensures the security of the PKI infrastructure and limits the damage a compromise of an online CA can have.
The reason it should not be an Enterprise CA comes down to two things:
1. If you are planning on taking a CA offline, best practice is to put it in a workgroup and not in a domain. That way you don't have to deal with the computer account password expiring after 30 days and resetting it, etc., if you need to bring the CA online later to add additional subordinate CAs. Since an Enterprise CA requires the computer to be in a domain, your only choice is to create a standalone CA.
2. This is the big one. Let's say you have ignored this advice and created a two-level CA hierarchy with Enterprise CAs at each level. You have then powered off the root Enterprise CA.
A user sends a digitally signed email from johndoe@us.company.com to janedoe@eu.company.com. When janedoe@eu.company.com receives the email, her computer will attempt to walk the certificate chain up the hierarchy to assess the validity of the digital signature. Since the issuing CA is online this will be successful; it will then move up a level to the root CA, and since this CA is offline the cert chain will be broken and validation will fail.
Had the root CA been a standalone CA, the client would happily accept the fact that it cannot contact it, but it must (this is a Windows requirement) be able to contact an Enterprise CA for the certificate chain not to be broken.
Honestly, the only time you want to be using an Enterprise Root CA is when you only have 1 CA in your entire PKI infrastructure (think SMB).
blargoe
Member Posts: 4,174

Another thing to keep in mind, and I've seen conflicting info on this too... if you want full functionality (certificate templates, I forget what else, if anything), you have to install Enterprise Edition, not Standard Edition.

IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, possibly VCAP Design, or maybe a completely different path. Depends on job demands...
kerbydogg
Member Posts: 41

-1 to MS Press for giving me bad info and making me waste time on stuff I thought I understood. =P
So basically, in a "nutshell" and in the real world:
1. Install a standalone root CA; it does not have to join your domain (and you will take it offline and hide it somewhere).
2. If you want to ease administration and certs will be used internally within your organization, create a subordinate Enterprise CA that will be issuing certs (it does need to be joined to the domain, but it is not necessarily a DC).
Does this sound good guys?
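As an added example (not code from this thread or from Microsoft's documentation), here is the two-tier layout summarised above, plus astorrs's point about keeping the root in a workgroup, as the PowerShell an admin would run on a current Windows Server. The cmdlet and certutil names are real; the CA names, file paths, key sizes and the 52-week CRL interval are assumed values.

```powershell
# ===== Step 1: on the root server (workgroup, NOT domain-joined), as local Administrator =====
# Guard: an offline root stays out of the domain, so there is no 30-day machine password to expire.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) { throw "Root CA host must be in a workgroup" }

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# Assumed CA name, key size and 20-year validity.
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "Contoso-Offline-Root" -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# The root will be powered off, so its CRL must stay valid for a long time (assumed: 52 weeks)
# and it must not advertise delta CRLs it can never publish. Clients validating the issuing CA's
# certificate check this published CRL; they never need to reach the root server itself.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service certsvc
certutil -crl                                  # publish a fresh CRL before shutdown
certutil -ca.cert C:\PKI\root.crt              # assumed path; public cert only, no private key
# Copy C:\PKI\root.crt and the CRL from C:\Windows\System32\CertSrv\CertEnroll\ off the box
# (assumed copied as C:\PKI\root.crl on the issuing CA), then power the root down.

# ===== Step 2: on a domain-joined member server (NOT a DC), as Enterprise Admin =====
# Guard: DomainRole 3 = member server; 4 and 5 are domain controllers.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ne 3) { throw "Issuing CA host must be a member server" }

# Publish the root cert and CRL into AD so every domain member trusts the offline root.
certutil -dspublish -f C:\PKI\root.crt RootCA
certutil -dspublish -f C:\PKI\root.crl

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "Contoso-Issuing-CA1" -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile C:\PKI\issuing.req -Force

# Carry issuing.req to the powered-on root, issue it there, and bring the signed cert back:
#   certutil -submit C:\PKI\issuing.req       (note the RequestId it prints)
#   certutil -resubmit <RequestId>
#   certutil -retrieve <RequestId> C:\PKI\issuing.crt
# Then install it on the issuing CA and start the service; the root goes back offline.
certutil -installcert C:\PKI\issuing.crt
Start-Service certsvc
```

The root's CRL is the one thing that still has to be renewed on a schedule: before it expires, the root is powered on just long enough to run certutil -crl and the new file is published again.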
astorrs
Member Posts: 3,139

> kerbydogg wrote: -1 to MS Press for giving me bad info and making me waste time on stuff I thought I understood. =P
> So basically, in a "nutshell" and in the real world:
> 1. Install a standalone root CA; it does not have to join your domain (and you will take it offline and hide it somewhere).
> 2. If you want to ease administration and certs will be used internally within your organization, create a subordinate Enterprise CA that will be issuing certs (it does need to be joined to the domain, but it is not necessarily a DC).
> Does this sound good guys?

And like blargoe said, there are differences between Standard and Enterprise versions of Windows Server 2003 when used as CAs:

Feature                                  Server 2003 Enterprise/Datacenter    Server 2003 Standard      Windows 2000 Server
V2 templates                             Supported (Enterprise CA only)       Not supported             Not supported
Key archival and recovery                Supported                            Not supported             Not supported
Auto-enrollment                          User and computer certificates       Computer certificates     Computer certificates
Delta certificate revocation lists       Supported                            Supported                 Not supported
Qualified subordination                  Supported                            Supported                 Not supported
Role separation                          Supported                            Not supported             Not supported

Source: http://technet.microsoft.com/en-us/library/cc787550.aspx
dynamik
Banned Posts: 12,312

> astorrs wrote:
> > Silver Bullet wrote: It is best practice to make a member server your Enterprise root CA and then take it offline once you have an Enterprise Subordinate CA online and capable of issuing certs.
> > Here is a good link from TechNet that will help:
> > http://technet.microsoft.com/en-us/library/cc738786.aspx

Ah, I missed the "root" part. I thought he was just reaffirming the Windows IT Pro article where it said installing on a member server is a best practice.
Graham_84
Member Posts: 85

> Does an enterprise CA really have to be on a DC? I haven't found a clear answer on TechNet. I'm probably just missing it... ???

In response to that, I have always been taught never to make a DC a root enterprise CA, as the root CA is designed to create subordinates and then be taken offline. Due to the tombstone lifetime, after 60 days your DC is no longer authorised as a secure replication partner.

Currently having a break after the MCITP:EA. Citrix or Cisco next, not sure!
Silver Bullet
Member Posts: 676

OK, I just went and did a little review of PKI since it has been a while.
astorrs is right: if you plan to have an offline root CA, then it needs to be a standalone root CA. I apologize if I caused any confusion for anyone.
Here is the TechNet link that provides a checklist for creating an offline root CA, if anyone is interested:
http://technet.microsoft.com/en-us/library/cc737834.aspx
HeroPsycho
Inactive Imported Users Posts: 1,940

So astorrs, what you're saying is make an enterprise root CA and take it offline, right?
teehee!

Good luck to all!
astorrs
Member Posts: 3,139

> HeroPsycho wrote: So astorrs, what you're saying is make an enterprise root CA and take it offline, right?
> teehee!
astorrs
Member Posts: 3,139

> HeroPsycho wrote:

http://www.zazzle.com/benny+lava+gifts
blargoe
Member Posts: 4,174

My offline root CA is actually a Microsoft VM that is saved off in a secure place.
royal
Member Posts: 3,352

> astorrs wrote:
> > blargoe wrote: My offline root CA is actually a Microsoft VM that is saved off in a secure place.

And include your Recovery Agent certificate that is installed on your first DC. Funny how most people don't know about this, due to DCPromo not telling you anything about this certificate.
HeroPsycho
Inactive Imported Users Posts: 1,940

That's what I've done, too. Except I use a *real* virtualization product...
*cough* VMware *cough* :P
kerbydogg
Member Posts: 41

I think I have A.D.D. or something.
During these MS tests I space out halfway through and start daydreaming. Then I have to rush to finish it... LOL
Anyway, passed 298/299.
Thanks for the PKI info, all.