Taking enterprise root CA offline.

kerbydogg wrote:

In order to create an Enterprise Root CA it must be on a domain controller right?

No, a member server is fine.

kerbydogg wrote:

If you have multiple domains (parent child) does it have to be a DC in the forest root?

No.

kerbydogg wrote:

And say you create an enterprise root ca and create subordinate CAs, does the subordinate CAs need to be DCs as well?

No.

kerbydogg wrote:

Ok so say I now have a root ca and an issuing ca. According to best practice I should take the root CA offline and power it down and make sure it is physically secure.

Yes.

kerbydogg wrote:

My question is how would active directory respond to this missing DC? Will i keep getting messages in event log from NTDS and KCC that the domain controller is offline etc etc?

Not well. That's why you should make the root a stand-alone CA.

lol thanks for the response dynamik

ok i think i get it now.

How about if i created a root standalone, take it offline and use an enterprise subordinate ca as an issuing ca.

Time out.

Don't take a root Enterprise CA offline or you will have problems.

In fact if you plan on having more than one tier of CAs your root CA should be a Standalone CA so you can do exactly that (take it offline).

Just because your root CA is standalone, doesn't mean you issuing CAs can't be Enterprise CAs (and that is a very common deployment).

yup I'm with you astorrs.

check this out though MS Press 70-299 pg 7-9 states:

The first step in deploying a PKI is to install a CA, and the first CA you install in your
organization must be a root CA. You can create two types of root CAs: enterprise and
standalone. In a nutshell, enterprise CAs require Active Directory. Because enterprise
CAs rely on Active Directory to store and replicate data, all enterprise CAs must also be
domain controllers.

Well crap, if that's true taking it offline is not gonna look pretty.

I kinda figured this was an error which lead to my confusion.

Thanks guys for clearing this up.[/u]

Does an enterprise CA really have to be on a DC? I haven't found a clear answer on Technet. I'm probably just missing it...

Windows IT Pro wrote:

To begin installation of Certificate Services, log on to the server that will be a CA. For an enterprise CA or standalone CA, the server you select can be a member server (recommended) or a domain controller (DC—not recommended). For a standalone CA, the server can also be a workgroup server not joined to a domain. You must log on as a member of the Enterprise Admins group to install an enterprise CA and as a member of the Domain Admins group to install a standalone CA that will store certificates in AD. To install a standalone CA that won’t store its certificates in AD, you must be a member of the local Administrators group.

I've seen things like that other places as well and was under the impression that it could be installed on a member server or a DC. All my lab work was done on a DC, so I never had to deal with this. I'm going to try to lab this up tomorrow (I've been meaning to review my PKI material anyway).

Silver Bullet

It is best practice to make a member server your Enterprise root CA and then take it offline once you have an Enterprise Subordinate CA online and capable of issuing certs.

Here is a good link from technet that will help.

http://technet.microsoft.com/en-us/library/cc738786.aspx

Yea, I understand that (I said that earlier), but I was wondering if you had to install an Enterprise CA on a DC. I was under the impression that you could put it on a member server, but his quote from the book states that it can only be on a DC.

Silver Bullet

dynamik wrote:

Yea, I understand that (I said that earlier), but I was wondering if you had to install an Enterprise CA on a DC. I was under the impression that you could put it on a member server, but his quote from the book states that it can only be on a DC.

I was addressing the thread in general... not necessarily your post. I read your post.

To have an Enterprise root CA, Active Directory is required, but the Enterprise Root CA doesn't have to be installed on a DC... a member server will work fine.

royal

Silver Bullet wrote:

To have an Enterprise root CA, Active Directory is required, but the Enterprise Root CA doesn't have to be installed on a DC... a member server will work fine.

Silver Bullet wrote:

It is best practice to make a member server your Enterprise root CA and then take it offline once you have an Enterprise Subordinate CA online and capable of issuing certs.

Here is a good link from technet that will help.

http://technet.microsoft.com/en-us/library/cc738786.aspx

I feel like I keep needing to jump up and down here because it seems like people keep missing this.

If you want to take the CA offline to secure it, it should be a standalone CA.

Remeber best practice in a PKI heiarchy is to take any root or intermediate CAs offline leaving just your issuing CAs to handle client requests. This ensures the security of the PKI infrastructure and limits the damage a compromise of an online CA can have.

The why it should not be an Enterprise CA comes down to two reasons:

1. If you are planning on taking a CA offline, best practice is to put it in a workgroup and not in a domain. That way you don't have to deal with the computer account password expiring after 30 days and reseting it, etc if you need to bring the CA online later to add additional subordinate CAs. Since an Enterprise CA requires the computer to be in a domain your only choice is to create a standalone CA.

2. This is the big one. Lets say you have ignored this advice and created a two level CA heiarchy with Enterprise CAs at each level. You have then powered off the root Enterprise CA.

A user sends a digitally signed email from johndoe@us.company.com to janedoe@eu.company.com. When janedoe@eu.company.com receives the email her computer will attempt to walk the certificate chain up the hierarchy to asses the validity of the digital signature. Since the issuing CA is online this will be successful, it will then move up a level to the root CA, since this CA is offline the cert chain will be broken and validation will fail.

Had the root CA been a standalone CA the client will happily accept the fact that it cannot contact it, but it must (this is a Windows requirement) be able to contact an Enterprise CA for the certificate chain not to be broken.

Honestly the only time you want to be using an Enterprise Root CA is when you only have 1 CA in your entire PKI infrastructure (think SMB).

bertieb

astorrs wrote:

If you want to take the CA offline to secure it, it should be a standalone CA.

+1 to that.

Nicely described post astorrs, thanks.

blargoe

Another thing to keep in mind, and I've seen conflicting info on this too... if you want full functionality (certificate templates, I forget what else if anything), you have to install Enterprise Edition not Standard Edition.

-1 to MS PRESS for giving me bad info and making me waste time on stuff I thought i understood. =P

So basically in a "nutshell" and in the real world:

1. install a stand alone CA root, does not have to join your domain (which you will take offline and hide somewhere)

2. if you want to ease administration and certs will be used internally within your organization, create a subordinate Enterprise CA that will be issuing certs. (does need to be joined to domain but not necessarily a DC)

does this sound good guys?

kerbydogg wrote:

-1 to MS PRESS for giving me bad info and making me waste time on stuff I thought i understood. =P

So basically in a "nutshell" and in the real world:

1. install a stand alone CA root, does not have to join your domain (which you will take offline and hide somewhere)

2. if you want to ease administration and certs will be used internally within your organization, create a subordinate Enterprise CA that will be issuing certs. (does need to be joined to domain but not necessarily a DC)

does this sound good guys?

Yes, in a large organization you may have intermediate CAs that are also offline.

And like blargoe said there are differences between Standard and Enterprise versions of Windows Server 2003 when used as CAs:

Windows Server 2003, Enterprise Edition or Datacenter Edition
V2 templates: Supported on Enterprise CA only
Key archival and recovery: Supported
Auto-enrollment: Both user and computer certificates supported
Delta certificate revocation lists (CRLs): Supported
Qualified subordination: Supported
Role separation: Supported

Windows Server 2003, Standard Edition
V2 templates: Not supported
Key archival and recovery: Not supported
Auto-enrollment: Computer certificates supported
Delta certificate revocation lists (CRLs): Supported
Qualified subordination: Supported
Role separation: Not supported

Windows 2000 Server
V2 templates: Not supported
Key archival and recovery: Not supported
Auto-enrollment: Computer certificates supported
Delta certificate revocation lists (CRLs): Not supported
Qualified subordination: Not supported
Role separation: Not supported

Source: http://technet.microsoft.com/en-us/library/cc787550.aspx

astorrs wrote:

Silver Bullet wrote:

It is best practice to make a member server your Enterprise root CA and then take it offline once you have an Enterprise Subordinate CA online and capable of issuing certs.

Here is a good link from technet that will help.

http://technet.microsoft.com/en-us/library/cc738786.aspx

I feel like I keep needing to jump up and down here because it seems like people keep missing this.

Ah, I missed the "root" part. I thought he was just reaffirming the Windows IT Pro article where it said installing on a member server is a best practice.

Graham_84

Does an enterprise CA really have to be on a DC? I haven't found a clear answer on Technet. I'm probably just missing it... ???

In response to that, i have always been taught never make a DC a root enterprise CA. As the root CA is designed to create subordinates then be taken offline. Due to tombstone lifetime after 60 days your DC is no longer authorised as a secure replication partner.

Graham_84 wrote:

Does an enterprise CA really have to be on a DC?

No it does not.

Certificate Services in Windows Server 2003 can (and should really) be installed on a member server.

Silver Bullet

OK, I just went and did a little review of PKI since it has been a while.

astorrs is right, if you plan to have an offline root CA, then it needs to be a standalone root CA. I apologize if I caused any confusion for anyone.

Here is the technet link that provides a checklist for creating an offline root CA if anyone is interested..

http://technet.microsoft.com/en-us/library/cc737834.aspx

HeroPsycho

So astorrs, what you're saying is make an enterprise root CA and take it offline, right?

teehee!

HeroPsycho wrote:

So astorrs, what you're saying is make an enterprise root CA and take it offline, right?

teehee!

royal

HeroPsycho

If I'm a firebreathing Hindu, then here's my theme song:

http://www.youtube.com/watch?v=ZA1NoOOoaNw

http://www.zazzle.com/benny+lava+gifts

HeroPsycho wrote:

If I'm a firebreathing Hindu, then here's my theme song:

http://www.youtube.com/watch?v=ZA1NoOOoaNw

Well in that case you need one of these, afterall it's W.B.L.W.D...

blargoe

My offline root CA is actually a Microsoft VM that is saved off in a secure place.

blargoe wrote:

My offline root CA is actually a Microsoft VM that is saved off in a secure place.

Yup that's pretty common these days. Burn it to a DVD (or a couple for redundancy) and stick it in a safety deposit box or vault.

royal

astorrs wrote:

blargoe wrote:

My offline root CA is actually a Microsoft VM that is saved off in a secure place.

Yup that's pretty common these days. Burn it to a DVD (or a couple for redundancy) and stick it in a safety deposit box or vault.

And include your Recovery Agent certificate that is installed on your 1st DC. Funny how most people don't know about this due to DCPromo not telling you anything about this certificate.

HeroPsycho

That's what I've done, too. Except I use a *real* virtualization product...

*cough* VMware *cough* :P

"What's VMware?"