70-298 CA Question

Hey guys, just studying for my 70-298 while I build up the nerve to go back to my CCNP.
My vtc.com training video just told me to take my enterprise root offline once I have established enterprise subordinate CAs. Last I checked… won't that expire the computer account and the trust the subordinates have for the root? Or am I completely off here.
Thanks,
-Daniel
Comments
I don't believe so. You can take the Root CA offline by just disconnecting the network cable, or shutting down the certificate services. You don't have to power it off.
Server 2003 has Enterprise CAs integrated into AD; they use cert templates and publish their info into AD.
The standalone CAs store their info locally. Any requests for certs must be manually approved or denied.
This is a very valid point. The use of standalone CAs is really only in the most secure environments. If you are using a standalone you can lock the root up someplace.
In a small environment the root CA may simply have the service disabled. Or, like at my current job where we issue web server certs regularly, we just leave it on. It's also a DC. We just don't have the resources for a full blown PKI, nor the need. Our entire AD could be wiped out and we could have things back up and running within 24 hours with minimal user inconvenience (yes, I said it). So security is not that great of a priority to us.
In small/medium shops that use intermediate CAs what I tend to see is the CA infrastructure being on a secured VLAN. The root CA is still online, but the service disabled.
I cannot give any practical insight into large scale, enterprise environments.
The tricky part with PKI is lifetime of certs. A CA cannot issue certificates with lifespans longer than its own certificate. So, if you want to issue certificates that last a year, you always need at least one year of life in your subordinate's cert. So, perhaps two years for it, and then renew it annually. The root would likely need to be 5+ years.
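As an added illustration of the lifetime arithmetic in the comment above (not code from the thread or from any Microsoft tool), here is a small Python planner; the chain dates and the "cap the leaf at the issuer's expiry" behaviour are assumptions made for the example:

```python
from datetime import date, timedelta

# Constructed example chain: (name, not_before, not_after). Dates are assumptions.
CHAIN = [
    ("Root CA",    date(2020, 1, 1), date(2030, 1, 1)),  # long-lived root (10 years)
    ("Issuing CA", date(2021, 1, 1), date(2023, 1, 1)),  # 2-year subordinate
]

def check_nesting(chain):
    """Return a list of problems where a child cert's validity is not inside its issuer's."""
    problems = []
    for (parent, p_nb, p_na), (child, c_nb, c_na) in zip(chain, chain[1:]):
        if c_nb < p_nb or c_na > p_na:
            problems.append(f"{child} validity is not inside {parent} validity")
    return problems

def renewal_deadline(ca_not_after, leaf_lifetime_days):
    """Last day on which the CA still has one full leaf lifetime of its own life left."""
    return ca_not_after - timedelta(days=leaf_lifetime_days)

def effective_leaf_expiry(issue_date, leaf_lifetime_days, ca_not_after):
    """Expiry a leaf would get: the requested lifetime, capped at the issuer's expiry
    (assumption for this example; the point is that the issuer's own expiry wins)."""
    requested = issue_date + timedelta(days=leaf_lifetime_days)
    return min(requested, ca_not_after)

def renewal_dates(first_issued, ca_lifetime_days, leaf_lifetime_days, until):
    """Dates by which a sub-CA cert must be renewed so it always has at least one
    full leaf lifetime remaining (the '2-year cert, renew annually' pattern)."""
    if ca_lifetime_days <= leaf_lifetime_days:
        raise ValueError("CA lifetime must exceed the leaf lifetime it issues")
    dates, issued = [], first_issued
    while True:
        deadline = issued + timedelta(days=ca_lifetime_days - leaf_lifetime_days)
        if deadline > until:
            return dates
        dates.append(deadline)
        issued = deadline  # assume the renewal is done on the deadline itself
```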
+Rep for pointing that out. Much easier to do this now with VMs.
Your root CA should be a standalone. Once you issue certificates to your intermediate CAs you should bring the root down (either by stopping the service, shutting the server down/unplugging it, or pulling the HDD).
Your intermediate CAs should also be standalone, and again, once they issue certificates to your Issuing CAs, they should be taken offline.
Your issuing CAs should be Enterprise CAs and you will probably want to set up auto-enrollment on them. These will have to stay online.
Keep in mind that the above is just what James Conrad suggested. If you wanted to, you could make your root CA an enterprise CA and leave it online 24/7 and take the security risk. Or maybe you feel that a 2-tiered approach is more appropriate since you don't issue a lot of CAs. There is no right way to do things.