70-298 CA Question

Hey guys, just studying for my 70-298 while I build up the nerve to go back to my CCNP.

My vtc.com training video just told me to take my enterprise root offline once I have establishing enterprise subordinate CAs. Last I checked… won’t that expire the computer account and the trust the subordinates have for the root? Or am I completely off here.

Thanks,

Find more posts tagged with

Comments

Psoasman

If I remember right, you take the root CA offline to minimize any chances of it being comprised. If it was comprised, any certs issued to the subordinate CA's and clients would have to be revoked for security reasons. Many companies keep theirs offline and only bring it up to issue new certs to the subordinate CA's.

Daniel333

So if I turn the server off, and toss it in a safe. Won't the computer account expire in 30 days or so? bringing down the PKI?

earweed

I'm not sure how you do it with Server 2003 but with server 2008 the root CA is a standalone CA. AD DS membership is not a requirement so I don't think it has an account that will expire. The subordinates are also given very long lived certificates so that the root doesn't have to be brought out very often.

Psoasman

Daniel333 wrote: »

So if I turn the server off, and toss it in a safe. Won't the computer account expire in 30 days or so? bringing down the PKI?

I don't believe so. You can take the Root CA offline by just disconnecting the network cable, or shutting down the certificate services. You don't have to power it off.

Psoasman

earweed wrote: »

I'm not sure how you do it with Server 2003 but with server 2008 the root CA is a standalone CA. AD DS membership is not a requirement so I don't think it has an account that will expire. The subordinates are also given very long lived certificates so that the root doesn't have to be brought out very often.

Server 2003 has Enterprise CA's integrated into AD and they use cert templates, and publish their info into AD.

The standalone CA's store their info locally. Any requests for certs must be manually approve or deny any requests.

RobertKaucher

Psoasman wrote: »

Server 2003 has Enterprise CA's integrated into AD and they use cert templates, and publish their info into AD.

The standalone CA's store their info locally. Any requests for certs must be manually approve or deny any requests.

This is a very valid point. The use of s standalone CAs is really only in the most secure environments. If you are using a standalone you can lock the root up someplace.

In a small environment the root CA may simply have the service disabled. Or, like at my current job where we issue web server certs regularly, we just leave it on. It's also a DC. We just don't have the resources for a full blown PKI, nor the need. Our entire AD could be wiped out and we could have things back up and running within 24 hours with minimal user inconvenience (yes, I said it). So security is not that great of a priority to us.

In small/medium shops that use intermediate CAs what I tend to see is the CA infrastructure being on a secured VLAN. The root CA is still online, but the service disabled.

I cannot give any practical insight into large scale, enterprise environments.

powerfool

If you are going through the trouble of implementing a PKI environment, you are either full of free time or you have a significant reason to do so. That being said, the best practice is you use a standalone CA root with enterprise subordinate CAs and take the root offline.

The tricky part with PKI is lifetime of certs. A CA cannot issue certificates with lifespans longer than its own certificate. So, if you want to issue certificates that last a year, you always need at least one year of life in your subordinate's cert. So, perhaps two years for it, and then renew it annually. The root would likely need to be 5+ years.

RobertKaucher

powerfool wrote: »

... That being said, the best practice is you use a standalone CA root with enterprise subordinate CAs and take the root offline.

+Rep for pointing that out. Much easier to do this now with VMs.

Devilsbane

I recently watched the nuggets for the 293 and this is what I learned.

Your root CA should be a standalone. Once you issue certificates to your intermediate CA's you should bring the root down (Either by stopping the service, shutting the server down/unplugging it, or pulling the HDD).

Your intermediate CA's should also be standalone, and again, once they issue certificates to your Issuing CA's should be taken offline.

Your issuing CA's should be Enterprise CA's and you will probably want to set up auto-enrollment on them. These will have to stay online.

Keep in mind that the above is just what James Conrad suggested. If you wanted to, you could make your root CA an enterprise CA and leave it online 24/7 and take the security risk. Or maybe you feel that a 2 tiered approach is more appropriate since you don't issue a lot of CA's. There is no right way to do things.