Enterprise and Stand alone Root CA's - HELP

HI All

I am now at the stage of taking practice exams for 298 after completing all the study, however one question keeps rearing its head and getting me so some help please.

When i did my study I learn't that in a PKI heriechy you should take the root offline to secure the infrastructure, however it Should NOT be an enterprise root as it is not a good idea to take that offline. I thought it should be a standalone root CA.

In transcender there are questions I have answer based on this theory but they are wrong. The answer is telling me (most of the time) to take the enterprise root offline and delpoy subordinate enterprise CA's

I'm very :S

My Exam is not far away, Any Ideas?

Kamikaze_worm

Find more posts tagged with

Comments

hyperrawr9000

Im not an expert but i believe that you use enterprise CAs internally and use standalone for stuff that would go between organizations. If you use enterprise subordinates you have to have an enterprise root. Also Stand alone CAs cant do everything that Enterprise ones can so make sure that the purpose of the CA doesnt require it to be part of a domain. Unfortunately i dont remember the specifics of what the enterprise ones can do compared to standalone but i believe its stuff that requires it to be part of a domain

Also I thought it was recommended to take offline all root CAs unless there is a specific requirement that requires it to be online.

Jarhead2011

you dont necessarily have to have a enterprise root CA if you have a sub enterprise CA. As far as I know best practice according to multiple resources best practice is to have a Stand alone root CA and sub enterprise CA, if you have and AD domain. If you have a enterprise root CA then it can't be offline for more than 60 days or so, because AD will pick that the computer account is no longer active.

hyperrawr9000

I did not know that, thanks for clarifying!

RomBUS

I thought the best practice model was for

Stand alone root CA (only online to update CRL at times) -> Enterprise subordinate (for CA policies) -> Enterprise subordinates (for issuing certificates)

I may be wrong

Devilsbane

According to James Conrad, the reason that you make the Root CA a standalone CA is so that you can take it offline. The CA's underneath won't care if it is there or not.

Enterprise CA's are part of the domain and thus have domain computer accounts. Remember that the computer has a password that needs to be changed every 30 days. If you leave your enterprise CA offline for more than 30 days then the password is going to expire and you will probably need to reset the computer account in Active Directory.

The ideal situation to shoot for is two levels of standalone CA's that remain offline and then your issuing CA's to be on the third level and be configured as enterprise CA's and remain online. But remember that ideal situations aren't always present in real life and thus aren't presented on the exam. If your manager tells you that the budget only allows two levels of CA's, then you can preach best practices until you are blue in the face but you are still going to need to implement a infrastructure that only is two levels and still make it as secure as possible.

And I do swear by Transcender, but nobody is perfect. I have found 2 mistakes with their questions in the 6 or 7 different exam packs that I have used. Use the feedback to submit your claim. Maybe they are wrong (and will admit to that), but at the very least you will get a reply back from George or someone explaining why they believe the question is correct.

Devilsbane

http://www.techexams.net/forums/mcsa-mcse-security/36696-taking-enterprise-root-ca-offline.html

Here is an older thread, but there is some good discussion on the subject of CA's. And here is a technet document.

http://technet.microsoft.com/en-us/library/cc737834(WS.10).aspx

Devilsbane

I read the 70-299 book and there were a couple chapters on certificates and CA's. They explained some differences between Enterprise and Standalone, but they never went into too much details about when to use a standalone. It was very one sided with all of the features that enterprise provides. Maybe MS just wants to sell more copies of Enterprise and Datacenter server?

The 298 being a design exam I would expect to get into more details on that, but maybe there is the same slant there too.

Shadly1

I just got through that part in the Self-Paced Training Kit. What I gathered, from a security standpoint, is just plain DON'T create an Enterprise Root. Good security is to make it standalone so you can lock it in a vault for long periods of time... and not the same vault you store your backup tapes in.

Devilsbane

Shadly1 wrote: »

I just got through that part in the Self-Paced Training Kit. What I gathered, from a security standpoint, is just plain DON'T create an Enterprise Root. Good security is to make it standalone so you can lock it in a vault for long periods of time... and not the same vault you store your backup tapes in.

I agree with this, but the test might not. Don't rule out an answer just because it uses an enterprise root, always read the question or the case study if it is for the 298.

If it's going offline, then it should be standalone. Even the test should agree with that.

Shadly1

Devilsbane wrote: »

I agree with this, but the test might not. Don't rule out an answer just because it uses an enterprise root, always read the question or the case study if it is for the 298.

If it's going offline, then it should be standalone. Even the test should agree with that.

Yeah, I found a couple of examples of enterprise roots in my study materials. They don't go into too much detail about why. All I can guess is that it was a single CA to start with and has grown to require subordinates? Doesn't matter that much. I just have to pay attention to the wording. I know it's good security to have offline root/online enterprise subordinates but it's not always what's out there.

Todd Burrell

You also need to know the differences between an enterprise and stand alone based on what the functions need to be. I don't remember the details, but I seem to remember that a stand alone cannot use templates, etc... If you know these differences then you should be fine - just know what types of certs each can give out. I have seen questions that based the answer based on what types of functions/certs were to be distributed.