Taking enterprise root CA offline.

kerbydoggkerbydogg Member Posts: 41 ■■□□□□□□□□
Hi all a few questions,

In order to create an Enterprise Root CA it must be on a domain controller right?

If you have multiple domains (parent child) does it have to be a DC in the forest root?

And say you create an enterprise root ca and create subordinate CAs, does the subordinate CAs need to be DCs as well?

Ok so say I now have a root ca and an issuing ca. According to best practice I should take the root CA offline and power it down and make sure it is physically secure.

My question is how would active directory respond to this missing DC? Will i keep getting messages in event log from NTDS and KCC that the domain controller is offline etc etc?
WIP: can't decide.

Comments

  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    kerbydogg wrote:
    In order to create an Enterprise Root CA it must be on a domain controller right?

    No, a member server is fine.
    kerbydogg wrote:
    If you have multiple domains (parent child) does it have to be a DC in the forest root?

    No.
    kerbydogg wrote:
    And say you create an enterprise root ca and create subordinate CAs, does the subordinate CAs need to be DCs as well?

    No.
    kerbydogg wrote:
    Ok so say I now have a root ca and an issuing ca. According to best practice I should take the root CA offline and power it down and make sure it is physically secure.

    Yes.
    kerbydogg wrote:
    My question is how would active directory respond to this missing DC? Will i keep getting messages in event log from NTDS and KCC that the domain controller is offline etc etc?

    Not well. That's why you should make the root a stand-alone CA.
  • kerbydoggkerbydogg Member Posts: 41 ■■□□□□□□□□
    lol thanks for the response dynamik

    ok i think i get it now.

    How about if i created a root standalone, take it offline and use an enterprise subordinate ca as an issuing ca.
    WIP: can't decide.
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    Time out.

    Don't take a root Enterprise CA offline or you will have problems.

    In fact if you plan on having more than one tier of CAs your root CA should be a Standalone CA so you can do exactly that (take it offline).

    Just because your root CA is standalone, doesn't mean you issuing CAs can't be Enterprise CAs (and that is a very common deployment).
  • kerbydoggkerbydogg Member Posts: 41 ■■□□□□□□□□
    yup I'm with you astorrs.

    check this out though MS Press 70-299 pg 7-9 states:

    The first step in deploying a PKI is to install a CA, and the first CA you install in your
    organization must be a root CA. You can create two types of root CAs: enterprise and
    standalone. In a nutshell, enterprise CAs require Active Directory. Because enterprise
    CAs rely on Active Directory to store and replicate data, all enterprise CAs must also be
    domain controllers.


    Well crap, if that's true taking it offline is not gonna look pretty.

    I kinda figured this was an error which lead to my confusion.

    Thanks guys for clearing this up.[/u]
    WIP: can't decide.
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Does an enterprise CA really have to be on a DC? I haven't found a clear answer on Technet. I'm probably just missing it...
    To begin installation of Certificate Services, log on to the server that will be a CA. For an enterprise CA or standalone CA, the server you select can be a member server (recommended) or a domain controller (DC—not recommended). For a standalone CA, the server can also be a workgroup server not joined to a domain. You must log on as a member of the Enterprise Admins group to install an enterprise CA and as a member of the Domain Admins group to install a standalone CA that will store certificates in AD. To install a standalone CA that won’t store its certificates in AD, you must be a member of the local Administrators group.

    I've seen things like that other places as well and was under the impression that it could be installed on a member server or a DC. All my lab work was done on a DC, so I never had to deal with this. I'm going to try to lab this up tomorrow (I've been meaning to review my PKI material anyway).
  • Silver BulletSilver Bullet Member Posts: 676 ■■■□□□□□□□
    It is best practice to make a member server your Enterprise root CA and then take it offline once you have an Enterprise Subordinate CA online and capable of issuing certs.

    Here is a good link from technet that will help.

    http://technet.microsoft.com/en-us/library/cc738786.aspx
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Yea, I understand that (I said that earlier), but I was wondering if you had to install an Enterprise CA on a DC. I was under the impression that you could put it on a member server, but his quote from the book states that it can only be on a DC.
  • Silver BulletSilver Bullet Member Posts: 676 ■■■□□□□□□□
    dynamik wrote:
    Yea, I understand that (I said that earlier), but I was wondering if you had to install an Enterprise CA on a DC. I was under the impression that you could put it on a member server, but his quote from the book states that it can only be on a DC.

    I was addressing the thread in general... not necessarily your post. I read your post. icon_wink.gif

    To have an Enterprise root CA, Active Directory is required, but the Enterprise Root CA doesn't have to be installed on a DC... a member server will work fine.
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    To have an Enterprise root CA, Active Directory is required, but the Enterprise Root CA doesn't have to be installed on a DC... a member server will work fine.

    +1
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    It is best practice to make a member server your Enterprise root CA and then take it offline once you have an Enterprise Subordinate CA online and capable of issuing certs.

    Here is a good link from technet that will help.

    http://technet.microsoft.com/en-us/library/cc738786.aspx
    I feel like I keep needing to jump up and down here because it seems like people keep missing this.

    If you want to take the CA offline to secure it, it should be a standalone CA.

    Remeber best practice in a PKI heiarchy is to take any root or intermediate CAs offline leaving just your issuing CAs to handle client requests. This ensures the security of the PKI infrastructure and limits the damage a compromise of an online CA can have.

    The why it should not be an Enterprise CA comes down to two reasons:

    1. If you are planning on taking a CA offline, best practice is to put it in a workgroup and not in a domain. That way you don't have to deal with the computer account password expiring after 30 days and reseting it, etc if you need to bring the CA online later to add additional subordinate CAs. Since an Enterprise CA requires the computer to be in a domain your only choice is to create a standalone CA.

    2. This is the big one. Lets say you have ignored this advice and created a two level CA heiarchy with Enterprise CAs at each level. You have then powered off the root Enterprise CA.

    A user sends a digitally signed email from johndoe@us.company.com to janedoe@eu.company.com. When janedoe@eu.company.com receives the email her computer will attempt to walk the certificate chain up the hierarchy to asses the validity of the digital signature. Since the issuing CA is online this will be successful, it will then move up a level to the root CA, since this CA is offline the cert chain will be broken and validation will fail.

    Had the root CA been a standalone CA the client will happily accept the fact that it cannot contact it, but it must (this is a Windows requirement) be able to contact an Enterprise CA for the certificate chain not to be broken.

    Honestly the only time you want to be using an Enterprise Root CA is when you only have 1 CA in your entire PKI infrastructure (think SMB).
  • bertiebbertieb Member Posts: 1,031 ■■■■■■□□□□
    astorrs wrote:
    If you want to take the CA offline to secure it, it should be a standalone CA.

    +1 to that.

    Nicely described post astorrs, thanks.
    The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    Another thing to keep in mind, and I've seen conflicting info on this too... if you want full functionality (certificate templates, I forget what else if anything), you have to install Enterprise Edition not Standard Edition.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • kerbydoggkerbydogg Member Posts: 41 ■■□□□□□□□□
    -1 to MS PRESS for giving me bad info and making me waste time on stuff I thought i understood. =P

    So basically in a "nutshell" and in the real world:

    1. install a stand alone CA root, does not have to join your domain (which you will take offline and hide somewhere)

    2. if you want to ease administration and certs will be used internally within your organization, create a subordinate Enterprise CA that will be issuing certs. (does need to be joined to domain but not necessarily a DC)

    does this sound good guys?
    WIP: can't decide.
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    kerbydogg wrote:
    -1 to MS PRESS for giving me bad info and making me waste time on stuff I thought i understood. =P

    So basically in a "nutshell" and in the real world:

    1. install a stand alone CA root, does not have to join your domain (which you will take offline and hide somewhere)

    2. if you want to ease administration and certs will be used internally within your organization, create a subordinate Enterprise CA that will be issuing certs. (does need to be joined to domain but not necessarily a DC)

    does this sound good guys?
    Yes, in a large organization you may have intermediate CAs that are also offline.

    And like blargoe said there are differences between Standard and Enterprise versions of Windows Server 2003 when used as CAs:

    Windows Server 2003, Enterprise Edition or Datacenter Edition
    V2 templates: Supported on Enterprise CA only
    Key archival and recovery: Supported
    Auto-enrollment: Both user and computer certificates supported
    Delta certificate revocation lists (CRLs): Supported
    Qualified subordination: Supported
    Role separation: Supported

    Windows Server 2003, Standard Edition
    V2 templates: Not supported
    Key archival and recovery: Not supported
    Auto-enrollment: Computer certificates supported
    Delta certificate revocation lists (CRLs): Supported
    Qualified subordination: Supported
    Role separation: Not supported

    Windows 2000 Server
    V2 templates: Not supported
    Key archival and recovery: Not supported
    Auto-enrollment: Computer certificates supported
    Delta certificate revocation lists (CRLs): Not supported
    Qualified subordination: Not supported
    Role separation: Not supported

    Source: http://technet.microsoft.com/en-us/library/cc787550.aspx
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    astorrs wrote:
    It is best practice to make a member server your Enterprise root CA and then take it offline once you have an Enterprise Subordinate CA online and capable of issuing certs.

    Here is a good link from technet that will help.

    http://technet.microsoft.com/en-us/library/cc738786.aspx
    I feel like I keep needing to jump up and down here because it seems like people keep missing this.

    Ah, I missed the "root" part. I thought he was just reaffirming the Windows IT Pro article where it said installing on a member server is a best practice.
  • Graham_84Graham_84 Member Posts: 85 ■■□□□□□□□□
    Does an enterprise CA really have to be on a DC? I haven't found a clear answer on Technet. I'm probably just missing it... ???

    In response to that, i have always been taught never make a DC a root enterprise CA. As the root CA is designed to create subordinates then be taken offline. Due to tombstone lifetime after 60 days your DC is no longer authorised as a secure replication partner.
    Currently having a break after the MCITP:EA. Citrix or Cisco next, not sure!
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    Graham_84 wrote:
    Does an enterprise CA really have to be on a DC?
    No it does not.

    Certificate Services in Windows Server 2003 can (and should really) be installed on a member server.
  • Silver BulletSilver Bullet Member Posts: 676 ■■■□□□□□□□
    OK, I just went and did a little review of PKI since it has been a while.

    astorrs is right, if you plan to have an offline root CA, then it needs to be a standalone root CA. I apologize if I caused any confusion for anyone.

    Here is the technet link that provides a checklist for creating an offline root CA if anyone is interested..

    http://technet.microsoft.com/en-us/library/cc737834.aspx
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    So astorrs, what you're saying is make an enterprise root CA and take it offline, right? icon_twisted.gif

    teehee!
    Good luck to all!
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    HeroPsycho wrote:
    So astorrs, what you're saying is make an enterprise root CA and take it offline, right? icon_twisted.gif

    teehee!
    streetfighteriihyperfigph4.jpg
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    awesome.jpg
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    If I'm a firebreathing Hindu, then here's my theme song:

    http://www.youtube.com/watch?v=ZA1NoOOoaNw
    Good luck to all!
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    HeroPsycho wrote:
    If I'm a firebreathing Hindu, then here's my theme song:

    http://www.youtube.com/watch?v=ZA1NoOOoaNw
    Well in that case you need one of these, afterall it's W.B.L.W.D...

    benny_lava_shirt-p235066852757666760frp_400.jpg

    http://www.zazzle.com/benny+lava+gifts
  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    My offline root CA is actually a Microsoft VM that is saved off in a secure place.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    blargoe wrote:
    My offline root CA is actually a Microsoft VM that is saved off in a secure place.
    Yup that's pretty common these days. Burn it to a DVD (or a couple for redundancy) and stick it in a safety deposit box or vault.
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    astorrs wrote:
    blargoe wrote:
    My offline root CA is actually a Microsoft VM that is saved off in a secure place.
    Yup that's pretty common these days. Burn it to a DVD (or a couple for redundancy) and stick it in a safety deposit box or vault.

    And include your Recovery Agent certificate that is installed on your 1st DC. Funny how most people don't know about this due to DCPromo not telling you anything about this certificate.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    That's what I've done, too. Except I use a *real* virtualization product...

    *cough* VMware *cough* :P
    Good luck to all!
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
  • kerbydoggkerbydogg Member Posts: 41 ■■□□□□□□□□
    I think I have A.D.D. or something.

    During these MS tests I space out half way thru and start daydreaming. Then I have to rush to finish it... LOL

    Anyway passed 298/299

    Thanks for the PKI infos all. icon_lol.gif
    WIP: can't decide.
Sign In or Register to comment.