Enterprise and Stand alone Root CA's - HELP

kamikaze_wormkamikaze_worm Member Posts: 68 ■■□□□□□□□□
HI All

I am now at the stage of taking practice exams for 298 after completing all the study, however one question keeps rearing its head and getting me so some help please.

When i did my study I learn't that in a PKI heriechy you should take the root offline to secure the infrastructure, however it Should NOT be an enterprise root as it is not a good idea to take that offline. I thought it should be a standalone root CA.

In transcender there are questions I have answer based on this theory but they are wrong. The answer is telling me (most of the time) to take the enterprise root offline and delpoy subordinate enterprise CA's

I'm very :S

My Exam is not far away, Any Ideas?

Kamikaze_worm
IT Desktop Support Technician
Comptia Exams passed - A+
Microsoft Exams Passed - 270, 290, 291, 620, 293, 294
Qualifications - MCP, MCTS, MCSA
Working towards - MCSE
Currently Studying - 298

Comments

  • hyperrawr9000hyperrawr9000 Member Posts: 39 ■■□□□□□□□□
    Im not an expert but i believe that you use enterprise CAs internally and use standalone for stuff that would go between organizations. If you use enterprise subordinates you have to have an enterprise root. Also Stand alone CAs cant do everything that Enterprise ones can so make sure that the purpose of the CA doesnt require it to be part of a domain. Unfortunately i dont remember the specifics of what the enterprise ones can do compared to standalone but i believe its stuff that requires it to be part of a domain

    Also I thought it was recommended to take offline all root CAs unless there is a specific requirement that requires it to be online.
  • Jarhead2011Jarhead2011 Member Posts: 89 ■■□□□□□□□□
    you dont necessarily have to have a enterprise root CA if you have a sub enterprise CA. As far as I know best practice according to multiple resources best practice is to have a Stand alone root CA and sub enterprise CA, if you have and AD domain. If you have a enterprise root CA then it can't be offline for more than 60 days or so, because AD will pick that the computer account is no longer active.
    "Getting information off the internet is like drinking water from a fire hydrant" - Michell Kapor
    2013/2014 Certifications
    CCNA R&S Project Management SQL 2008/2012
    Currently Reading: Network Warrior 2nd Ed.


  • hyperrawr9000hyperrawr9000 Member Posts: 39 ■■□□□□□□□□
    I did not know that, thanks for clarifying!
  • RomBUSRomBUS Member Posts: 699 ■■■■□□□□□□
    I thought the best practice model was for

    Stand alone root CA (only online to update CRL at times) -> Enterprise subordinate (for CA policies) -> Enterprise subordinates (for issuing certificates)

    I may be wrong
  • DevilsbaneDevilsbane Member Posts: 4,214 ■■■■■■■■□□
    According to James Conrad, the reason that you make the Root CA a standalone CA is so that you can take it offline. The CA's underneath won't care if it is there or not.


    Enterprise CA's are part of the domain and thus have domain computer accounts. Remember that the computer has a password that needs to be changed every 30 days. If you leave your enterprise CA offline for more than 30 days then the password is going to expire and you will probably need to reset the computer account in Active Directory.

    The ideal situation to shoot for is two levels of standalone CA's that remain offline and then your issuing CA's to be on the third level and be configured as enterprise CA's and remain online. But remember that ideal situations aren't always present in real life and thus aren't presented on the exam. If your manager tells you that the budget only allows two levels of CA's, then you can preach best practices until you are blue in the face but you are still going to need to implement a infrastructure that only is two levels and still make it as secure as possible.

    And I do swear by Transcender, but nobody is perfect. I have found 2 mistakes with their questions in the 6 or 7 different exam packs that I have used. Use the feedback to submit your claim. Maybe they are wrong (and will admit to that), but at the very least you will get a reply back from George or someone explaining why they believe the question is correct.
    Decide what to be and go be it.
  • DevilsbaneDevilsbane Member Posts: 4,214 ■■■■■■■■□□
    http://www.techexams.net/forums/mcsa-mcse-security/36696-taking-enterprise-root-ca-offline.html

    Here is an older thread, but there is some good discussion on the subject of CA's. And here is a technet document.

    http://technet.microsoft.com/en-us/library/cc737834(WS.10).aspx
    Decide what to be and go be it.
  • DevilsbaneDevilsbane Member Posts: 4,214 ■■■■■■■■□□
    I read the 70-299 book and there were a couple chapters on certificates and CA's. They explained some differences between Enterprise and Standalone, but they never went into too much details about when to use a standalone. It was very one sided with all of the features that enterprise provides. Maybe MS just wants to sell more copies of Enterprise and Datacenter server?

    The 298 being a design exam I would expect to get into more details on that, but maybe there is the same slant there too.
    Decide what to be and go be it.
  • Shadly1Shadly1 Member Posts: 96 ■■□□□□□□□□
    I just got through that part in the Self-Paced Training Kit. What I gathered, from a security standpoint, is just plain DON'T create an Enterprise Root. Good security is to make it standalone so you can lock it in a vault for long periods of time... and not the same vault you store your backup tapes in.
  • DevilsbaneDevilsbane Member Posts: 4,214 ■■■■■■■■□□
    Shadly1 wrote: »
    I just got through that part in the Self-Paced Training Kit. What I gathered, from a security standpoint, is just plain DON'T create an Enterprise Root. Good security is to make it standalone so you can lock it in a vault for long periods of time... and not the same vault you store your backup tapes in.

    I agree with this, but the test might not. Don't rule out an answer just because it uses an enterprise root, always read the question or the case study if it is for the 298.

    If it's going offline, then it should be standalone. Even the test should agree with that.
    Decide what to be and go be it.
  • Shadly1Shadly1 Member Posts: 96 ■■□□□□□□□□
    Devilsbane wrote: »
    I agree with this, but the test might not. Don't rule out an answer just because it uses an enterprise root, always read the question or the case study if it is for the 298.

    If it's going offline, then it should be standalone. Even the test should agree with that.
    Yeah, I found a couple of examples of enterprise roots in my study materials. They don't go into too much detail about why. All I can guess is that it was a single CA to start with and has grown to require subordinates? Doesn't matter that much. I just have to pay attention to the wording. I know it's good security to have offline root/online enterprise subordinates but it's not always what's out there.
  • Todd BurrellTodd Burrell Member Posts: 280
    You also need to know the differences between an enterprise and stand alone based on what the functions need to be. I don't remember the details, but I seem to remember that a stand alone cannot use templates, etc... If you know these differences then you should be fine - just know what types of certs each can give out. I have seen questions that based the answer based on what types of functions/certs were to be distributed.
Sign In or Register to comment.