CAs: Enterprise root on parent domain, subordinate on child domain

M

Mark Z.

We want an infrastructure involving two CAs, an enterprise root CA on the
parent domain and a subordinate CA to do all the work on the child domain.

1. Right now we're decomissioning our Enterprise Root off of the PDC on our
Forest Root domain and want to create a brand new Enterprise Root CA on its
own server.

2. On the child domain we want to build a subordinate CA and do all of the
cert publishing off that box (nothing is on the parent domain which is also
the forest root).

3. After the subordinate CA is set up, we can just power off the Enterprise
root CA, correct? What about security updates?

4. What is the proper setup for this chain to work? Any special
considerations or "gotchas" we need to know about?

Thanks!
 
B

Brian Komar \(MVP\)

Re: Enterprise root on parent domain, subordinate on child domain

Almost.,
You want to deploy an offline root CA.
Check out the best practices white paper (www.microsoft.com/pki) or look at
getting a copy of the PKI book from MS Press (several threads on here
referencing it).
You cannot just power off an enterprise CA, as it is a member of the domain.
Only a standalone CA can be powered off as you require.
There are lots of little gotchas discussed in the two sources I provided.
Brian

"Mark Z." <MarkZ@discussions.microsoft.com> wrote in message
news:DE798C53-68F9-4E2B-BE13-CA177D977D57@microsoft.com...
> We want an infrastructure involving two CAs, an enterprise root CA on the
> parent domain and a subordinate CA to do all the work on the child domain.
>
> 1. Right now we're decomissioning our Enterprise Root off of the PDC on
> our
> Forest Root domain and want to create a brand new Enterprise Root CA on
> its
> own server.
>
> 2. On the child domain we want to build a subordinate CA and do all of the
> cert publishing off that box (nothing is on the parent domain which is
> also
> the forest root).
>
> 3. After the subordinate CA is set up, we can just power off the
> Enterprise
> root CA, correct? What about security updates?
>
> 4. What is the proper setup for this chain to work? Any special
> considerations or "gotchas" we need to know about?
>
> Thanks!
 
P

Paul Adare

On Thu, 20 Mar 2008 07:28:04 -0700, Mark Z. wrote:



>
> 3. After the subordinate CA is set up, we can just power off the Enterprise
> root CA, correct? What about security updates?

Then you should be building a standalone root, not an enterprise root. As
far as security updates go, if you treat your standalone root correctly, in
that you never attach it to a network, it doesn't really need regular
updates. I'd suggest that you simply apply any service packs that are
available when you need to start it up to publish a new CRL.

>
> 4. What is the proper setup for this chain to work? Any special
> considerations or "gotchas" we need to know about?

http://www.microsoft.com/pki

http://www.amazon.com/Microsoft-Windows-Server-Certificate-Security/dp/0735620210


--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Programming is an unnatural act.
 
You must log in or register to reply here.

Similar threads

I
Automatic installation of an Enterprise CA on domain-joined workstations
Replies
0
Views
51
imprise
I
L
Need help with Certificate Authority and cannot Submit a Certificate Request, bad Pki entries in my domain??
Replies
0
Views
312
LeeJohnson7
L
J
  • Article
Leading change: How industries are partnering with Microsoft to empower their teams and serve customers through uncertainty
Replies
0
Views
422
Judson Althoff
J
S
Security Advisory ADV190023 effect on non-domain appliances using LDAP queries against Windows domain controllers
Replies
0
Views
282
Senor Foglia
S
C
3rd party Certs in RDP
Replies
0
Views
223
Craigbon
C
Back
Top Bottom