CAs: Enterprise root on parent domain, subordinate on child domain

  • Thread starter Thread starter Mark Z.
  • Start date Start date
M

Mark Z.

We want an infrastructure involving two CAs, an enterprise root CA on the
parent domain and a subordinate CA to do all the work on the child domain.

1. Right now we're decomissioning our Enterprise Root off of the PDC on our
Forest Root domain and want to create a brand new Enterprise Root CA on its
own server.

2. On the child domain we want to build a subordinate CA and do all of the
cert publishing off that box (nothing is on the parent domain which is also
the forest root).

3. After the subordinate CA is set up, we can just power off the Enterprise
root CA, correct? What about security updates?

4. What is the proper setup for this chain to work? Any special
considerations or "gotchas" we need to know about?

Thanks!
 
Re: Enterprise root on parent domain, subordinate on child domain

Almost.,
You want to deploy an offline root CA.
Check out the best practices white paper (www.microsoft.com/pki) or look at
getting a copy of the PKI book from MS Press (several threads on here
referencing it).
You cannot just power off an enterprise CA, as it is a member of the domain.
Only a standalone CA can be powered off as you require.
There are lots of little gotchas discussed in the two sources I provided.
Brian

"Mark Z." <MarkZ@discussions.microsoft.com> wrote in message
news:DE798C53-68F9-4E2B-BE13-CA177D977D57@microsoft.com...
> We want an infrastructure involving two CAs, an enterprise root CA on the
> parent domain and a subordinate CA to do all the work on the child domain.
>
> 1. Right now we're decomissioning our Enterprise Root off of the PDC on
> our
> Forest Root domain and want to create a brand new Enterprise Root CA on
> its
> own server.
>
> 2. On the child domain we want to build a subordinate CA and do all of the
> cert publishing off that box (nothing is on the parent domain which is
> also
> the forest root).
>
> 3. After the subordinate CA is set up, we can just power off the
> Enterprise
> root CA, correct? What about security updates?
>
> 4. What is the proper setup for this chain to work? Any special
> considerations or "gotchas" we need to know about?
>
> Thanks!
 
On Thu, 20 Mar 2008 07:28:04 -0700, Mark Z. wrote:



>
> 3. After the subordinate CA is set up, we can just power off the Enterprise
> root CA, correct? What about security updates?

Then you should be building a standalone root, not an enterprise root. As
far as security updates go, if you treat your standalone root correctly, in
that you never attach it to a network, it doesn't really need regular
updates. I'd suggest that you simply apply any service packs that are
available when you need to start it up to publish a new CRL.

>
> 4. What is the proper setup for this chain to work? Any special
> considerations or "gotchas" we need to know about?

http://www.microsoft.com/pki

http://www.amazon.com/Microsoft-Windows-Server-Certificate-Security/dp/0735620210


--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Programming is an unnatural act.
 
Back
Top