is it true...

  • Thread starter: Gunna
On Tue, 8 Apr 2008 17:18:04 -0700, Gunna wrote:

> that an Enterprise Root CA has to be a domain controller? What about
> subordinates?


Absolutely not true. In fact, if you follow good security practices where
you want to reduce the attack surface on your core infrastructure servers,
a domain controller should only ever be a domain controller, and a CA
should only ever be a CA.

--
Paul Adare
http://www.identit.ca
Shift to the left! Shift to the right! Pop up, push down, byte, byte,
byte!
 
.... plus following the same good security practices, your Root CA should be
offline, while an offline domain controller isn't any good nowadays...

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

"Paul Adare" <pkadare@gmail.com> wrote in message
news:1tj95axsmmjus.1997pdyfpo2mj.dlg@40tude.net...
> On Tue, 8 Apr 2008 17:18:04 -0700, Gunna wrote:
>
>> that an Enterprise Root CA has to be a domain controller? What about
>> subordinates?
>
> Absolutely not true. In fact, if you follow good security practices where
> you want to reduce the attack surface on your core infrastructure servers,
> a domain controller should only ever be a domain controller, and a CA
> should only ever be a CA.
>
> --
> Paul Adare
> http://www.identit.ca
> Shift to the left! Shift to the right! Pop up, push down, byte, byte,
> byte!
 