CAs: Enterprise root on parent domain, subordinate on child domain


Guest Mark Z.

We want an infrastructure involving two CAs, an enterprise root CA on the parent domain and a subordinate CA to do all the work on the child domain.

1. Right now we're decommissioning our Enterprise Root off of the PDC on our Forest Root domain and want to create a brand new Enterprise Root CA on its own server.

2. On the child domain we want to build a subordinate CA and do all of the cert publishing off that box (nothing is on the parent domain which is also the forest root).

3. After the subordinate CA is set up, we can just power off the Enterprise root CA, correct? What about security updates?

4. What is the proper setup for this chain to work? Any special considerations or "gotchas" we need to know about?

Thanks!


Guest Brian Komar (MVP)

Re: Enterprise root on parent domain, subordinate on child domain

Almost.

You want to deploy an offline root CA.

Check out the best practices white paper (www.microsoft.com/pki) or look at getting a copy of the PKI book from MS Press (several threads on here referencing it).

You cannot just power off an enterprise CA, as it is a member of the domain. Only a standalone CA can be powered off as you require.

There are lots of little gotchas discussed in the two sources I provided.

Brian

 

"Mark Z." <MarkZ@discussions.microsoft.com> wrote in message news:DE798C53-68F9-4E2B-BE13-CA177D977D57@microsoft.com...

> We want an infrastructure involving two CAs, an enterprise root CA on the parent domain and a subordinate CA to do all the work on the child domain.
>
> 1. Right now we're decommissioning our Enterprise Root off of the PDC on our Forest Root domain and want to create a brand new Enterprise Root CA on its own server.
>
> 2. On the child domain we want to build a subordinate CA and do all of the cert publishing off that box (nothing is on the parent domain which is also the forest root).
>
> 3. After the subordinate CA is set up, we can just power off the Enterprise root CA, correct? What about security updates?
>
> 4. What is the proper setup for this chain to work? Any special considerations or "gotchas" we need to know about?
>
> Thanks!


Guest Paul Adare

On Thu, 20 Mar 2008 07:28:04 -0700, Mark Z. wrote:

> 3. After the subordinate CA is set up, we can just power off the Enterprise root CA, correct? What about security updates?

Then you should be building a standalone root, not an enterprise root. As far as security updates go, if you treat your standalone root correctly, in that you never attach it to a network, it doesn't really need regular updates. I'd suggest that you simply apply any service packs that are available when you need to start it up to publish a new CRL.

> 4. What is the proper setup for this chain to work? Any special considerations or "gotchas" we need to know about?

http://www.microsoft.com/pki

http://www.amazon.com/Microsoft-Windows-Se...y/dp/0735620210

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Programming is an unnatural act.
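Both replies come down to the same design: the root is a standalone CA kept off the network and powered on only to issue a new CRL. The operational gotcha that follows from that is the root CRL's lifetime, because once it lapses every certificate issued by the subordinate fails revocation checking until the root is brought up and a fresh CRL is published. The PowerShell below is an added example, not code from either poster or from Microsoft; it checks that a certificate issued by the subordinate still builds a chain with revocation checked on every link, and reads the NextUpdate of a local copy of the root's CRL. The thumbprint and CRL path are placeholders.

```powershell
# Added example (not from the thread). Two checks for an offline standalone
# root with an online subordinate:
#   1. a subordinate-issued certificate still chains, with revocation checked
#      on the whole chain (an expired root CRL surfaces here);
#   2. how long the root's last published CRL remains valid, so the root is
#      powered on before NextUpdate passes rather than after clients fail.
#
# Placeholders (assumed, not from the thread): $LeafThumbprint, $RootCrlPath.

function Test-IssuedCertificateChain {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $leaf = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $leaf) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # EntireChain makes the subordinate CA certificate (signed by the root) get
    # its revocation status checked too, which needs the root's current CRL.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $built = $chain.Build($leaf)

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $status = 'OK'
        if ($element.ChainElementStatus.Count -gt 0) {
            $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        }
        Write-Host ('{0}  (expires {1:yyyy-MM-dd})  [{2}]' -f $cert.Subject, $cert.NotAfter, $status)
    }
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ('{0}: {1}' -f $s.Status, $s.StatusInformation.Trim())
    }
    return $built
}

function Get-RootCrlNextUpdate {
    param([Parameter(Mandatory = $true)][string]$CrlPath)
    # certutil -dump prints the CRL's ThisUpdate/NextUpdate fields in the
    # machine's locale; [datetime]::Parse reads them back with the same culture.
    $line = certutil -dump $CrlPath |
        Select-String -Pattern '^\s*NextUpdate:\s*(.+?)\s*$' |
        Select-Object -First 1
    if (-not $line) { throw "No NextUpdate field found in $CrlPath (is it a CRL?)" }
    $nextUpdate = [datetime]::Parse($line.Matches[0].Groups[1].Value)
    $remaining = $nextUpdate - (Get-Date)
    Write-Host ('Root CRL NextUpdate: {0}  ({1:N1} days left)' -f $nextUpdate, $remaining.TotalDays)
    return $nextUpdate
}

# --- usage (values are placeholders) ---
$LeafThumbprint = 'PLACEHOLDER_LEAF_THUMBPRINT'   # assumed: a cert issued by the subordinate CA
$RootCrlPath    = 'C:\PKI\RootCA.crl'             # assumed: local copy of the root's last CRL

$chainOk = Test-IssuedCertificateChain -Thumbprint $LeafThumbprint
$next    = Get-RootCrlNextUpdate -CrlPath $RootCrlPath

if (-not $chainOk -or $next -lt (Get-Date).AddDays(14)) {
    # Publication cycle for the offline root: power it on, run "certutil -crl"
    # on the root to issue a new CRL, copy the file to a domain member with
    # rights to the AD CDP container, and run "certutil -dspublish -f <crl>".
    Write-Warning 'Root CRL is expired or expiring: power on the offline root and publish a new CRL.'
}
```

The 14-day threshold is an arbitrary lead time; set it to however long it takes to schedule access to the offline machine, and run the check from a domain member in the child domain so the chain is built against the same CDP locations clients use.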
