
Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs


Guest Chris Morley
Posted

Hi, my existing setup is/was simple. Had a single site Active Directory for 30 users and an Exchange server.

All computer workstation identification certs were pushed out via autoenrollment and as such they trust the root CA which was the one to issue the certificates.

As I will now have a number of sites I think it would be prudent to have subordinate CAs at each remote location to issue certificates there.

My question is, how would this affect the current computers having the existing CA where it is directly issued from the enterprise root, compared to other computers who were issued via the subordinate CA when I get them running? I'm guessing not much, since all computers will trust the root anyway through the certificate tree? Only downside is if the root got compromised in this scenario since they would still trust it.

To aid my understanding, do enterprise root CAs issue certificates to workstations by default? I'm guessing not, since I had to create a workstation identification template.

How could I ensure in future that the root CA only issues certificates for other subordinate CAs and NOT workstations? Would this be through the certificate management MMC console? Is this controlled by Active Directory GPO or some other setting?

What is the purpose of having a root enterprise CA and subordinate enterprise CA? I can't see much benefit and indeed maybe this is less secure as the root is online... this is fine for small networks but I have found may no longer be ideal for me.

Can Active Directory automatically publish the revocation list to HTTP for it to check? Do I need to have IIS running on the server? I see the URL for revocation checking but when I type it in in my browser I get a blank page, again I presume because IIS is not running.

Finally, given the site links are expanding, is it possible to move my existing enterprise root CA to a standalone root CA, and then create multiple subordinate CAs to issue certs on the clients' behalf? This would be the ideal setup as a managed upgrading process. Can I move the root enterprise CA to an offline root CA?

Many thanks in advance,

Chris

Guest Paul Adare
Posted

Re: Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs

On Tue, 18 Mar 2008 22:45:03 -0700 (PDT), Chris Morley wrote:

> Hi, my existing setup is/was simple. Had a single site Active Directory for 30 users and an Exchange server.
>
> All computer workstation identification certs were pushed out via autoenrollment and as such they trust the root CA which was the one to issue the certificates.

This is not why they trust the root. They trust the root because the root CA is an Enterprise root, which means its CA certificate gets published to Active Directory and gets installed in the Trusted Root store on client computers in the forest through Group Policy.

> As I will now have a number of sites I think it would be prudent to have subordinate CAs at each remote location to issue certificates there.
>
> My question is, how would this affect the current computers having the existing CA where it is directly issued from the enterprise root, compared to other computers who were issued via the subordinate CA when I get them running?

It would not affect the existing certificates at all.

> I'm guessing not much, since all computers will trust the root anyway through the certificate tree? Only downside is if the root got compromised in this scenario since they would still trust it.

Which is why it is generally a bad idea to use an Enterprise root, which must, by definition, be on the network. For 30 users and internal-only certificates you're likely OK with an online Enterprise root.

> To aid my understanding, do enterprise root CAs issue certificates to workstations by default? I'm guessing not, since I had to create a workstation identification template.

What certificates get issued depends on what certificate templates are published at an Enterprise CA, whether it is a root or subordinate.

> How could I ensure in future that the root CA only issues certificates for other subordinate CAs and NOT workstations? Would this be through the certificate management MMC console? Is this controlled by Active Directory GPO or some other setting?

Use the Certification Authority console to remove all of the certificate templates that are published at the root except for the SubCA template.

> What is the purpose of having a root enterprise CA and subordinate enterprise CA? I can't see much benefit and indeed maybe this is less secure as the root is online... this is fine for small networks but I have found may no longer be ideal for me.

For a small network having an online Enterprise root CA simply makes it easier as you don't have to manually publish either the root CA certificate or root CA CRL to the directory; it happens automatically.

> Can Active Directory automatically publish the revocation list to HTTP for it to check?

Active Directory has nothing to do with this; the CA however can automatically publish to an HTTP location.

> Do I need to have IIS running on the server? I see the URL for revocation checking but when I type it in in my browser I get a blank page, again I presume because IIS is not running.

The CA does not require IIS unless you want to use the web enrollment pages or if you are using it to host CRLs.

> Finally, given the site links are expanding, is it possible to move my existing enterprise root CA to a standalone root CA, and then create multiple subordinate CAs to issue certs on the clients' behalf? This would be the ideal setup as a managed upgrading process. Can I move the root enterprise CA to an offline root CA?

No, you can't move a root from one type to another; you'd need to install a new root as an offline standalone root and then manually publish its certificate and CRL.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Semi-conductor: A person hired to lead an orchestra before he has graduated from director's school.

Guest Chris Morley
Posted

> > Finally, given the site links are expanding, is it possible to move my existing enterprise root CA to a standalone root CA, and then create multiple subordinate CAs to issue certs on the clients' behalf? This would be the ideal setup as a managed upgrading process. Can I move the root enterprise CA to an offline root CA?
>
> No, you can't move a root from one type to another; you'd need to install a new root as an offline standalone root and then manually publish its certificate and CRL.
>
> --
> Paul Adare

Dear Paul,

Many thanks for the informative reply. We will actually have over 70 users within the next year split across multiple sites, I therefore believe it's prudent to take the pain now and move to an offline root architecture with subordinate enterprise CAs at each site to issue certs. I only have two Windows Mobile phones so it won't be too much trouble to install the new certificates.

Do you have any advice on how to do this? I'm thinking something along the following:

1) Create a new offline root CA
2) Commission new subordinate enterprise CA at each site (or make sure VPN works to ensure certs can be auto enrolled to clients)
3) Publish new Workstation identification templates on the subordinate CA
4) Check all new templates have been pushed to clients and the new offline root CA is trusted
5) Create new IIS template for Exchange with the new offline root CA trusted chain
6) Uninstall old enterprise root CA

What happens where I have this two certificate authority setup with multiple auto enrollment for multiple certificate servers? Will Active Directory ensure that clients request templates from the new subordinate CAs? Or does a client simply contact the first certificate server that it can see?

Finally, how can I ensure that external clients can see the CRL published via HTTP? I can't find the place where I can change this string in the certificate template before it is published via auto enrollment.

Many thanks,

Chris
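The plan Chris sketches above matches what Paul described earlier in the thread: stop the old root publishing anything but SubCA, stand up an offline standalone root, publish its certificate and CRL by hand, and have the new issuing CAs write an HTTP CRL location into the certificates they issue. The commands below are an added example written for this thread, not something either poster supplied. They use certutil and the ADCSAdministration cmdlets that ship with Windows Server (the cmdlets need Server 2012 or later; certutil -SetCATemplates and certutil -setreg do the same job on older versions). The CA names, host names, file paths and the http://pki.example.com URLs are placeholders. Two facts the example relies on that the thread does not spell out: the CRL distribution point URL is a setting of the issuing CA (the CA\CRLPublicationURLs registry value), not of the certificate template, which is why it cannot be found in the template editor; and every CA publishes its own CRL, so each subordinate CA needs a reachable CDP of its own in addition to the root's.

```powershell
# Added example for this thread (not the posters' own commands).
# Placeholders: CORP-OLD-ROOT (old online enterprise root), CORP-ROOT-CA (new
# offline standalone root), ISSUING-CA-1 (new enterprise subordinate),
# http://pki.example.com/crl/ and /aia/ (served by any web server; the CA
# itself does not need IIS for this).
# Run each section on the machine named in its heading, from an elevated prompt.

# ---- 1. On the OLD online enterprise root: leave only SubCA published ----
# Requires the ADCSAdministration module (Server 2012+). On older versions:
#   certutil -SetCATemplates -<TemplateName>   removes one template
#   certutil -CATemplates                       lists what is still published
Import-Module ADCSAdministration
Get-CATemplate |
    Where-Object { $_.Name -ne 'SubCA' } |
    ForEach-Object { Remove-CATemplate -Name $_.Name -Force }
Get-CATemplate        # expect a single entry: SubCA

# ---- 2. On the NEW offline standalone root (workgroup, never domain-joined) ----
# A long CRL lifetime lets the root stay powered off between CRL re-issues.
certutil -setreg CA\CRLPeriodUnits 6
certutil -setreg CA\CRLPeriod 'Months'
# Flag 65 = publish the CRL to this file path (1) + delta CRL (64).
# Flag 6  = put this URL in the CDP (2) and freshest-CRL (4) extensions of
#           the sub-CA certificates the root issues.
# %3 = CA name, %8 = CRL name suffix, %9 = delta marker, %1 = server DNS name,
# %4 = CA certificate index; certutil expands them at publication time.
certutil -setreg CA\CRLPublicationURLs '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://pki.example.com/crl/%3%8%9.crl'
certutil -setreg CA\CACertPublicationURLs '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/aia/%3%4.crt'
Restart-Service certsvc
certutil -CRL                     # writes CORP-ROOT-CA.crl into CertEnroll
# Copy CertEnroll\*.crt and *.crl to removable media for step 3, and to the
# web server's /crl and /aia directories.

# ---- 3. On a domain-joined box, as an Enterprise Admin: publish root to AD ----
# "RootCA" places the certificate in the forest's trusted root container, from
# where Group Policy pushes it to every machine's Trusted Root store (the
# mechanism Paul describes; an enterprise root does this on its own).
certutil -dspublish -f C:\pki\CORP-ROOT-CA.crt RootCA
certutil -dspublish -f C:\pki\CORP-ROOT-CA.crl

# ---- 4. On each NEW enterprise subordinate CA: its own CDP and AIA ----
# The sub CA issues the workstation certs, so its CRL is the one clients check
# most often; the URL below is written into every certificate it issues.
Import-Module ADCSAdministration
Add-CACrlDistributionPoint -Uri 'http://pki.example.com/crl/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri 'http://pki.example.com/aia/<ServerDNSName>_<CaName><CertificateName>.crt' `
    -AddToCertificateAia -Force
Restart-Service certsvc
certutil -CRL
# Publish the workstation template here, not at the root ('Workstation' is the
# built-in Workstation Authentication template; use the custom template's name).
Add-CATemplate -Name 'Workstation' -Force

# ---- 5. Checks ----
# Walk the sub-CA certificate's chain and fetch every CDP/AIA URL it carries;
# an "ERROR" line here means clients will fail revocation checking too.
certutil -verify -urlfetch C:\pki\ISSUING-CA-1.crt
# On a client: refresh policy, trigger autoenrollment, confirm the new root is
# trusted and see which CA issued the machine certificate.
gpupdate /force
certutil -pulse
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like 'CN=CORP-ROOT-CA*' }
Get-ChildItem Cert:\LocalMachine\My   | Select-Object Subject, Issuer, NotAfter
```

The -urlfetch check in step 5 is the one to run before uninstalling the old root: it exercises exactly the HTTP path an external client will use, so a blank page or a stale CRL on the web server shows up here rather than as failed authentications later.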

Guest Chris Morley
Posted

On 21 Mar, 12:33, Chris Morley <morl...@gmail.com> wrote:


> Finally, how can I ensure that external clients can see the CRL published via HTTP? I can't find the place where I can change this string in the certificate template before it is published via auto enrollment.

 

Sorry, I also forgot to ask: does anyone know if I need to publish separate CRL locations for the subordinate CAs in addition to the root CA CRL?

Thanks again,

Chris

11 months later...
Guest samarthykishore
Posted

Hello Chris

I am stuck with the same issue. I am trying to find out, if I have a client computer auto enrolled and it received a certificate from a root CA, and now I am planning to create a new root CA in my environment, will the computer get another certificate using auto enrollment and use the latest certificate? Also, when I look in the web enrollment I don't see a computer template, though it exists in your certificate templates; what is the procedure to add your templates so they show up in web enrollment?

I was browsing through many forums regarding this issue and you were the only one I could find who has run into the same issue. It would be great if you reply back with the solution you had for this issue.

Thanks in advance!!

Sandeep.

 

 


--
samarthykishore
samarthykishore's Profile: http://forums.techarena.in/members/samarthykishore.htm
View this thread: http://forums.techarena.in/microsoft-security/934673.htm

 
