|
|
 |
|
|
|||||||
| Petri.co.il is happy to award auglan the title of Most Valuable Member !!! |
| Register |  Calendar |
 Search |
 Today's Posts |
Mark Forums Read |
| Notices |
|
|
 |
Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAsthis thread has 2 replies and has been viewed 4910 times
|
 |
|
|
Thread Tools | Search this Thread | Display Modes |
|
#1
19th March 2008, 08:55
|
||||||||
|
||||||||
Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs
Hi, my existing setup is/was simple. Had a single site active directory for 30 users and an exchange server.
All computer workstation identification certs were pushed out via autoenrollment and as such they trust the root CA which was the one to issue the certificates. As i will now have a number of sites i think it would be prudent to have subordinate CAs at each remote location to issue certificates there. My question is, how would this affect the current computers having the existing CA where it is directly issued from the enterprise root, compared to other computers who were issued via the subordinate CA when i get them running? Im guessing not much, since all computers will trust the root anyway through thet certificate tree? Only down side is if the root got comprimised in this scenario since they would still trust it. To aid my understanding, do enterprise root CA issue certificates to workstations by default? Im guessing not, since i had to create a workstation identification template. How could i ensure in future that the root CA only issues certificates for other subordinate CA's and NOT workstations? Would this be through the certificate management mmc console? Is this controlled by active directory GPO or some other setting? What is the purpose of having a root enterprise CA and subordinate enterprise CA? I cant see much benefit and indeedd maybe this is less secure as the root is online... this is fine for small networks but i have found may no longer be ideal for me. Can active directory automatically publish the revocation list to http for it to check? Do i need to have IIS running on the server? I see the url for revocation checking but when i type it in in my browser i get a blank page again i presume because IIS is not running. Finally, given the site links are expanding, Is it possible to move my existing enterprise root CA to a standalone root CA, and then create multiple subordinate CAs to issue certs on the clients behalf? This would be the ideal setup as a managed upgrading process. Can i move the root enterprise CA to an offline root CA? Many thanks in advance, Chris |
|
#2
20th March 2008, 05:08
|
|||||||||||
|
|||||||||||
|
Re: Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs
It's recommended to have Enterprize root CA offline....
http://technet2.microsoft.com/window...086af1033.mspx Regards,
__________________
Kapil Sharma ~~~~~~~~~~~~~ Life is too short, Enjoy It. |
|
#3
21st March 2008, 11:21
|
||||||||
|
||||||||
|
Re: Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs
Hi, yes that why i posted to ask if it possible to move my current enterprise root CA to a standalone root CA, aka offline root CA.
Any ideas on this one guys? Many thanks, Chris |
|
| Thread Tools | Search this Thread |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Migrating DC AD to new Root Domain | craftwreck2001 | Active Directory | 1 | 29th February 2008 14:16 |
| Moving AD root to new server | user7 | Active Directory | 1 | 30th November 2007 14:45 |
| How to demote existing primary root domain to secondary root domain | yulhendri | Active Directory | 2 | 22nd June 2006 14:26 |
| DFS root from DC to Member? | MCSE3737 | Windows Server 2000 / 2003 | 0 | 26th October 2005 11:48 |
| Moving to a new root Enterprise Certificate Authority | heyhogan | Windows Server 2000 / 2003 | 0 | 3rd June 2004 19:13 |
(10)
Linear Mode
