Petri IT Knowledgebase Forums > Microsoft Networking Services > Active Directory
Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs
this thread has 2 replies and has been viewed 6158 times

#1  19th March 2008, 08:55  g18c (Casual, Join Date: Mar 2008, Posts: 2)

Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs

Hi, my existing setup is/was simple. I had a single-site Active Directory for 30 users and an Exchange server.

All computer workstation identification certs were pushed out via autoenrollment, and as such they trust the root CA, which was the one that issued the certificates.

As I will now have a number of sites, I think it would be prudent to have subordinate CAs at each remote location to issue certificates there.

My question is, how would this affect the current computers that have the existing cert issued directly from the enterprise root, compared to other computers that will be issued via the subordinate CA when I get them running? I'm guessing not much, since all computers will trust the root anyway through the certificate tree? The only downside is if the root got compromised in this scenario, since they would still trust it.

To aid my understanding, do enterprise root CAs issue certificates to workstations by default? I'm guessing not, since I had to create a workstation identification template.

How could I ensure in future that the root CA only issues certificates for other subordinate CAs and NOT workstations? Would this be through the certificate management MMC console? Is this controlled by Active Directory GPO or some other setting?

What is the purpose of having a root enterprise CA and a subordinate enterprise CA? I can't see much benefit, and indeed maybe this is less secure as the root is online... This is fine for small networks but, I have found, may no longer be ideal for me.

Can Active Directory automatically publish the revocation list to HTTP for it to check? Do I need to have IIS running on the server? I see the URL for revocation checking, but when I type it into my browser I get a blank page; again, I presume this is because IIS is not running.

Finally, given the site links are expanding, is it possible to move my existing enterprise root CA to a standalone root CA, and then create multiple subordinate CAs to issue certs on the clients' behalf? This would be the ideal setup as a managed upgrade process. Can I move the root enterprise CA to an offline root CA?

Many thanks in advance,

Chris
#2  20th March 2008, 05:08  kapilsharma11 (Member, Here to help, Location: Singapore, Join Date: Oct 2005, Posts: 552)

Re: Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs

It's recommended to have the Enterprise root CA offline....

http://technet2.microsoft.com/window...086af1033.mspx

Regards,
__________________
Kapil Sharma
~~~~~~~~~~~~~
Life is too short, Enjoy It.
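The reply above points at an offline root; the questions in the first post are about the controls around that: stopping the root from issuing workstation certificates, seeing what it has issued so far, and getting the CRL onto an HTTP location. The following is an added example, not code from either poster, showing those controls with certutil on the existing enterprise root CA. AD CS records the CA type at install time (certutil -getreg CA\CAType shows it) and provides no command to switch an installed CA between enterprise and standalone, so this example does not attempt the move; it hardens the root that is already there so it issues only Subordinate CA certificates until new subordinates take over. The host name pki.example.com and the folder C:\inetpub\pki are assumptions, and certsvc itself does not serve HTTP: a web server (IIS or anything else) must expose that folder at the URL placed in the CDP and AIA extensions, which is why the URL returned a blank page in the post.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt on
# the enterprise root CA; certutil defaults to the local CA when no -config is given.
$PkiHost = 'pki.example.com'    # assumed: web host that will serve the CRL and CA cert over HTTP
$PkiPath = 'C:\inetpub\pki'     # assumed: local folder the web server exposes as http://pki.example.com/pki/

# --- 1. Audit the root: its type, the templates it will issue from, and what it has issued ---
# CAType: 0 = enterprise root, 1 = enterprise subordinate, 3 = standalone root, 4 = standalone subordinate
certutil -getreg CA\CAType
certutil -CATemplates
# Disposition 20 = issued. Every row whose template is not SubCA is an end-entity
# certificate the root issued directly; those are the ones to re-issue from the subordinates.
certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CertificateTemplate,NotAfter"

# --- 2. Restrict issuance: leave only the Subordinate Certification Authority template ---
# certutil -CATemplates prints one "CommonName: DisplayName -- ..." line per enabled template,
# followed by a "CertUtil: ... completed successfully" status line that must be skipped.
$enabled = foreach ($line in (certutil -CATemplates)) {
    if ($line -notmatch '^CertUtil:' -and $line -match '^([^:\s]+):') { $Matches[1] }
}
foreach ($template in $enabled) {
    if ($template -ne 'SubCA') {
        # A leading "-" removes the template from this CA; "+" would add one.
        certutil -SetCATemplates "-$template"
    }
}
# Workstation autoenrollment now has nothing to request from the root; enable the
# workstation template on the subordinate CAs instead.

# --- 3. Publish the CRL and CA certificate where the HTTP server can serve them ---
# Flags: 1 = publish the file to this location, 2 = put this URL in the CDP/AIA extension
# of certificates issued from now on. Certificates already issued keep the CDP they were
# issued with, so the LDAP publication entry stays (with flag 1 only) until they expire.
New-Item -ItemType Directory -Path $PkiPath -Force | Out-Null
certutil -setreg CA\CRLPublicationURLs ("1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n" +
    "1:$PkiPath\%3%8%9.crl\n" +
    "1:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n" +
    "2:http://$PkiHost/pki/%3%8%9.crl")
certutil -setreg CA\CACertPublicationURLs ("1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n" +
    "1:$PkiPath\%1_%3%4.crt\n" +
    "2:http://$PkiHost/pki/%1_%3%4.crt")

# A root that is going to spend its life offline needs a CRL that outlives the gaps
# between power-ons, and no delta CRLs at all.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service certsvc        # CA registry settings are read at service start
certutil -CRL                  # publish a fresh CRL to every location flagged with 1
```

The subordinate CA certificates the root issues after this carry the http://pki.example.com/pki/ URLs, so the web server must answer there before the subordinates go into service; opening the CRL URL in a browser and receiving the .crl file instead of a blank page is the check. The workstation certificates already issued by the root stay valid and chain to the same root; they are simply re-enrolled from a subordinate CA when they renew, or sooner by pushing the workstation template from the subordinates and letting autoenrollment replace them.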
#3  21st March 2008, 11:21  g18c (Casual, Join Date: Mar 2008, Posts: 2)

Re: Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs

Hi, yes, that's why I posted to ask if it is possible to move my current enterprise root CA to a standalone root CA, aka an offline root CA.

Any ideas on this one guys?

Many thanks,

Chris
All times are GMT +3.

Copyright 2005 Daniel Petri