Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs
Hi, my existing setup is/was simple. I had a single-site Active Directory for 30 users and an Exchange server. I now have multiple Windows 2008 servers split across multiple sites. All computer workstation identification certs were pushed out via autoenrollment and as such they trust the root CA, which was the one to issue the certificates. As I will now have a number of sites, I think it would be prudent to have subordinate CAs at each remote location to issue certificates there.

My question is, how would this affect the current computers having the existing certificate where it is directly issued from the enterprise root, compared to other computers who were issued via the subordinate CA when I get them running? I'm guessing not much, since all computers will trust the root anyway through that certificate tree? The only downside is if the root got compromised in this scenario, since they would still trust it.

Given the site links are expanding, is it possible to move my existing enterprise root CA to a standalone root CA, and then create multiple subordinate CAs to issue certs on the clients' behalf? This would be the ideal setup as a managed upgrading process. Can I move the root enterprise CA to an offline root CA?

To aid my understanding, do enterprise root CAs issue certificates to workstations by default? I'm guessing not, since I had to create a workstation identification template for the enterprise root CA. How could I ensure in future that the root CA only issues certificates for other subordinate CAs and NOT workstations? Would this be through the certificate management MMC console? Is this controlled by Active Directory GPO or some other setting?

What is the purpose of having an online root enterprise CA and subordinate enterprise CA? I can't see much benefit and indeed maybe this is less secure as the root is online... this is fine for small networks but I have found it may no longer be ideal for me. This is why I wish to move my existing root enterprise CA to an offline root standalone CA.

Can Active Directory automatically publish the revocation list to HTTP for it to check? Do I need to have IIS running on the server? I see the URL for revocation checking but when I type it in in my browser I get a blank page; again, I presume because IIS is not running. I did read that this CRL location can be changed without revoking any certificates, and this will be updated when the client renews their certificate. http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/405009001931/r/797005301931

So in summary, it would be great if I can install a subordinate CA into the system, then reissue new workstation certificates to all clients via that subordinate CA. I can then revoke the original certs issued directly by the root before I move it offline to ensure the clients will renew with the subordinate CA from that point on. This is a slightly painful process as certs are already issued to clients and this is used to identify the Exchange server in Exchange 2007. But as long as the chain of trust isn't broken I don't see a problem with the above, but thoughts would be very much appreciated.

Many thanks in advance, Chris
March 19th, 2008 9:10am

What you are going to want to do is completely re-organize your CA hierarchy. Create an offline root CA and have that issue certificates to your subordinate CAs. You will have to revoke and re-issue certificates for everyone if you did this, but I think that as your environment grows, you will like the flexibility of a two-tier hierarchy.

To directly answer your questions: Root CAs are not normally used to issue certificates to workstations. But they can. The way to ensure that your root CA only issues certs for other subordinate CAs is to tightly control access to it. Keeping it off the network at all stages of its lifecycle is a good start. Having an online root enterprise CA and subordinate CAs is an easier-to-manage, but less secure, implementation of the offline-root, two-tier hierarchy model.

I don't like this as an idea... You may (theoretically) be able to move an Enterprise CA to a Stand-Alone, but it most certainly would be a bad idea to try. The creation of an Enterprise CA adds a deal of information to AD which can be deleted simply enough, but all of the certificates that you have issued are (by default) set up to reference that information. Also, all of the ACLs on everything on your server are set up to reference AD objects... It would be far easier (and recommended by MS) to create a stand-alone CA (offline root) and then set up your Enterprise Subordinate CAs.

AD doesn't publish the CRL to HTTP - the Enterprise CA does. The CA also publishes the CRL to Active Directory (and anywhere else you configure it to do so). You do need IIS running to access a CRL by HTTP. Also, keep in mind that the certificate's information containing CRL publishing points is permanent. If you change the CRL points, you have to re-issue all of your certs.

To recap, rebuild your CA infrastructure. There is a book by Brian Komar: http://www.amazon.com/Microsoft-Windows-Server-Certificate-Security/dp/0735620210 It discusses all of the points that you are going to need very quickly and clearly, so I highly recommend it. Luck,
March 24th, 2008 7:28pm
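The reply above makes two checkable claims: a CRL is only reachable over HTTP if the web server actually serves it, and clients validate the chain against the CDP baked into each issued certificate. The following PowerShell script is an added example (not code from the thread, from Microsoft, or from any poster) that performs exactly those checks from a domain member's point of view: it reads the CDP URLs out of an exported certificate, downloads each HTTP CRL and has certutil parse it, then builds the chain with online revocation checking. The path C:\temp\workstation.cer and the output file are hypothetical; point it at any certificate exported from the Certificates MMC.

```powershell
# Added example, not from the thread: verify that the CRL Distribution Point (CDP)
# embedded in an issued certificate serves a parseable CRL and that the chain builds
# with online revocation checking, which is what a domain member does on validation.
# Assumptions (hypothetical): the certificate was exported to C:\temp\workstation.cer
# and fetched CRLs are written to C:\temp\fetched.crl for inspection.

param(
    [string]$CertPath = "C:\temp\workstation.cer",
    [string]$CrlOut   = "C:\temp\fetched.crl"
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"

# 1. Pull the CDP URLs out of the CRL Distribution Points extension (OID 2.5.29.31).
#    These are the locations the reply calls "permanent": they cannot change without reissue.
$cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
$cdpUrls = @()
if ($cdpExt) {
    $cdpUrls = [regex]::Matches($cdpExt.Format($true), '(http|ldap)://[^\s]+') | ForEach-Object { $_.Value }
} else {
    Write-Warning "Certificate carries no CDP extension; clients cannot check revocation for it."
}
"CDP URLs in certificate:"
$cdpUrls | ForEach-Object { "  $_" }

# 2. For each HTTP CDP, download the CRL (this is the file IIS must serve) and let
#    certutil parse it. The blank browser page from the question shows up here as a
#    download error, a zero-byte body, or a certutil parse failure.
$web = New-Object System.Net.WebClient
foreach ($url in ($cdpUrls | Where-Object { $_ -like "http://*" })) {
    try {
        $bytes = $web.DownloadData($url)
        [System.IO.File]::WriteAllBytes($CrlOut, $bytes)
        "  $url -> $($bytes.Length) bytes"
        if ($bytes.Length -eq 0) { Write-Warning "  Empty response; the web server is not serving the CRL." }
        # certutil -dump prints the issuer, ThisUpdate/NextUpdate and the revoked entries.
        & certutil.exe -dump $CrlOut | Select-String "Issuer|ThisUpdate|NextUpdate|CRL Entries"
    } catch {
        Write-Warning "  $url not reachable or not a CRL: $($_.Exception.Message)"
    }
}

# 3. Build the chain with online revocation checking on every element. A chain that
#    builds with RevocationMode = NoCheck but fails here points at the CDP, not at trust.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$built = $chain.Build($cert)
"Chain builds with revocation checking: $built"
foreach ($element in $chain.ChainElements) {
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ","
    if (-not $status) { $status = "OK" }
    "  $($element.Certificate.Subject)  [$status]"
}
```

The same three checks can be run in one shot with `certutil -verify -urlfetch C:\temp\workstation.cer`, which fetches every AIA and CDP URL in the chain and reports each one as verified or failed; the script above is useful when you want the individual results in a form you can log per site before and after adding the subordinate CAs.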

So, your answer is 'start over and RTFM'?
May 22nd, 2010 6:26pm

This is possible. I have posted the Enterprise -> Standalone CA migration process: http://www.sysadmins.lv/PermaLink,guid,8b6c3419-3cd0-45be-b922-c263eeb6f12d.aspx (the post is in Russian, so you may need to use an online translator). In short, the process consists of the following steps:

1) prepare the Enterprise CA
2) back up the Enterprise CA keys and DB
3) remove the Enterprise CA role from the AD server
4) set up a new Standalone CA server with the existing keys (backed up in the previous step)
5) restore the DB on the new Standalone CA server
6) set up and configure the new Enterprise Subordinate CA server

The general problem is to maintain the current Root CA CDP and AIA locations. So you will have to reconfigure your web server and manually publish the CA cert and CRLs to the correct locations.

http://www.sysadmins.lv
May 22nd, 2010 9:11pm
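The six steps above are mostly certutil work, and the part that is easy to get wrong is the one the poster flags: the new standalone root must keep publishing to the same CDP and AIA locations the enterprise root wrote into every issued certificate. The PowerShell script below is an added example, not from the thread, from the linked sysadmins.lv post, or from Microsoft. It wraps steps 1 and 2 in a backup function to run on the old enterprise root, and steps 4 and 5 plus the CDP/AIA re-application in a restore function to run on the new standalone root. Step 3 (removing the CA role) and the Server Manager installation of the new Standalone Root CA with the existing private key are manual steps noted in comments. C:\CABackup, the password, and the `<your-web-server>` host in the URL templates are placeholders.

```powershell
# Added example (not the thread's or sysadmins.lv's own code): the backup and restore
# halves of an Enterprise -> Standalone root CA migration, driven by certutil.
# Placeholders: C:\CABackup, the backup password, and <your-web-server> in the URLs.
# Usage:  .\Move-RootCa.ps1 -Phase Backup    (on the old Enterprise root CA)
#         .\Move-RootCa.ps1 -Phase Restore   (on the new Standalone root, role installed)

param(
    [ValidateSet("Backup", "Restore")] [string]$Phase,
    [string]$BackupDir   = "C:\CABackup",               # hypothetical; copy to the new server
    [string]$KeyPassword = "<strong-backup-password>"   # protects the exported CA key (PFX)
)

function Backup-EnterpriseRootCa {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # Step 1: record the publication settings. Issued certs embed these URLs, so the
    # standalone root has to reproduce them exactly or clients lose revocation checking.
    & certutil.exe -getreg CA\CRLPublicationURLs    | Out-File "$BackupDir\CRLPublicationURLs.txt"
    & certutil.exe -getreg CA\CACertPublicationURLs | Out-File "$BackupDir\CACertPublicationURLs.txt"
    & certutil.exe -getreg CA\CRLPeriod             | Out-File "$BackupDir\CRLPeriod.txt"
    & certutil.exe -getreg CA\CRLPeriodUnits        | Out-File "$BackupDir\CRLPeriod.txt" -Append
    # The root certificate itself does not change during the move; keep a copy for AD publishing.
    & certutil.exe -ca.cert "$BackupDir\RootCA.cer"

    # Step 2: full backup of the CA private key (password-protected PFX) and the database.
    & certutil.exe -p $KeyPassword -backup $BackupDir

    # Step 3 is manual: remove the Certification Authority role through Server Manager.
    "Backup written to $BackupDir; copy it to the new standalone root."
}

function Restore-StandaloneRootCa {
    # Step 4 is manual: install the CA role as a Standalone Root CA, choosing "use existing
    # private key" and the PFX from $BackupDir, keeping the same CA name.
    # Step 5: restore the database (the key is already in place from the role install).
    & certutil.exe -restoreDB $BackupDir

    # Re-apply the recorded CDP/AIA locations while the service is stopped. Replace the
    # placeholders with the exact strings saved in the two .txt files during backup.
    # Flags: 1 = publish to this location, 2 = include in the extension of issued certs.
    $crlUrls = "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://<your-web-server>/CertEnroll/%3%8%9.crl"
    $aiaUrls = "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://<your-web-server>/CertEnroll/%1_%3%4.crt"
    & net stop certsvc
    & certutil.exe -setreg CA\CRLPublicationURLs    $crlUrls
    & certutil.exe -setreg CA\CACertPublicationURLs $aiaUrls
    & net start certsvc

    # Publish a fresh CRL signed after the move. A standalone root does not push to AD or
    # IIS by itself, so the files listed here are copied to the web server by hand.
    & certutil.exe -CRL
    Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll" -Include *.crl, *.crt -Recurse

    # Step 6, on a domain-joined machine: publish the root cert and CRL into AD once so
    # members keep trusting the now-standalone root, then install the Enterprise
    # Subordinate CA that takes over workstation issuance:
    #   certutil -dspublish -f "$BackupDir\RootCA.cer" RootCA
    #   certutil -dspublish -f "<copied CRL file>.crl"
}

switch ($Phase) {
    "Backup"  { Backup-EnterpriseRootCa }
    "Restore" { Restore-StandaloneRootCa }
}
```

After the restore, running `certutil -verify -urlfetch` against one of the old workstation certificates is the quickest confirmation that the relocated root still satisfies the CDP and AIA URLs those certificates already carry; if it does, the existing issued certificates stay valid through the move and only the issuance of new ones shifts to the subordinate CA.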
