Offline Root & Online Subordinate Steps Required
Hi, I am looking for clear steps on deploying an offline stand-alone Root CA, then deploying an AD-integrated Subordinate CA. I mean, I can install an offline Root CA, then install the AD Subordinate CA, generate the Sub request and get the Root CA to issue it... however, it's the other steps I need clarification on:

It is recommended not to have any CDP or AIA extensions in the actual Root CA certificate, is that correct? How do we do that?
Should we add the Subordinate CA URL in here somewhere for the CRLs? When and how do we do that? CAPolicy.inf?
Do I need to export the Root CA cert and import it into the AD Default Domain Policy?
What about the Root CA's CRL files? How do we publish them? (certutil -dspublish?)

Basically, when the Root CA is offline, we want to be able to run PKIView.msc from the online Sub CA and everything needs to be OK... what are all these steps, please?
Would OCSP make our lives easier? Which applications support it, though?

Kind regards
SK
May 23rd, 2010 9:08pm

Hi, I highly recommend you have a read of "Windows Server 2008 PKI and Certificate Security" by Brian Komar. It details the steps required for a 2-tier CA. I found the book saved me countless hours and was well worth purchasing.

AIA and CDP are not required for an offline root CA. In 2008, just exclude both [AuthorityInformationAccess] and [CRLDistributionPoint]; in 2003 you will need to add Empty=true.

My understanding is that the CDP and AIA URLs are added by using certutil -setreg after the Root CA is installed.

The Root CA cert must be installed into the subordinate CA prior to installing it, via the certutil -addstore -f Root command.

To publish the CA you need to have enterprise admin access and use certutil -dspublish.

Personally I don't have the experience to list all the steps required to make a CA, I'm still learning about CA deployment, but they are covered in the book previously mentioned in detail.

regards shane
Shane Hoey psugbne.org | Powershell Usergroup Brisbane
May 24th, 2010 2:55am
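The steps described in the reply above (a CAPolicy.inf with no AIA/CDP sections for the root, certutil -setreg to set the URLs the root puts into the subordinate's certificate, certutil -addstore on the subordinate, and certutil -dspublish into AD), collected into one script as an added example. This is not code from any poster in the thread. The CA name ContosoRootCA, the HTTP host pki.example.com and the file names are assumptions chosen for the example; the certutil switches and registry value names are the standard ones for Windows Server 2008 AD CS.

```powershell
# --- Part 1: on the OFFLINE root, BEFORE installing the AD CS role ---
# CAPolicy.inf in %WINDIR% controls the root's own self-signed certificate.
# Leaving out [AuthorityInformationAccess] and [CRLDistributionPoint] on 2008
# gives a root certificate with no AIA/CDP extensions (on 2003 add Empty=True).
$caPolicy = @"
[Version]
Signature="`$Windows NT`$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Years
CRLPeriodUnits=1
CRLDeltaPeriodUnits=0
"@
Set-Content -Path "$env:WINDIR\CAPolicy.inf" -Value $caPolicy -Encoding Ascii

# --- Part 2: on the OFFLINE root, AFTER the role is installed ---
# These URLs are NOT written into the root's own certificate; they are the CDP/AIA
# the root places into certificates it issues (i.e. the subordinate CA cert), so the
# online Sub CA can find the root's CRL and certificate over HTTP while the root is off.
# Flag meanings: 1 = publish to this location, 2 = include in issued certificates.
# %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix, %1 = server DNS name, %4 = cert suffix.
$httpBase = "http://pki.example.com/pki"   # assumed web server reachable by all clients
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:$httpBase/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$httpBase/%1_%3%4.crt"

# An offline root cannot publish delta CRLs on a schedule; issue one long-lived base CRL.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service CertSvc
certutil -crl   # writes the new CRL to %WINDIR%\system32\CertSrv\CertEnroll

# Copy the root certificate and CRL to removable media for the online side.
Copy-Item "$env:WINDIR\system32\CertSrv\CertEnroll\*.crt" E:\
Copy-Item "$env:WINDIR\system32\CertSrv\CertEnroll\*.crl" E:\

# --- Part 3: on a domain-joined machine, as an Enterprise Admin ---
# Publish the root certificate into the AD Configuration partition. Domain members
# pick it up as a trusted root through Group Policy autoenrollment, so a separate
# import into the Default Domain Policy is not needed.
certutil -dspublish -f E:\ContosoRootCA.crt RootCA
# Publish the root CRL to the AD CDP container as well (LDAP CDP for clients that use it).
certutil -dspublish -f E:\ContosoRootCA.crl

# Make the same files available at the HTTP location used in Part 2 (assumed IIS path).
Copy-Item E:\ContosoRootCA.crt \\pki.example.com\pki\
Copy-Item E:\ContosoRootCA.crl \\pki.example.com\pki\

# --- Part 4: on the future Sub CA, before installing its AD CS role ---
certutil -addstore -f Root E:\ContosoRootCA.crt

# --- Part 5: verification, the command-line equivalent of a green PKIView.msc ---
# Fetches every AIA/CDP URL in the subordinate's certificate and reports each one.
certutil -verify -urlfetch .\SubCA.crt
```

The -setreg values use a literal "\n" to separate entries of the multi-string registry value; PowerShell does not expand "\n" or "%3", so they reach certutil unchanged, which is what is wanted here. The Part 2 URLs only matter for certificates the root issues; if the root cert itself came out with CDP/AIA extensions, CAPolicy.inf was not in %WINDIR% before the role was installed.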

Hi, The PKI implementing guide could be helpful for your work: Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure http://technet.microsoft.com/en-us/library/cc772670(WS.10).aspx This posting is provided "AS IS" with no warranties, and confers no rights.
May 24th, 2010 5:20am

Thank you for the feedback, I also just found this nice breakdown of tasks: http://technet.microsoft.com/en-us/library/cc737834%28WS.10%29.aspx
May 24th, 2010 12:09pm

Just remember that both those pages are for Server 2003. There are some differences between Certificate Services in 2008 and 2003.

cheers shane
Shane Hoey psugbne.org | Powershell Usergroup Brisbane
May 24th, 2010 5:06pm

I have worked through a virtual environment, and that TechNet link above worked for me: http://technet.microsoft.com/en-us/library/cc737834%28WS.10%29.aspx

Valid point Shane, thanks.
May 24th, 2010 5:58pm

This topic is archived. No further replies will be accepted.
