Stand Alone CA setup
Dear All,

We are implementing an offline root CA, Sub CA, RA and Online Responders, all in standalone mode (not added to a domain, every machine in a workgroup). Kindly answer the following queries:

1. Can we have all of them (root, Sub CA, RA and Online Responders) in a workgroup and still get it working?
2. Is it feasible to have different validity of certificates (e.g. user and computer) on the same Sub CA or issuing authority?
3. How to create client authentication certificates for non-Microsoft clients? Will an OpenSSL CSR work and can it be used for authenticating a particular client? Because we can't have templates on a standalone setup.

Any help is greatly appreciated.

Thanks,
Shaun
October 4th, 2012 6:09am

I have seen a similar question from you before and so I will skip questions 1 and 2. OpenSSL CSRs (PKCS10) are handled by the Windows CA, no problem. The authentication is an issue in your case because your CA is not AD integrated and is standalone. So that being said, you must create local users for authentication. To be honest, you should solve your AD issues first and then use an Enterprise CA.

Regards, Lutz
October 7th, 2012 2:47am

Thanks Lutz. Client authentication: I meant authenticating a client machine (Mac/Linux/Solaris) with a server. Will this require computer accounts in Active Directory? Does it mean any non-Microsoft machine like Linux, Solaris, etc. (not in the AD domain) cannot be issued a client auth certificate unless it becomes a part of the AD domain?
October 7th, 2012 4:40am

We have two scenarios:

1) A computer is requesting a certificate, e.g. for wireless authentication. So the computer identity is the requester and the certificate is enrolled to the local machine certificate store. On a Windows server running as a standalone machine there are no machine accounts. The requesting computer is a member of AD or has at least a machine account.
2) A user is requesting a certificate for himself or for the computer via PKCS10.

In both cases the user must be authenticated against the Windows server. Because you do not have templates with a standalone CA, the CA must accept all attribute values from the PKCS10. Depending on what application you issue certificates for and how many users are allowed to issue certificates, this can be a big security flaw.

Regards, Lutz
October 7th, 2012 11:44pm
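
Because a standalone CA without templates takes its attribute values from the PKCS10 request, as the reply above points out, each request is worth inspecting before it is issued. The following is an added example, not code from the thread participants: it creates a client authentication CSR with OpenSSL and reviews what a CSR asks for. It assumes OpenSSL 1.1.1 or later; the function names, subject names and file paths are hypothetical.

```shell
#!/usr/bin/env bash
# Added example; subject names and file paths are constructed placeholders.

# Client side (Linux/macOS/Solaris): new RSA key plus a PKCS#10 request that
# asks for one EKU only (default: clientAuth). -addext needs OpenSSL 1.1.1+.
make_client_csr() {   # usage: make_client_csr <cn> <key-out> <csr-out> [eku]
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -addext "keyUsage=critical,digitalSignature" \
    -addext "extendedKeyUsage=${4:-clientAuth}" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# CA-operator side: check what a request asks for before it is issued.
# Returns 0 only if the self-signature verifies and the request asks for
# client authentication and nothing CA-like; reasons go to stderr.
review_csr() {        # usage: review_csr <csr-file>
  local text eku rc=0
  # A valid self-signature shows the requester holds the private key.
  if ! openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then
    echo "REJECT: signature does not verify" >&2; return 1
  fi
  text=$(openssl req -in "$1" -noout -text)
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo "REJECT: requests basicConstraints CA:TRUE" >&2; rc=1
  fi
  if printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
    echo "REJECT: requests keyCertSign key usage" >&2; rc=1
  fi
  # The line after the EKU header lists the requested usages.
  eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' |
        tail -n1 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  if [ "$eku" != "TLS Web Client Authentication" ]; then
    echo "REJECT: EKU is '${eku:-none}', expected client authentication only" >&2; rc=1
  fi
  return $rc
}
```

The subject name in the request is also supplied by the requester, so it still has to be compared by hand against the machine the certificate is meant for.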

Lutz, we have planned to go with Enterprise Sub CAs; the root CA will continue to be offline :) Thanks a million for your inputs, greatly appreciated! Will nudge you further if we find any roadblocks going forward! :)

Regards, Shaun
October 8th, 2012 4:50am

Sure, no problem. Good luck with your project. - Lutz
October 8th, 2012 10:36am
