Using Subordinate CA or not?

Got everything up and running. Everything is running fine. Thanks!
December 25th, 2011 9:15am

Thanks. I thought I had responded but must have forgotten to hit save. Is it possible to add the subordinate at a later time? In other words, bring up a domain enterprise CA, then later, if management decides to use a sub, add it later, then remove the root from the domain etc.? Also, I read where you set up the root to do a 20-year cert issue to the subordinate. I know this doesn't get joined to the domain etc. as you indicated, so basically I have a box, whether physical or a VM machine, that I have to maintain for that long? Confused about that. What happens if something happens to the offline root? How does that affect the running subordinate?
December 25th, 2011 10:22am

The idea of having a CA offline is about the possibility to guarantee a higher level of protection to an anchor of trust. It is very hard to manipulate a device not accessible over the network unless you have physical access. Although the CA is installed and operated as an offline CA, you still need to switch it on to issue certificates to sub CAs, CRLs and other patch and maintenance operations necessary to keep both a healthy PKI and a healthy software and hardware installation over time. If you are not sure about the most suitable PKI structure for your needs, it is always doable to install and use one single Enterprise CA and change/replace the setup when needed or when new requirements have been identified. You can reuse most of the efforts and knowledge. /Hasain
December 25th, 2011 11:09am
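The reply above says the root has to be switched on for CRLs and for sub CA issuance. The example below is added here and is not part of the thread; it shows what that means in practice: sizing the root's CRL lifetime and overlap so the power-on cadence is known, and checking from a domain member how long the currently published root CRL is still valid. The CA name and the HTTP CDP URL (pki.contoso.com) are placeholders; the certutil registry values are the standard CertSvc configuration values.

```powershell
# Added example, not from the thread. The offline root only needs to be powered on to sign
# something: a new CRL before the current one expires, or a new sub CA certificate. If the
# root CRL expires, revocation checking on the sub CA certificate fails for every relying
# party, so the CRL lifetime is what sets the root's maintenance cadence.

### --- On the offline root, during a maintenance window ---
# 26-week CRL with a 2-week overlap: the root must be powered on and 'certutil -crl' run
# at least every 24 weeks. Values are illustrative.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0        # an offline root publishes no delta CRLs
Restart-Service certsvc
certutil -crl                                    # publish a fresh CRL, then copy it off the box

### --- On any domain member: read NextUpdate from the published root CRL ---
function Get-CrlNextUpdate {
    param([Parameter(Mandatory=$true)][string]$Path)   # .crl file, DER or Base64
    # certutil -dump prints a " NextUpdate: <date>" line for a CRL. The date format follows
    # the system locale, so [datetime]::Parse is used with the current culture.
    $line = certutil -dump $Path | Select-String 'NextUpdate:' | Select-Object -First 1
    if (-not $line) { throw "$Path does not look like a CRL" }
    [datetime]::Parse(($line.Line -replace '^.*NextUpdate:\s*', ''))
}

$crlFile = Join-Path $env:TEMP 'ContosoRoot.crl'
# Placeholder CDP URL: use the HTTP location from the root certificate's CDP extension.
(New-Object Net.WebClient).DownloadFile('http://pki.contoso.com/CertEnroll/Contoso%20Root%20CA.crl', $crlFile)

$nextUpdate = Get-CrlNextUpdate $crlFile
$daysLeft   = ($nextUpdate - (Get-Date)).Days
if ($daysLeft -lt 14) {
    Write-Warning "Root CRL expires $nextUpdate; power the root on, run certutil -crl and republish"
} else {
    "Root CRL valid until $nextUpdate ($daysLeft days left)"
}
```

The check at the end is the one worth scheduling: the root itself cannot remind anyone that its CRL is about to lapse, because it is switched off.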

Thanks Hasain. So as I understand you, if I bring up a new CA as a Root Enterprise CA connected to the domain, and then at a later time decide to update/change our PKI structure, I will be able to convert this Enterprise Root CA to a Standalone Root NOT connected to the domain, and then go through the steps of creating a subordinate etc.? This was what I could not find anything on.
December 25th, 2011 11:23am

Well, it is possible to convert the way you describe it, but it is much easier to set up a new structure fulfilling the new requirements. This is mainly because the CA has already been exposed to a networking environment and cannot be considered a true offline CA by definition. There are many other considerations besides that making it more complicated to convert the CA instead of just replacing it with a new one. /Hasain
December 25th, 2011 11:50am

Hello. Got some questions about this. 2008 R2 domain. Currently have a CA running that was never set up to do anything. The CA still has the name of the old server it was transferred from. Have a new server built running 08R2 Enterprise. What I want to do first is back up and bring down the existing one, bring up a new CA from scratch using a better name than the one in use now, then possibly use a subordinate to do the issuing. Here is what I've got.

1) Bringing up a brand new one. Once I restart the DCs they should pull a new cert from the up-and-running new CA, correct? What about existing XP workstations etc.? We currently have no templates set up or autoenrollment. Whatever is in the currently running CA is basically from installing the role and starting the service.

2) Once the new root is up, how exactly does the subordinate work? I understand that the root will be a non-domain-member server and that once it issues a cert to the subordinate, I take it offline. What does that mean? Turn it off? Disconnect the network cable? Only stop the service?

3) Once the subordinate is up and running, then any new templates we create or autoenrollment changes we do ONLY on the subordinate? If so, when would you ever turn the root back on? What if something happens to it? OK, so I have the root issue a 5-year default or longer cert to the sub... does that mean I can expect to need to leave it offline for that duration? A little confused here and the TechNet articles are a little vague. Thanks, Chris
December 25th, 2011 4:23pm

An offline Root CA does not have any network connection and cannot be a member of AD or installed as an enterprise CA. An Offline Root is normally installed as a standalone CA on a standalone machine with no network connection or domain membership. Once the Root CA is installed you proceed with installing the Sub CA. This one is going to be your enterprise CA and is installed on a domain member in AD. /Hasain
December 25th, 2011 5:29pm
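The two-tier layout Hasain describes (standalone root on a workgroup machine, enterprise subordinate on a domain member), as an added example that is not part of the thread. It assumes Windows Server 2012 or later for the two Install-Adcs* cmdlets; on the 2008 R2 servers discussed here, those two steps are done in the Add Roles wizard and the certutil/certreq steps are the same. "Contoso Root CA", "Contoso Issuing CA", the host name ROOTCA, the E: removable drive and http://pki.contoso.com are placeholders. The CDP/AIA strings use certutil's standard substitution tokens and flag bits (1 = publish to this location, 2 = include in issued certificates, 8 = include in CRLs).

```powershell
# Added example, not from the thread: build an offline standalone root and an enterprise sub CA.

### --- 1. On the root: workgroup machine, NIC unplugged, nothing else installed ---
# CAPolicy.inf must exist before the role is installed; it fixes the root's own renewal
# parameters and CRL settings. Single-quoted here-string so $Windows NT$ is not expanded.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
'@ | Set-Content "$env:windir\CAPolicy.inf" -Encoding ASCII

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "Contoso Root CA" -CADistinguishedNameSuffix "O=Contoso,C=US" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 4096 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# CDP and AIA: local file (the root publishes here), HTTP (clients fetch here) and the LDAP
# location that 'certutil -dspublish' fills in AD later. The root has no AD itself, so the
# LDAP path is only written into the issued sub CA certificate, never resolved on this box.
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.contoso.com/CertEnroll/%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.contoso.com/CertEnroll/%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
# The only certificates this root issues are sub CA certificates; cap them at 10 years.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc
certutil -crl
# Carry the root certificate and CRL out on removable media.
Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*.crt", "$env:windir\system32\CertSrv\CertEnroll\*.crl" E:\

### --- 2. On a domain member, as Enterprise Admin: make the root known to the forest ---
certutil -dspublish -f "E:\ROOTCA_Contoso Root CA.crt" RootCA   # trusted root + AIA container
certutil -dspublish -f "E:\Contoso Root CA.crl"                  # CDP container
# Copy both files to the web server behind http://pki.contoso.com/CertEnroll/ as well.

### --- 3. On the future issuing CA (domain member) ---
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "Contoso Issuing CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 4096 `
    -HashAlgorithmName SHA256 -OutputCertRequestFile "E:\ContosoIssuingCA.req" -Force
# Carry the request to the root and sign it there (standalone CAs hold requests as pending):
#   certreq -submit -config "ROOTCA\Contoso Root CA" E:\ContosoIssuingCA.req   # prints RequestId
#   certutil -resubmit <RequestId>
#   certreq -retrieve <RequestId> E:\ContosoIssuingCA.crt
# Back on the issuing CA: install the certificate, start the service, verify the chain and
# that the root CRL is actually reachable from the CDP written into the certificate.
certutil -installcert "E:\ContosoIssuingCA.crt"
Start-Service certsvc
certutil -verify -urlfetch "E:\ContosoIssuingCA.crt"
```

The last line is the check to run before telling anyone the PKI is up: it walks the chain to the root and fetches the CRL from each CDP URL, so a forgotten HTTP copy or an unpublished AD object shows up here rather than on the first domain controller that tries to validate its own certificate.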

Thanks. Setting up the Standalone root and sub as suggested is probably the best way to go. I have already built the offline root. Since I am trying to use a new CA and not the existing one, so we can use a different common name than the server name etc., will I just want to create a new private key, or export the one from the current CA Root and import it to the new one? I was not sure if doing so would introduce anything I don't want, like the old CA name. Once I get past that, I am guessing that before proceeding with creating the new subordinate CA, I will need to turn off and remove the current CA as explained in the updated KB889250 "How to Decommission a Windows Enterprise Certificate Authority", then go from there? One other thing: in the event you lose the Root CA that you have, whether natural disaster, drive crash etc., is having just a backup of the PKI keys etc. enough to bring a new one online as long as you use the same server name and common name? Thanks, Chris
December 25th, 2011 5:52pm

You do not want to reuse the private key from your current CA when creating a new CA; just go ahead and create new keys and associated certificates. Because certificate handling in Active Directory is based on templates, you can have multiple enterprise CAs active simultaneously. I think KB889250 is a little aggressive and that steps 2-5 are good enough in most cases, but it is the proper way to decommission the CA if you are sure that the old CA should not be used any more. You need to have a backup including the following as a minimum: the CA keys and certificates, the CA database and the CA settings. /Hasain
December 26th, 2011 2:15am
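The minimum backup listed above (CA key and certificate, CA database, CA settings), as an added example that is not part of the thread. It assumes Windows Server 2012 or later for Backup-CARoleService; the certutil equivalent that exists on 2008 R2 is given in a comment. The backup path E:\CA-Backup stands in for removable media that is stored with the offline root.

```powershell
# Added example, not from the thread: back up a CA and prove the backup is usable.

$backupDir = Join-Path 'E:\CA-Backup' (Get-Date -Format 'yyyyMMdd-HHmm')   # placeholder path
New-Item -ItemType Directory -Path $backupDir | Out-Null
$pfxPassword = Read-Host -AsSecureString 'Password for the CA key (PFX) in the backup'

# 1) CA certificate + private key (<CAName>.p12) and the database with its logs (DataBase\).
Backup-CARoleService -Path $backupDir -Password $pfxPassword -Force
# 2008 R2 equivalent:  certutil -p <password> -backup $backupDir

# 2) CA settings live in the registry, not in the database: CDP/AIA URLs, validity periods,
#    audit filter, CA officers. Export the whole Configuration key.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration `
    (Join-Path $backupDir 'CertSvc-Configuration.reg') /y | Out-Null

# 3) Items neither the database nor the registry export carries: CAPolicy.inf and, on an
#    enterprise CA, the list of templates the CA publishes (prints an error on a standalone root).
Copy-Item "$env:windir\CAPolicy.inf" $backupDir -ErrorAction SilentlyContinue
certutil -catemplates | Set-Content (Join-Path $backupDir 'catemplates.txt')

# 4) Verify: the PFX must open with the password and contain a private key, and the
#    DataBase folder must contain the .edb file. A backup nobody has opened is not a backup.
$pfx   = Get-ChildItem $backupDir -Filter '*.p12' | Select-Object -First 1
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfx.FullName, $plain)
if (-not $cert.HasPrivateKey) { throw "PFX in $backupDir has no private key" }
if (-not (Get-ChildItem (Join-Path $backupDir 'DataBase') -Filter '*.edb')) { throw "No CA database in $backupDir" }
"Backed up '$($cert.Subject)' (thumbprint $($cert.Thumbprint)) to $backupDir"
```

On a rebuilt machine the same three pieces go back in the same order: install the role with the backed-up PFX (Install-AdcsCertificationAuthority -CertFile ... -CertFilePassword ...), then Restore-CARoleService -Path ... -Password ..., then import the .reg file and restart certsvc. The CA common name must match the one in the certificate, and any CDP/AIA path that embeds the server name must still resolve, which is why the question of keeping the host name matters.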
