Enterprise CA
  • Enterprise CA

    Hi All,
    My company is deploying several wireless APs. We plan on using Server 2003 RADIUS Server along with digital certs. I am installing the Windows CA and plan on using Enterprise CA since we run an AD. My question is this: every white paper and article I have read states I will need my Root CA offline. Is this true? I am currently installing Server 2003 on a laptop and will install the Enterprise Root CA on this. Afterwards I will install a subordinate onto a server. I assume the subordinate will do all the issuing. After I shut down the laptop I will place it into our safe, just in case it is needed again. So do I have to do it this way, or can I just install the Root CA onto the main server and issue certs via it?

  • #2
    Re: Enterprise CA

    You can do it both ways.

    The "ideal" way is to have a Root CA (standalone, i.e. not part of AD) issue certificates to subordinate CAs, which in turn either issue certificates to more subordinates or directly to clients requesting different certificates. The Root CA should be offline when not issuing certificates and locked away (after the keys have been backed up and moved offsite).

    Hope this helps

    Michael Armstrong
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
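    The two-tier layout described above (offline root that signs only the subordinate, subordinate that does all the issuing) can be checked mechanically once the certs exist. The following is an added example, not code from this thread: a structural chain validator that applies the basicConstraints / pathLenConstraint rules root-to-leaf and audits which end-entity certs a given CA signed directly. Subject names such as "Contoso Root CA" and the store contents are constructed sample data; no signatures are verified, only hierarchy rules.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool                     # basicConstraints CA flag
    path_len: Optional[int] = None  # pathLenConstraint; None = unlimited

def build_chain(leaf: Cert, store: Dict[str, Cert]) -> List[Cert]:
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while cur.issuer != cur.subject:              # stop at a self-signed root
        parent = store.get(cur.issuer)
        if parent is None or parent.subject in seen:
            raise ValueError(f"issuer {cur.issuer!r} missing or looping")
        seen.add(parent.subject)
        chain.append(parent)
        cur = parent
    return chain                                  # leaf first, root last

def validate_chain(chain: List[Cert], trusted_roots: set) -> bool:
    """Check CA flags and pathLenConstraint root-to-leaf (RFC 5280 6.1.4 logic)."""
    path = list(reversed(chain))                  # root ... leaf
    if path[0].subject not in trusted_roots or not path[0].is_ca:
        raise ValueError("chain does not end at a trusted CA")
    remaining = path[0].path_len                  # CA certs still allowed below
    for ca in path[1:-1]:                         # intermediates only
        if not ca.is_ca:
            raise ValueError(f"{ca.subject} signed a cert but is not a CA")
        if remaining is not None:
            if remaining <= 0: raise ValueError(f"pathLenConstraint exceeded at {ca.subject}")
            remaining -= 1
        if ca.path_len is not None and (remaining is None or ca.path_len < remaining):
            remaining = ca.path_len
    return True

def end_entities_issued_by(store: Dict[str, Cert], ca_subject: str) -> List[str]:
    # Audit: non-CA certs signed directly by this CA (an offline root should have none)
    return sorted(c.subject for c in store.values() if c.issuer == ca_subject and not c.is_ca)

# Constructed sample: offline root (pathlen 1) -> online issuing CA (pathlen 0) -> clients
ROOT = Cert("Contoso Root CA", "Contoso Root CA", True, 1)
STORE = {c.subject: c for c in (ROOT,
    Cert("Contoso Issuing CA", "Contoso Root CA", True, 0),
    Cert("radius.contoso.local", "Contoso Issuing CA", False),
    Cert("laptop17.contoso.local", "Contoso Issuing CA", False),
    Cert("legacy.contoso.local", "Contoso Root CA", False),      # issued by the root directly
    Cert("Rogue Sub CA", "Contoso Issuing CA", True),            # breaks issuing CA's pathlen 0
    Cert("printer.contoso.local", "Rogue Sub CA", False))}

def check(leaf_subject: str) -> Optional[str]:
    try:                                          # None = valid, else the failure reason
        validate_chain(build_chain(STORE[leaf_subject], STORE), {ROOT.subject})
        return None
    except ValueError as e:
        return str(e)
```

Running `end_entities_issued_by(STORE, ROOT.subject)` is the quick way to confirm the root has not been used for day-to-day issuing, which is the situation the thread says is workable but not ideal.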


    • #3
      Re: Enterprise CA

      Yes, this helped me out a lot. I figured it was just best security practice to run it this way. However, I work for a very small company that cannot afford to purchase an extra copy of Server 2003 just to sit in the safe. I just wanted to make sure that running the root certificate server would not cause any issues. I will, however, put in a request for another copy of 2003, and if approved I will use best practice.


      • #4
        Re: Enterprise CA


        My first post here.

        What is recommended and what is best for your company are usually two different things.

        The recommended strategy is to have the root CA offline or secured by a hardware security module (HSM), a high-security cryptographic device that keeps private keys securely inside it. This, however, costs a lot of money, so for a smaller company it's completely fine to install it on a laptop and put it into a safe place. Another good thing about HSMs is that they can also be used as cryptographic accelerators, especially for SSL transactions.

        This is a river topic, but to sum up, I think your infrastructure is safe enough!