Does root CA require Enterprise Edition

We currently have a root domain and two child domains.  Each domain has two domain controllers running Windows 2003 Server Standard Edition.  We want to install Certificate Services and allow both users and computers in the child domains to automatically.  

My plan is to install a root CA on one of the DCs in the root domain and then install a sub-ordinate/issuing CA on a DC in each of the child domains.  As I understand it, in order for the sub-ordinate/issuing CAs to do auto-enrolment, they must be running Windows Server Enterprise edition.  That's fair enough, I can get away with re-building one of the DCs without too much bother.

My question is, does the Root CA also have to be running Enterprise Edition.  As I understand it, it is only going to need to issue two certificates, one to each of the sub-ordinates in the two child domains, so I can do that manually.  Will this affect the sub-ordinate CAs ability to perform auto-enrolment?



I understand that the CA must be installed on a
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ParanormasticCryptographic EngineerCommented:
Any offline CA's should be installed with Standard Edition and not joined to a domain - this would normally just include the root CA in a standard 2 tier PKI.  If you have a 3 tier, the root and policy servers would be included.  The online issuing subordinate you would want to be Enterprise Edition and should be joined to a domain for autoenrollment processes (EFS, workstation, DC, etc. certs).  

I recommend against installing your root CA on any DC - it gets messy.  As mentioned above, create your root as an offline non-domain box, then use that to issue your subordinate CA's in each environment desired.  Connecting it across a private non-routed LAN to one of the sub-CA's will make CRL distribution much easier.  Just create a script to run 'certutil -CRL' and then map a drive to the sub-CA, copy over the CRL, then create another script to run a little while later to copy the CRL to the applicable CDP locations (make one of these publicly accessible - no need for the CA to be connected to the internet, but having a CDP there will add a lot of options).  Protect your root CA - CA's are the basis of trust in your network, so you need to trust them.

Generally I also advise against having any CA on a DC, it should be on its own box preferably - things get very messy when you upgrade the DC's when there is a CA on the same box, amoungst many other reasons.

Whether the root can be run as an Enterprise Root on Standard Edition is a hot topic with some - but we do that here, so I know it works that way (contrary to a ton of documentation even from Microsoft).  Enterprise Subordinate should be done on Enterprise Edition as there are a lot of things that are only available that way.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ParanormasticCryptographic EngineerCommented:
Note: running your CA's in a VM environment can help cut the hardware costs down at least.  They are not very memory or CPU intensive, but allocate at least 30gb per online CA if you can so you can have plenty of room for the database to grow over time, and back it up properly.  If you can afford the hardware, that is best, but VM works fine - just protect the host box as well as the active sessions, including the saved snapshots.
ParanormasticCryptographic EngineerCommented:
I notice that you also have both 2000 and 2003 listed as categories - if possible you want to be running 2003 native mode prior to installing your CA's, and the CA's should really be on 2003 or 2008 as 2000 CA was just a twinkle of a CA.  2000 member servers and client boxes aren't too big of a deal as they don't affect the AD extensions.
darrenbell2000Author Commented:

Thanks for your comments.  I read up on using offline Root CAs and it does seem to be the best way to go about this.  I'm having an issue with it but I've put it in a new post.  Perhaps you could take a look as you've been through this before?

thanks for your help

ParanormasticCryptographic EngineerCommented:
Done.  Here is a nice walkthrough guide for a ton of things for setting up the CA.  You can skip the stuff re: cross certification unless you are actually trying to do that with a partner company or something - not typical.

You will probably also want to enable SAN off the bat as well to add multiple names to a cert (e.g. you can have teh IP address, hostname, FQDN, and alias for the same box all in one cert):

For handling CRL's we batch script 'certutil -crl' to run twice a day and have in that script mapping a drive and copying over the crl to the CDP locations.  We have legal obligation to push ours once a day - usually once a week is fine - maybe with a 'certutil -crl delta' daily for incremental updates between base crls.  Basically, however long is configured in the CA, make sure you script to push it manually more often so you have time to recover.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.