Stand alone CA

Posted on 2011-03-11
Last Modified: 2012-05-11
I need to install a CA so non-domain-joined servers (workgroup) can communicate with one of the domain servers without affecting any user/computer on the domain.

I wanted to install the stand alone CA on the domain joined member server to make life easier but was told you can't do that.

Does someone have a writeup of the install scenarios for stand-alone CAs?
Question by:snyderkv
4 Comments
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 35112189
Is this what you are looking for? http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx

I'll say that a Stand Alone CA can be a domain member server... but _I_ would usually start with the assumption that it isn't a domain member, 'cause I'd normally be using the stand alone CA server as my off-line root. I assume that's where the person was coming from who told you that a stand alone CA can't be a member of the domain.

Just on the face of it, if you needed a non-Enterprise CA for a purpose that wasn't a part of an enterprise PKI infrastructure -- but you wanted that server to be a domain member for ease of management -- I can't see a reason you couldn't do that. (I assume you already have a way to get the CA root cert trusted on the machines which need to trust it... etc...)

Author Comment

by:snyderkv
ID: 35114516
Below is the clip from your article.
"Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester"

"When a stand-alone CA uses Active Directory, it has these additional features:
If a member of the Domain Administrators group, or an administrator with write access to Active Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.
If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory."

Author Comment

by:snyderkv
ID: 35114883
Oops, wrong clip. But the point is that when installing on a domain member, I think it automatically issues certs and publishes them in AD. This is what I'm afraid of.
LVL 30

Accepted Solution

by: Rich Weissler (earned 2000 total points)
ID: 35131844
Going back to that article (including the last paragraph you quoted), the stand-alone CA automatically uses AD to publish certs and revocation lists -- IF it is installed by a domain admin (or another admin with sufficient rights to write to AD).

If you install the CA using an account that was only a local admin on the box itself... that wasn't even a domain account, it would be impossible for it to write certs to Active Directory.
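The accepted answer turns on two things an administrator would want to verify after the fact rather than take on faith: whether the install actually published the CA certificate into Active Directory (which is what makes every domain member trust it as a root), and whether the CA is still holding requests as Pending, as the quoted TechNet text advises. The following is an added example, not code from this thread or from Microsoft; it reads the ADCS registry configuration on the CA server and the "Certification Authorities" container under the AD configuration partition. It assumes an elevated PowerShell session on the CA server itself, and that the value names and REQDISP_* bit meanings are the documented ADCS ones.

```powershell
# Added example (not from the thread or from Microsoft): post-install checks for a
# stand-alone CA on a domain-joined member server.
#   Check 1: is the CA still set to hold requests as Pending?
#   Check 2: was the CA certificate published into the AD Certification Authorities
#            container (i.e. is it now trusted domain-wide)?
# Assumes: elevated session on the CA server, Windows Server 2008 R2 or later.

$certSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# ADCS records the installed CA instance name in the "Active" value.
$caName = (Get-ItemProperty -Path $certSvc -Name Active).Active

# --- Check 1: request disposition ---------------------------------------------
# RequestDisposition lives under the default policy module. Bit meanings (certsrv.h):
#   0x000 REQDISP_PENDING, 0x001 REQDISP_ISSUE, 0x002 REQDISP_DENY,
#   0x100 REQDISP_USEREQUESTATTRIBUTE (per-request override; masked out below).
$policyKey = Join-Path $certSvc "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$disp = (Get-ItemProperty -Path $policyKey -Name RequestDisposition).RequestDisposition
$baseDisp = $disp -band 0xFF
$action = switch ($baseDisp) {
    0       { 'Pending (manual approval required)' }
    1       { 'Issue (auto-issue, no identity check)' }
    2       { 'Deny' }
    default { 'Unknown (0x{0:X})' -f $disp }
}
Write-Output ("CA '{0}' request disposition: {1}" -f $caName, $action)

# --- Check 2: was the CA cert published to Active Directory? --------------------
# Domain members import roots from this container, so presence here means
# domain-wide trust. The CN is the sanitized CA name, which normally equals $caName.
$published = @()
try {
    $configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"
    foreach ($entry in $container.psbase.Children) {
        $published += [string]$entry.cn
    }
} catch {
    Write-Warning "Could not query AD (not a domain member, or no rights to read the container): $_"
}

if ($published -contains $caName) {
    Write-Warning "'$caName' IS published in AD: every domain computer will trust it as a root CA."
    if ($baseDisp -eq 1) {
        Write-Warning 'Combined with auto-issue, this is the condition the TechNet article warns about.'
    }
} else {
    Write-Output "'$caName' is not in the AD Certification Authorities container (published CAs: $($published -join ', '))."
}
```

The same disposition value can be read with `certutil -getreg policy\RequestDisposition`; the script reads the registry directly so the bit test can drive the warning. If the CA turns out to be published when it should not have been, that confirms the install ran under an account with write access to the configuration partition, which is the scenario the accepted answer describes.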