Solved

Stand alone CA

Posted on 2011-03-11
4
644 Views
Last Modified: 2012-05-11
I need to install a CA so non domain joined servers (workgroup) can communcate with 1 of the domain servers without affecting any user/computer on the domain.

I wanted to install the stand alone CA on the domain joined member server to make life easier but was told you can't do that.

Does someone have a writeup of the install scenarios for stand alone CA's?
0
Comment
Question by:snyderkv
  • 2
  • 2
4 Comments
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 35112189
Is this what you are looking for? http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx

I'll say that a Stand Alone CA can be a domain member server... but _I_ would usually start with the assumption that it isn't a domain member, 'cause I'd normally be using the stand alone CA server as my off-line root.  I assume that's where the person was coming from who told you that a stand alone CA can't be a member of the domain.

Just on the face of it, if you needed a non-Enterprise CA for a purpose that wasn't a part of an enterprise PKI infrastructure -- but you wanted that server to be a domain member for ease of management -- I can't see a reason you couldn't do that.  (I assume you already have a way to get the CA root cert trusted on the machines which need to trust it... etc... )
0
 

Author Comment

by:snyderkv
ID: 35114516
Below is the clip from your article.
"Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester"

"When a stand-alone CA uses Active Directory, it has these additional features:
If a member of the Domain Administrators group or an administrator with write access to Active Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.
If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory."
0
 

Author Comment

by:snyderkv
ID: 35114883
Oops wrong clip. But the point is that when installing on a domain member, I think it automatically issue certs and publish in AD. This is what I'm afraid of.
0
 
LVL 29

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 35131844
Going back to that article (including the last paragraph you quoted), the stand-alone CA automatically uses AD to public certs and Revocation lists  -- IF it is installed by a domain admin (or another admin with sufficient rights to write to AD).

If you install CA using an account which was only a local admin on the box itself... that wasn't even a domain account, it would be impossible for it to write certs to the active directory.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A procedure for exporting installed hotfix details of remote computers using powershell
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now