Solved

Stand alone CA

Posted on 2011-03-11
4
688 Views
Last Modified: 2012-05-11
I need to install a CA so non domain joined servers (workgroup) can communcate with 1 of the domain servers without affecting any user/computer on the domain.

I wanted to install the stand alone CA on the domain joined member server to make life easier but was told you can't do that.

Does someone have a writeup of the install scenarios for stand alone CA's?
0
Comment
Question by:snyderkv
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 35112189
Is this what you are looking for? http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx

I'll say that a Stand Alone CA can be a domain member server... but _I_ would usually start with the assumption that it isn't a domain member, 'cause I'd normally be using the stand alone CA server as my off-line root.  I assume that's where the person was coming from who told you that a stand alone CA can't be a member of the domain.

Just on the face of it, if you needed a non-Enterprise CA for a purpose that wasn't a part of an enterprise PKI infrastructure -- but you wanted that server to be a domain member for ease of management -- I can't see a reason you couldn't do that.  (I assume you already have a way to get the CA root cert trusted on the machines which need to trust it... etc... )
0
 

Author Comment

by:snyderkv
ID: 35114516
Below is the clip from your article.
"Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester"

"When a stand-alone CA uses Active Directory, it has these additional features:
If a member of the Domain Administrators group or an administrator with write access to Active Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.
If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory."
0
 

Author Comment

by:snyderkv
ID: 35114883
Oops wrong clip. But the point is that when installing on a domain member, I think it automatically issue certs and publish in AD. This is what I'm afraid of.
0
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 35131844
Going back to that article (including the last paragraph you quoted), the stand-alone CA automatically uses AD to public certs and Revocation lists  -- IF it is installed by a domain admin (or another admin with sufficient rights to write to AD).

If you install CA using an account which was only a local admin on the box itself... that wasn't even a domain account, it would be impossible for it to write certs to the active directory.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Part Two of the two-part Q&A series with MalwareTech.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question