Solved

Stand alone CA

Posted on 2011-03-11
4
624 Views
Last Modified: 2012-05-11
I need to install a CA so non domain joined servers (workgroup) can communcate with 1 of the domain servers without affecting any user/computer on the domain.

I wanted to install the stand alone CA on the domain joined member server to make life easier but was told you can't do that.

Does someone have a writeup of the install scenarios for stand alone CA's?
0
Comment
Question by:snyderkv
  • 2
  • 2
4 Comments
 
LVL 29

Expert Comment

by:Rich Weissler
Comment Utility
Is this what you are looking for? http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx

I'll say that a Stand Alone CA can be a domain member server... but _I_ would usually start with the assumption that it isn't a domain member, 'cause I'd normally be using the stand alone CA server as my off-line root.  I assume that's where the person was coming from who told you that a stand alone CA can't be a member of the domain.

Just on the face of it, if you needed a non-Enterprise CA for a purpose that wasn't a part of an enterprise PKI infrastructure -- but you wanted that server to be a domain member for ease of management -- I can't see a reason you couldn't do that.  (I assume you already have a way to get the CA root cert trusted on the machines which need to trust it... etc... )
0
 

Author Comment

by:snyderkv
Comment Utility
Below is the clip from your article.
"Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester"

"When a stand-alone CA uses Active Directory, it has these additional features:
If a member of the Domain Administrators group or an administrator with write access to Active Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.
If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory."
0
 

Author Comment

by:snyderkv
Comment Utility
Oops wrong clip. But the point is that when installing on a domain member, I think it automatically issue certs and publish in AD. This is what I'm afraid of.
0
 
LVL 29

Accepted Solution

by:
Rich Weissler earned 500 total points
Comment Utility
Going back to that article (including the last paragraph you quoted), the stand-alone CA automatically uses AD to public certs and Revocation lists  -- IF it is installed by a domain admin (or another admin with sufficient rights to write to AD).

If you install CA using an account which was only a local admin on the box itself... that wasn't even a domain account, it would be impossible for it to write certs to the active directory.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now