Stand alone CA

Posted on 2011-03-11
653 Views
Last Modified: 2012-05-11
I need to install a CA so non domain joined servers (workgroup) can communicate with 1 of the domain servers without affecting any user/computer on the domain.

I wanted to install the stand alone CA on the domain joined member server to make life easier but was told you can't do that.

Does someone have a writeup of the install scenarios for stand alone CAs?
Question by:snyderkv


Expert Comment

by:Rich Weissler
ID: 35112189
Is this what you are looking for? http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx

I'll say that a Stand Alone CA can be a domain member server... but _I_ would usually start with the assumption that it isn't a domain member, 'cause I'd normally be using the stand alone CA server as my off-line root.  I assume that's where the person was coming from who told you that a stand alone CA can't be a member of the domain.

Just on the face of it, if you needed a non-Enterprise CA for a purpose that wasn't a part of an enterprise PKI infrastructure -- but you wanted that server to be a domain member for ease of management -- I can't see a reason you couldn't do that.  (I assume you already have a way to get the CA root cert trusted on the machines which need to trust it... etc... )
Author Comment

by:snyderkv
ID: 35114516
Below is the clip from your article.
"Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester"

"When a stand-alone CA uses Active Directory, it has these additional features:
If a member of the Domain Administrators group or an administrator with write access to Active Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.
If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory."
Author Comment

by:snyderkv
ID: 35114883
Oops, wrong clip. But the point is that when installing on a domain member, I think it automatically issues certs and publishes them in AD. This is what I'm afraid of.

Accepted Solution

by:Rich Weissler
ID: 35131844
Going back to that article (including the last paragraph you quoted), the stand-alone CA automatically uses AD to publish certs and revocation lists -- IF it is installed by a domain admin (or another admin with sufficient rights to write to AD).

If you install the CA using an account which was only a local admin on the box itself... that wasn't even a domain account, it would be impossible for it to write certs to Active Directory.
0
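As an added example (not part of this thread), a PowerShell audit that checks the two things the question is worried about: the CA's default action on incoming requests, and whether the CA certificate ended up published in the domain's Certification Authorities container, which is what gets it distributed as a trusted root to domain members. The CA name and the certutil output layout are assumptions; the certutil part must run on the CA host.

```powershell
# Added audit script, not from the thread. Run the certutil step on the CA
# itself; the ADSI and local-store steps work from any domain-joined machine.
param(
    [Parameter(Mandatory)][string]$CaName   # common name of the CA (assumed)
)

# 1. Default disposition of new requests, read from the CA registry via certutil.
#    Low byte: 0 = REQDISP_PENDING (stand-alone default), 1 = REQDISP_ISSUE, 2 = REQDISP_DENY.
$regPath = 'ca\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\RequestDisposition'
$dispOut = (& certutil -getreg $regPath 2>&1) | Out-String
$mode = 'Could not read (run this on the CA host as a CA admin)'
# certutil prints REG_DWORD values in hex, e.g. "RequestDisposition REG_DWORD = 101 (257)"
if ($dispOut -match 'RequestDisposition\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
    $disp = [Convert]::ToInt32($Matches[1], 16)
    $mode = switch ($disp -band 0xFF) {
        0       { 'Pending: an administrator must approve each request' }
        1       { 'Issue: requests are approved automatically' }
        2       { 'Deny' }
        default { "Unknown value 0x{0:X}" -f $disp }
    }
}

# 2. Is the CA certificate published in the forest's Certification Authorities container?
#    Certificates there are pushed into Trusted Root Certification Authorities on domain members.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"
$publishedCAs = @($container.Children | ForEach-Object { [string]$_.Properties['cn'][0] })
$publishedInAD = $publishedCAs -contains $CaName

# 3. Does this machine already trust the CA as a root (Group Policy / autoenrollment result)?
$trustedLocally = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$CaName*" }).Count -gt 0

[pscustomobject]@{
    CaName             = $CaName
    RequestDisposition = $mode
    PublishedInAD      = $publishedInAD
    TrustedRootLocally = $trustedLocally
    CAsPublishedInAD   = ($publishedCAs -join ', ')
}
```

If PublishedInAD is true for a CA that should stay outside the domain PKI, the object can be removed from that container by an administrator with write access to the Configuration partition; the request disposition should remain Pending on any stand-alone CA that domain members trust.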