What is Best Practice for a Domain Root CA?

What is the purpose of an Offline Root CA (standalone, non-member) with an Online Domain-member Subordinate CA?

We are in the process of decommissioning our AD 2003 DCs, and one of them holds the Root CA role.
We want to segment the roles on the newly deployed machines (running 2008 R2) so that when there are future upgrades to DCs and other machines we are not worried about the roles on that machine, except the one being decommissioned.

So my colleague proposed a Standalone non-member Offline Root CA with an Online Member Subordinate CA. I am thinking it is overkill for our environment since we are only using the cert for wLAN PEAP access to our IAS/NPS at the present time.

yo_bee (Director of Information Technology) asked:

arnold commented:

You can have your Offline CA as a VM.
You need a CA online to issue certificates as needed.
yo_bee (Author) commented:
Question I have is what is the difference of a Root CA vs Subordinate CA issuing a Cert?
Not sure the context of your question.
The CA issuing certificates has to be running on a member server of a domain.
There can only be one root CA. You can have multiple subordinate certificate issuing CAs.

yo_bee (Author) commented:
What's the purpose of not just having a Root CA if the requirements are very minimal?

Do you really need a root offline with a subordinate online?
The offline root provides a security mechanism, i.e. if the ROOT CA is compromised through access, all certificates become suspect. If the subordinate issuing CA is compromised, you would, on the root CA, revoke the subordinate's certificate and issue a new subordinate certificate. This way your impact will be narrower, i.e. if you have two issuing CAs, the CRL will cancel only the subset of certificates issued by the compromised subordinate CA.
yo_bee (Author) commented:
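The blast-radius argument above, as an added model that is not code from this thread: certificates are reduced to (subject, issuer, serial), each CA keeps its own CRL, and path validation checks every link against the CRL of the link's issuer. CA and host names are constructed samples.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


@dataclass
class CA:
    name: str
    cert: Cert                                # this CA's own certificate
    crl: set = field(default_factory=set)     # serials this CA has revoked
    counter: int = 0

    def issue(self, subject: str) -> Cert:
        self.counter += 1
        return Cert(subject, self.name, self.counter)

    def revoke(self, cert: Cert) -> None:
        assert cert.issuer == self.name, "a CA can only revoke what it issued"
        self.crl.add(cert.serial)


def validate(leaf: Cert, cas: dict, anchor: str):
    """Walk issuer links up to the trust anchor; each link is checked against its issuer's CRL."""
    cert = leaf
    while True:
        issuer = cas.get(cert.issuer)
        if issuer is None:
            return False, f"unknown issuer {cert.issuer}"
        if cert.serial in issuer.crl:
            return False, f"{cert.subject} revoked by {issuer.name}"
        if issuer.name == anchor:
            return True, "chain ends at trust anchor"
        cert = issuer.cert                    # continue with the issuing CA's own certificate


def scenario() -> dict:
    """Two issuing CAs under one offline root; the root then revokes the compromised one."""
    root = CA("Offline Root", Cert("Offline Root", "Offline Root", 0))
    sub_a = CA("Issuing CA A", root.issue("Issuing CA A"))
    sub_b = CA("Issuing CA B", root.issue("Issuing CA B"))
    cas = {ca.name: ca for ca in (root, sub_a, sub_b)}
    wlan_a = sub_a.issue("nps01.corp.example")   # constructed NPS server names
    wlan_b = sub_b.issue("nps02.corp.example")
    before = {c.subject: validate(c, cas, root.name)[0] for c in (wlan_a, wlan_b)}
    root.revoke(sub_a.cert)   # done on the offline root after CA A is compromised; A's own CRL stays empty
    after = {c.subject: validate(c, cas, root.name) for c in (wlan_a, wlan_b)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(scenario())
```

Note that the leaf from CA A fails even though CA A's own CRL never listed it: the revocation lives in the root's CRL, which is exactly why the root key must stay out of reach of whoever compromised the subordinate.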
Thanks for the details on this.