Solved

offline root CA question

Posted on 2014-10-01
Last Modified: 2014-10-05
Can someone tell me if it is possible to create a MSFT offline root CA in a workgroup, and not install any online subordinate CA?  
i.e., if I need to process a cert, bring the offline root CA online to process it, then take it offline again. It's a security requirement, if you are wondering about the question.

I just need to know if this is possible with the CRL publishing etc.

thx - S
Question by:siber1
2 Comments
 
Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40356121
It's possible (well, I don't think it will accept being in a workgroup, but you can give it a domain of its own, build it as a virtual machine in Hyper-V, and shut the whole machine down when not in use).

However, while for issuing CAs in an enterprise, I usually recommend using the MS CA, for offline roots I usually recommend using the XCA standalone CA - this is self-contained (perhaps obviously, will need a webserver to host its CRL, but this can be shared with an issuing CA) and can be easily stored onto removable media and placed in a safe etc when not in use, if you want more security (the db is encrypted, however, and has no web interface, so can be part of your usual backup cycle, depending on how paranoid you want to be about it :)
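
Whichever tool signs it, the root's CRL carries a nextUpdate time, so the offline root has to be brought up and a fresh CRL copied to the web server before that date. The following is an added example (not from the thread, XCA or Microsoft): a freshness check for the hosted CRL using the Python `cryptography` package. The root certificate, CRL, dates and the 30-day warning threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def build_root_and_crl(now, crl_days):
    """Constructed stand-in for the offline root: self-signed cert plus the DER CRL it signs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Offline Root")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(name)
           .last_update(now).next_update(now + timedelta(days=crl_days))
           .sign(key, hashes.SHA256()))
    return cert, crl.public_bytes(serialization.Encoding.DER)

def crl_status(crl_der, root_cert, now, warn_days=30):
    """Return (state, days_left) for the CRL file as served by the web server."""
    crl = x509.load_der_x509_crl(crl_der)
    # A CRL not signed by the expected root must never be treated as fresh.
    if not crl.is_signature_valid(root_cert.public_key()):
        return "bad-signature", None
    nxt = getattr(crl, "next_update_utc", None)
    if nxt is None:  # older cryptography releases only expose a naive UTC value
        nxt = crl.next_update.replace(tzinfo=timezone.utc)
    days_left = (nxt - now).days
    if nxt <= now:
        return "expired", days_left       # clients no longer get a valid revocation answer
    if days_left <= warn_days:
        return "renew-soon", days_left    # time to schedule powering the root on
    return "ok", days_left

if __name__ == "__main__":
    NOW = datetime(2014, 10, 1, tzinfo=timezone.utc)  # constructed reference date
    root, crl_der = build_root_and_crl(NOW, crl_days=180)
    for offset in (0, 160, 181):
        print(offset, crl_status(crl_der, root, NOW + timedelta(days=offset)))
```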

Author Closing Comment

by:siber1
ID: 40362383
thx Dave