Solved

offline root CA question

Posted on 2014-10-01
2
152 Views
Last Modified: 2014-10-05
Can someone tell me if it is possible to create a MSFT offline root CA in a workgroup, and not install any online subordinate CA?  
i.e. if I need to process a cert, bring the offline root CA online to process then take offline again. its a security requirement if you are wondering about the question.

I just need to know if this is possible with the CRL publishing etc

thx - S
0
Comment
Question by:siber1
2 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40356121
It's possible (well, I don't think it will accept being in a workgroup, but you can give it a domain of its own, build it as a virtual machine in hyper-v, and shut the whole machine down when not in use)

However, while for issuing CAs in an enterprise, I usually recommend using the MS CA, for offline roots I usually recommend using the XCA standalone CA - this is self-contained (perhaps obviously, will need a webserver to host its CRL, but this can be shared with an issuing CA) and can be easily stored onto removable media and placed in a safe etc when not in use, if you want more security (the db is encrypted, however, and has no web interface, so can be part of your usual backup cycle, depending on how paranoid you want to be about it :)
0
 

Author Closing Comment

by:siber1
ID: 40362383
thx Dave
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
Read this checklist to learn more about the 15 things you should never include in an email signature.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
how to add IIS SMTP to handle application/Scanner relays into office 365.

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now