offline root CA question

Posted on 2014-10-01
Last Modified: 2014-10-05
Can someone tell me if it is possible to create a MSFT offline root CA in a workgroup, and not install any online subordinate CA?  
I.e., if I need to process a cert, bring the offline root CA online to process, then take offline again. It's a security requirement, if you are wondering about the question.

I just need to know if this is possible with the CRL publishing etc

thx - S
Question by:siber1
2 Comments
 
Accepted Solution

by:
Dave Howe earned 2000 total points
ID: 40356121
It's possible (well, I don't think it will accept being in a workgroup, but you can give it a domain of its own, build it as a virtual machine in Hyper-V, and shut the whole machine down when not in use).

However, while for issuing CAs in an enterprise, I usually recommend using the MS CA, for offline roots I usually recommend using the XCA standalone CA - this is self-contained (perhaps obviously, will need a webserver to host its CRL, but this can be shared with an issuing CA) and can be easily stored onto removable media and placed in a safe etc when not in use, if you want more security (the db is encrypted, however, and has no web interface, so can be part of your usual backup cycle, depending on how paranoid you want to be about it :)
Author Closing Comment

by:siber1
ID: 40362383
thx Dave