Solved

offline root CA question

Posted on 2014-10-01
2
167 Views
Last Modified: 2014-10-05
Can someone tell me if it is possible to create a MSFT offline root CA in a workgroup, and not install any online subordinate CA?  
i.e. if I need to process a cert, bring the offline root CA online to process then take offline again. its a security requirement if you are wondering about the question.

I just need to know if this is possible with the CRL publishing etc

thx - S
0
Comment
Question by:siber1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40356121
It's possible (well, I don't think it will accept being in a workgroup, but you can give it a domain of its own, build it as a virtual machine in hyper-v, and shut the whole machine down when not in use)

However, while for issuing CAs in an enterprise, I usually recommend using the MS CA, for offline roots I usually recommend using the XCA standalone CA - this is self-contained (perhaps obviously, will need a webserver to host its CRL, but this can be shared with an issuing CA) and can be easily stored onto removable media and placed in a safe etc when not in use, if you want more security (the db is encrypted, however, and has no web interface, so can be part of your usual backup cycle, depending on how paranoid you want to be about it :)
0
 

Author Closing Comment

by:siber1
ID: 40362383
thx Dave
0

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question