Deciding Between Enterprise and Standalone Root Certification Authority in Windows Server 2012
This is part 4 of a series on using Public Key Infrastructure (PKI) and private key cryptography in your Windows Server 2012 environment.
Part 1: Selecting a Key Size for Your Root Certificate Server in Windows Server 2012 AD CS.
Part 2: Selecting a Cryptographic Key Provider in Windows Server 2012 AD CS.
Part 3: How Long Does It Take to Generate an Asymmetric Cryptography Key Pair?
In this post, we’ll look at the difference between an Enterprise and a Standalone Root Certification Authority and which is right for you.
One of the most important decisions you will make about your infrastructure involves the details for your Root Certification Authority (CA). And one of the first questions you’ll need to answer is whether to implement an Enterprise or Standalone Certification Authority.
Figure 1. AD CS Configuration – Specify an Enterprise or Standalone CA.
The Difference Between Enterprise and Standalone
An Enterprise CA is integrated with Active Directory. The server uses domain services for certificate management, integrates with the directory for naming and authentication, and provides a ton of other integration points that simplify the user experience.
You should use an Enterprise CA for issuing end-entity, or user and computer, certificates. It is fantastic in that role. A root CA should never be an Enterprise CA because that would expose the root CA to increased risk of attack or misconfiguration. It is considered an extremely bad practice in all cases. Never, ever create an Enterprise Root CA. I will find and personally humiliate you.
A Standalone CA is one that doesn’t integrate with AD. This is a great implementation choice for many scenarios, including non-AD clients, offline servers, or simply because you don’t want to use Active Directory to manage certificates.
The main drawback of a Standalone CA is that it must be backed up on its own rather than relying on Active Directory replication. Another possible drawback is that users may need to authenticate with separate credentials if the Standalone CA is not a domain member. These drawbacks have good solutions, but they should be considered before deployment.
Conclusion
Deploy your Root CA as a Standalone CA that issues certificates only to other (subordinate) CAs, then take it offline to minimize its exposure to attack. For all other CA servers, weigh the benefits and drawbacks before you deploy. Just remember that PKI is like a tattoo – you should consider your choices permanent, and fixing bad decisions is expensive and painful.
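As an added example (not code from the original post), here is where the Enterprise-versus-Standalone decision is actually made on Windows Server 2012: the -CAType parameter of the ADCSDeployment cmdlet Install-AdcsCertificationAuthority. The script builds a Standalone Root CA and then checks, via certutil, that the result really is a Standalone root and not an Enterprise one. The CA name, key length, provider and validity period are assumptions chosen for illustration; the server is assumed to be an elevated, workgroup-joined machine that will be taken offline once the subordinate CA certificates are issued.

```powershell
# Added example, not from the original post: build a Standalone Root CA with the
# AD CS deployment cmdlets and verify the CA type before the root goes live.
# Run in an elevated PowerShell session on the server that will become the
# offline root. All names and key settings below are assumptions.

$caName = 'Contoso Offline Root CA'                        # assumed CA common name
$keyLen = 4096                                             # assumed; see Part 1 of the series
$ksp    = 'RSA#Microsoft Software Key Storage Provider'    # assumed; see Part 2 of the series

# 1. Install the Certification Authority role service.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure it as a *Standalone* root. -CAType is the Enterprise/Standalone switch:
#      StandaloneRootCA         -> what this post recommends for the root
#      EnterpriseSubordinateCA  -> what the issuing CAs under it would use
#      EnterpriseRootCA         -> the option the post says never to pick
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName $caName `
    -CryptoProviderName $ksp `
    -KeyLength $keyLen `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 20 `
    -Force

# 3. Verify what was built. "certutil -cainfo type" prints the CA type as the
#    service itself sees it (e.g. "CA type: 3 -- Standalone Root CA"), so a wrong
#    -CAType is caught here rather than after the root has signed anything.
function Test-StandaloneRoot {
    $info = certutil -cainfo type | Out-String
    if ($info -match 'Enterprise Root CA') {
        throw "This CA is an Enterprise Root CA; rebuild it as a Standalone Root CA."
    }
    return [bool]($info -match 'Standalone Root CA')
}

if (Test-StandaloneRoot) {
    Write-Host "Standalone Root CA '$caName' is configured."
    Write-Host "Issue the subordinate CA certificates, then take this server offline."
}
```

Because the root is Standalone and will be offline, nothing in Active Directory knows about it automatically; the root certificate and its CRL have to be distributed and published by hand as part of the follow-up work the post alludes to, so plan that before the server is powered down.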
If you want more Windows PKI articles please be sure to drop me a comment.
Take care!
Mike Danseglio -CISSP / CEH
Interface Technical Training – Technical Director and Instructor