Deciding Between Enterprise and Standalone Root Certification Authority in Windows Server 2012



By Mike Danseglio, August 30, 2013

This is part 4 of a series on using Public Key Infrastructure (PKI) and Private Key Cryptography in your Windows Server 2012 environment.

Part 1: Selecting a Key Size for Your Root Certificate Server in Windows Server 2012 AD CS.
Part 2: Selecting a Cryptographic Key Provider in Windows Server 2012 AD CS.
Part 3: How Long Does It Take to Generate an Asymmetric Cryptography Key Pair?

In this post, we’ll look at the difference between Enterprise and Standalone Root Certification Authority and which is right for you.

One of the most important decisions you will make about your infrastructure involves the details for your Root Certification Authority (CA). And one of the first questions you’ll need to answer is whether to implement an Enterprise or Standalone Certification Authority.


Figure 1. AD CS Configuration – Specify an Enterprise or Standalone CA.

The Difference Between Enterprise and Standalone

An Enterprise CA is integrated with Active Directory. The server uses domain services for certificate management, integrates with the directory for naming and authentication, and provides a ton of other integration points that simplify the user experience.

You should use an Enterprise CA for issuing end-entity (user and computer) certificates. It is fantastic in that role. A root CA should never be an Enterprise CA, because that would expose the root CA to increased risk of attack or misconfiguration. It is considered an extremely bad practice in all cases. Never, ever create an Enterprise Root CA. I will find and personally humiliate you.
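A quick way to audit a forest for exactly this mistake, as an added example that is not code from the original post: Enterprise CAs register themselves in the Enrollment Services container of the Configuration partition, so any CA found there whose CA certificate is self-signed (subject equals issuer) is an Enterprise Root CA. The script assumes it runs on a domain-joined machine with read access to the Configuration partition, which any authenticated user has by default.

```powershell
# Added example, not code from the original post: list every CA registered as an
# Enterprise CA in this forest and flag those whose CA certificate is self-signed,
# i.e. the Enterprise Root CA configuration the post warns against.
# Assumes a domain-joined machine that can read the Configuration partition.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$searcher.Filter = "(objectClass=pKIEnrollmentService)"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("cn", "dNSHostName", "cACertificate"))

$findings = foreach ($entry in $searcher.FindAll()) {
    # cACertificate is stored as DER bytes; parse it so we can compare subject and issuer.
    $der  = [byte[]]$entry.Properties["cacertificate"][0]
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    [pscustomobject]@{
        CA             = [string]$entry.Properties["cn"][0]
        Host           = [string]$entry.Properties["dnshostname"][0]
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        # Only Enterprise CAs live in this container, so a self-signed
        # certificate here means an Enterprise Root CA.
        EnterpriseRoot = ($cert.Subject -eq $cert.Issuer)
    }
}

$findings | Format-Table -AutoSize
$bad = @($findings | Where-Object EnterpriseRoot)
if ($bad.Count -gt 0) {
    Write-Warning ("{0} Enterprise Root CA(s) found: {1}" -f $bad.Count, ($bad.CA -join ', '))
}
```

A correctly built hierarchy shows only subordinate CAs in this list, each with an issuer that names the offline standalone root; the root itself never appears because a Standalone CA does not register in the Enrollment Services container.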

A Standalone CA is one that doesn’t integrate with AD. This is a great implementation choice for many scenarios including non-AD clients, offline servers, or simply because you don’t want to use Active Directory to manage certificates.

The main drawback with a Standalone CA is that it needs to be backed up on its own instead of relying on Active Directory replication. Another possible drawback is that users may need to authenticate using separate credentials if the Standalone CA is not part of a domain. These drawbacks have good solutions but should be considered before deployment.

Conclusion

Deploy your Root CA as a Standalone CA that issues certificates only to other CAs, and then take it offline to minimize its exposure to attack. For all other CA servers, weigh the benefits and drawbacks before you deploy. Just remember that PKI is like a tattoo – you should consider your choices permanent, and fixing bad decisions is expensive and painful.
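The deployment the conclusion recommends, as an added example rather than code from the original post, using the ADCSDeployment cmdlets that ship with the AD CS role. The CA name, key length, hash algorithm, provider, validity period and export file name are assumed values; pick them according to the earlier parts of this series. The registry check at the end relies on the CAType value AD CS writes under the CertSvc configuration key, where 3 denotes a Standalone Root CA.

```powershell
# Added example, not code from the original post: install a Standalone Root CA,
# confirm the recorded CA type, publish its certificate to AD by hand, and take it offline.
# Assumed values: CA name, key length, hash, provider, validity and the export file name.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName "Example Offline Root CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -Force

# Verify what AD CS actually recorded: CAType 3 = Standalone Root CA.
# (0 = Enterprise Root, 1 = Enterprise Subordinate, 4 = Standalone Subordinate.)
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$caType = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName").CAType
if ($caType -ne 3) { throw "Expected a Standalone Root CA (CAType 3) but found CAType $caType" }

# A standalone root does not publish to Active Directory on its own, so export its
# certificate and publish it from a domain-joined machine so domain members trust it.
certutil -ca.cert "$env:TEMP\root-ca.cer"
# Then, on a domain member with rights to the Configuration partition:
#   certutil -dspublish -f root-ca.cer RootCA

# After the subordinate (issuing) CA's certificate has been signed, stop the service and
# disconnect the root; bring it back only to sign CA certificates and publish CRLs.
Stop-Service certsvc
```

Because the root will be offline, set its CRL and AIA publication locations to URLs the issuing CAs and clients can reach before you sign the first subordinate certificate; the offline root cannot update those locations later without being brought back online.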

If you want more Windows PKI articles please be sure to drop me a comment.

Take care!
Mike Danseglio – CISSP / CEH
Interface Technical Training – Technical Director and Instructor

Comments

1. Alicia

    Hi! Can you please let me know what are the best practices for BC of Win 2012 Root Certificate Authority? At the moment we are using VMware Site Recovery Manager but looking for alternatives. Thanks!
