70-242 and Active Directory Certificate Service

---

Hello ITPro.TV! I am going through the AD CS section of the 70-242 exam course and had a question regarding enterprise root vs stand-alone CAs.

First, my understanding of the two is that stand-alone CAs are not domain joined and consequently cannot be used for auto-enrollment process via GPO. Whether you are using stand-alone CAs or Enterprise CAs, it is typically accepted as a best security practice to keep the root CA "offline".

This brings up a flurry of questions from me.... Hopefully They are quick and easy to answer.

1. If you keep your enterprise root CA offline, what about domain "trust" issues when the SID of the computer object tombstones while the server is offline for an extended period of time?

2. Windows updates? How are you supposed to apply Windows updates to an offline root CA? Let's say your environments patching policy is such that patches must be applied within 30-days of release.

3. Can you have enterprise subordinate CAs that use a stand-alone (non domain joined) root CA? That way you don't have to deal with domain integration on the root, but can still use auto-enrollment features?

4. When (if ever) is it acceptable to use an enterprise root CA that stays online at all times?

Regards,
Adam Tyler

Hey @Adam-Tyler ,

A root CA is almost always configured as an offline, stand-alone CA for security reasons. If the root CA is compromised, the entire CA infrastructure is compromised. All issued certificates have to be revoked, and the CA infrastructure rebuilt from the top.

So your understanding is correct, the offline stand-alone root CA cannot be used for auto-enrollment. But this is ok, as the root CA is only used to issue certificates to the first level of subordinate CAs. After the subCA certificates are issued, the root is taken offline.

So for your questions,

1. Because the root CA will be offline, it should not be configured on a domain member. By default, computers change their password every 30 days, and if the root is kept offline for longer than this, trust issues will occur. Because the root CA doesn't issue certificates to users or computers, there is no need to store any information in Active Directory, so it should be configured as stand-alone, not enterprise.

2. Because the root CA is offline, and stand-alone, they usually fall outside of update policies. They can be brought online occasionally to apply updates if you have to, but they are powered off, so little chance for compromise. Depending on your CRL lifetime, the root CA might only be brought online once a year. So when you do bring it online, plan accordingly, there will be a few updates ;)

3. Yes! This is the best practice for a CA hierarchy. The offline, stand-alone root CA is configured first. Then, enterprise subordinate CAs are configured, and request subCA certificate from the root. Once they are configured, the root is taken offline. The subordinates are enterprise CAs, so they store their information in Active Directory, and support auto-enrollment for users and computers.

4. Not that I'm aware of. I have used a single-tier hierarchy in test labs, where my root CA was also my issuing CA, but never in production. The root CA is always stand-alone and offline. The root CA isn't used to issue certificates, other than to subordinate CAs.

Hope this clears things up! Coincidentally, I am shooting shows on this very topic this week. If you get a chance, join us in the chat room in the afternoons!