How to offline an Enterprise Root CA

For internal PKI, I'm a big fan of using Enterprise vs. Stand-alone, for simplicity and ease of management. The problem is, I just can't find definitive answers on how to properly offline it. Most people say to not bother, and their justifications are vague and nebulous. My Enterprise CAs are NOT DCs. I've given this a lot of thought, and these are the things I think need to be considered...
If you take the Enterprise root CA offline, you'll need to consider three things:
1. Change the Enterprise root CA's CRL publication interval to be longer than the periods for which the Enterprise root CA will be offline, and also probably disable delta CRLs on the Enterprise root CA for simplicity and ease of management. When you do boot the Enterprise root CA, be sure to publish a new CRL from it into AD.
2. Make sure the Enterprise root CA isn't needed for anything but:
 a. The initial, one-time loading of the root certificate into AD for automatic distribution to clients by ADDS.
 b. Creating certificates for the subordinate/issuing CAs.
 c. Publishing the Enterprise root CA's CRL to AD for reading by the clients.
Is there anything else the Enterprise root CA needs to be online for?
3. By default, every computer account password expires every 30 days. This won't be a problem because when you boot the Enterprise root CA, it'll just change its computer account password if it has expired.
So, having said all of that, should I offline the Enterprise root CA? If not, why?

On Mon, 17 Feb 2014 08:14:20 +0000, Daniel L. Benway wrote:
> The real question is whether or not I can or should shut down the Enterprise root CA after it has published the root certificate to AD, after I've created the sub/issuing CAs, and after I've published the root CA's CRLs to AD and changed the root CA's CRL intervals to appropriate values.
Brian did answer your question. A PKI is all about trust, and the root of
that trust is the private key material of the root CA. The reason one
deploys a standalone, offline root CA in the first place is to reduce
the possibility of an attack against the root CA's key material and the
accepted method to reduce that attack surface is to ensure that the root CA
is never attached to a network. That does not mean attach it to the
network for a while and then periodically afterwards, never means
never. The minute you attach the root CA to a network, you've reduced the
trust level and once a trust level is reduced, it cannot be increased
without redeploying.
Brian and I have both seen the argument that an offline Enterprise root is
easier to manage than an offline Standalone root and in practice, that
simply isn't the case:
1. Publishing the root CA certificate and CRL of an Enterprise root is, as
you point out, automatic, however, transferring the certificate and CRL via
removable media and then using certutil, given the infrequency of those
operations is a trivial procedure. Operationally you gain very little by
using an Enterprise root here, and taking advantage of the automatic
publication requires that the root be put on the network which defeats the
purpose of keeping it permanently offline in the first place.
2. Since the only certificates that a root should be issuing are for SubCAs
the advantage you get with an Enterprise root being able to use certificate
templates is pointless.
3. Any management functions or benefits you may be able to realize by
having the root joined to AD are obviated by the fact that you're planning
on having it offline and disconnected in the first place.
The bottom line here is that any perceived advantage of having an offline
root being an Enterprise CA as opposed to a Standalone root is defeated by
the simple fact of having it attached to the network at any point in its
lifetime. Security and trust trump ease of management in this case, and as I've
pointed out, the actual ease of management versus the perceived ease of
management is minimal at best.
Paul Adare - FIM CM MVP
Minds are like paragliders. They work best when open.
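Added example, not code from either post in this thread: the two procedures the posts describe, Daniel's step 1 (a CRL lifetime longer than the offline window, delta CRLs off, a fresh CRL on each boot) and Paul's point 1 (carry the root certificate and CRL over on removable media and publish them with certutil), done against a standalone root that is never network-attached. Every name is an assumption: the root CA is "Corp-Root-CA" on host ROOTCA01, the forest is corp.example, the removable media is E:\, the next planned boot of the root is ten months out, and the issuing CA certificate sits at C:\pki\Corp-Issuing-CA.crt.

```powershell
# Added example; not from the original thread. Hypothetical names throughout:
# root CA "Corp-Root-CA" on ROOTCA01, forest corp.example, removable media E:\.
# Part 1 runs on the root CA itself; Part 2 on a domain-joined admin workstation.

# ----- Part 1: on the standalone, never-networked root CA -----
# A standalone CA is not AD-joined, so give it the forest's configuration
# partition DN; without it the CA cannot render LDAP CDP/AIA URLs.
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=corp,DC=example"

# Base CRL valid for 12 months (pick a period longer than the longest gap
# between planned boots), 2 weeks of overlap so the old CRL is still valid
# while the new one is hand-carried into AD, and no delta CRLs (units = 0).
certutil -setreg CA\CRLPeriodUnits 12
certutil -setreg CA\CRLPeriod "Months"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service CertSvc            # registry changes take effect on restart
certutil -CRL                      # issue a fresh base CRL with the new lifetime

# Confirm the settings stuck, then copy cert + CRL to the removable media.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLDeltaPeriodUnits
$enroll = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
Copy-Item (Join-Path $enroll '*Corp-Root-CA*.crt') E:\   # default name: <host>_<CAName>.crt
Copy-Item (Join-Path $enroll 'Corp-Root-CA.crl')   E:\

# ----- Part 2: on a domain-joined workstation, as an Enterprise Admin -----
# Read NextUpdate out of certutil's dump and refuse to publish a CRL that
# would expire before the next planned boot of the root.
function Test-CrlCoversWindow {
    param([string]$CrlPath, [datetime]$NextMaintenance)
    $dump = certutil -dump $CrlPath | Out-String
    if ($dump -notmatch 'NextUpdate:\s*(.+)') { throw "No NextUpdate found in $CrlPath" }
    # certutil prints the timestamp in the current culture; parse it the same way.
    $nextUpdate = [datetime]::Parse($Matches[1].Trim())
    return ($nextUpdate -gt $NextMaintenance)
}

$crl = 'E:\Corp-Root-CA.crl'
if (-not (Test-CrlCoversWindow $crl (Get-Date).AddMonths(10))) {
    throw 'CRL expires before the next planned boot; regenerate it with a longer CRLPeriod.'
}

# Publish the root certificate and the CRL. The "RootCA" argument puts the
# certificate into the Certification Authorities container, which domain
# members pull into their Trusted Root store; the CRL goes into the CDP
# container of the configuration partition, keyed on the CRL's issuer.
$rootCert = Get-ChildItem 'E:\' -Filter '*Corp-Root-CA*.crt' | Select-Object -First 1
certutil -dspublish -f $rootCert.FullName RootCA
certutil -dspublish -f $crl

# Check from any domain member: trigger autoenrollment, then look for the root.
certutil -pulse
certutil -store Root | Select-String 'Corp-Root-CA'

# Once the issuing CA's certificate exists, prove that the chain builds and
# the CRL is fetchable from the published CDP, as a domain member sees it.
certutil -verify -urlfetch 'C:\pki\Corp-Issuing-CA.crt'
```

The registry keys are the standard `CA\CRLPeriod*`, `CA\CRLOverlap*` and `CA\CRLDeltaPeriodUnits` values under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>; `certutil -CRL` must be rerun on every maintenance boot so the CRL carried into AD is the newest one. The `Test-CrlCoversWindow` check is the part the thread argues about in prose: if the next boot is further out than NextUpdate, clients will start failing revocation checks for every certificate chained to the root, so the CRL lifetime has to be set from the maintenance calendar, not the other way round.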
