Setting up an Enterprise CA

  • Question

  • I know that for Federation I need to use a Trusted Internet Root CA; however, for all the internal roles I can use my own CA.

    I have read the Windows PKI docs and am still not sure how I want to proceed for my internal CA, so I was wondering what others have done. I want something that I can use for other PKI tasks, so I don't want to just toss something in there.

    My current thought is to set up an Enterprise CA and have it signed by a Trusted Internet CA; that way I can deploy internal certs easily and the management of the root for revoking the Enterprise CA is handled by a third party. However, this method does have a recurring cost, but I think it is less than the MS documented offline root, where you basically create a stand-alone CA, sign your Enterprise CA, then mothball your root CA in a safe.

    Any recommendations?
    Wednesday, December 17, 2008 6:27 PM

All replies

  • Hi,

    If you don't need any federation then you can safely use your internal Root CA.
    Just make sure all your clients trust this CA and you should be fine for Remote Access scenarios.

    I can't imagine that using a subordinate CA from a Trusted 3rd Party CA is cheaper than a stand-alone Root that you installed yourself!

    - Belgian Exchange Community : http://www.pro-exchange.be -
    Friday, December 19, 2008 8:47 PM
  • So is it just common then to create a single server with the Enterprise Root CA role that is online all the time?

    The MS Press books seem to indicate you need a stand-alone CA that you take offline and keep secure to sign your Enterprise CA that stays online all the time. Does anyone do this, or is it overkill?
    Tuesday, December 23, 2008 5:21 PM
  • A stand-alone Offline Root is indeed the recommended way if you want to go high secure...

    Do you need high security in this case? Do you want to take on all the burden of a stand-alone Offline Root?
    As long as you don't use it for encrypting files and only for Server Authentication, I would say that it is sufficient that you only have an Online Root.

    If your keys should be compromised then you just create a new keypair and new certs. But I guess your servers already are physically secure and the chance of that happening is rather small.
    Breaking the keys at this time still takes years, and if someone were to capture a specific encrypted stream, would they have any advantage from that when they could only read it so many years later?

    What is your scenario? If it is securing web traffic, Exchange and OCS, then I would say you are safe with only one Online Root CA.

    - Belgian Exchange Community : http://www.pro-exchange.be -
    Thursday, December 25, 2008 1:10 PM
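The two-tier layout the thread keeps coming back to (a stand-alone root that signs the Enterprise CA once and then goes offline, while the Enterprise CA stays online and issues server certificates) is easy to see end to end with OpenSSL. The script below is an added illustration, not part of the thread and not Microsoft's ADCS tooling; it assumes only that the `openssl` command is installed, and every name in it (`Example Offline Root CA`, `Example Enterprise Issuing CA`, `mail.example.internal`) is made up. It also demonstrates the point from the first reply: a client that does not have the root in its trust store cannot validate anything the Enterprise CA issues.

```shell
#!/bin/sh
# Added illustration (not from the thread): a two-tier hierarchy with OpenSSL.
# The root key is used exactly once here, to sign the subordinate CA; after
# that it can be stored offline, which is the "mothball the root" design.
# Assumes the openssl CLI is available. All subject names are constructed.

build_two_tier_pki() {
    w="$1"
    mkdir -p "$w" || return 1

    # Extensions for a CA certificate. pathlen:0 on the subordinate means it
    # may issue end-entity certs but may not create further CAs beneath it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$w/root.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$w/sub.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.internal\n' > "$w/server.ext"

    # 1. Offline stand-alone root: self-signed, long lifetime.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$w/root.key" -out "$w/root.csr" \
        -subj "/CN=Example Offline Root CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$w/root.csr" -signkey "$w/root.key" -days 7300 -sha256 \
        -extfile "$w/root.ext" -out "$w/root.pem" >/dev/null 2>&1 || return 1

    # 2. Enterprise (issuing) CA: its request is signed once by the root key.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$w/sub.key" -out "$w/sub.csr" \
        -subj "/CN=Example Enterprise Issuing CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$w/sub.csr" -CA "$w/root.pem" -CAkey "$w/root.key" \
        -CAcreateserial -days 3650 -sha256 \
        -extfile "$w/sub.ext" -out "$w/sub.pem" >/dev/null 2>&1 || return 1

    # 3. Server certificate issued by the online Enterprise CA. The root key
    #    is not touched in this step, so it can already be offline.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$w/server.key" -out "$w/server.csr" \
        -subj "/CN=mail.example.internal" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$w/server.csr" -CA "$w/sub.pem" -CAkey "$w/sub.key" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$w/server.ext" -out "$w/server.pem" >/dev/null 2>&1 || return 1
}

# Returns 0 when the chain root -> subordinate -> server validates, which is
# what a client with the root in its trust store sees.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/server.pem" >/dev/null 2>&1
}

# Returns 0 when validation FAILS for a client that does NOT trust the root,
# even though it is handed the subordinate CA certificate.
verify_fails_without_root() {
    ! openssl verify -untrusted "$1/sub.pem" "$1/server.pem" >/dev/null 2>&1
}

# Usage:
#   build_two_tier_pki ./demo-pki && verify_chain ./demo-pki && echo "chain OK"
```

The only difference between an "online root" and this layout is whether the key in `root.key` stays on a networked machine: with a single online Enterprise Root, a compromise of that one key means re-issuing everything, whereas here the root key is needed again only to renew or revoke the subordinate CA certificate.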