Posted by Brian Komar (MVP) on March 20, 2008, 11:03 am
Almost.
You want to deploy an offline root CA.
Check out the best practices white paper (www.microsoft.com/pki) or look at
getting a copy of the PKI book from MS Press (several threads on here
referencing it).
You cannot just power off an enterprise CA, as it is a member of the domain.
Only a standalone CA can be powered off as you require.
There are lots of little gotchas discussed in the two sources I provided.
Brian
> We want an infrastructure involving two CAs, an enterprise root CA on the
> parent domain and a subordinate CA to do all the work on the child domain.
>
> 1. Right now we're decommissioning our Enterprise Root off of the PDC on our
> Forest Root domain and want to create a brand new Enterprise Root CA on its
> own server.
>
> 2. On the child domain we want to build a subordinate CA and do all of the
> cert publishing off that box (nothing is on the parent domain, which is also
> the forest root).
>
> 3. After the subordinate CA is set up, we can just power off the Enterprise
> root CA, correct? What about security updates?
>
> 4. What is the proper setup for this chain to work? Any special
> considerations or "gotchas" we need to know about?
>
> Thanks!
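As an added worked example (this is not from Brian's reply or the original poster), here is the two-tier layout the reply points to, scripted the way a practitioner would build it today: a standalone root CA on a workgroup machine that is never domain-joined and stays powered off, whose CRL and AIA locations are embedded as LDAP/HTTP URLs that domain members in both the parent and child domain can reach, and an enterprise subordinate CA in the child domain that does the issuing. All names (CORP-ROOT-CA, CORP-ISSUING-CA, ROOTHOST, pki.corp.example), drive paths and validity periods are assumptions; the Install-Adcs* cmdlets assume Windows Server 2012 or later (on Server 2008 the role is added through the wizard, and the certutil commands are the same).

```powershell
# Added example: two-tier AD CS hierarchy with an OFFLINE standalone root.
# Names, URLs and periods are assumptions; adjust to your environment.

# ---------- Part 1: on the root CA (workgroup, not domain-joined, no network) ----------
# CAPolicy.inf must be in %windir% BEFORE the role is configured.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'CORP-ROOT-CA' -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# The root is offline, so clients can never fetch its CRL or cert from this box.
# Only the local file location carries the "publish" flag (1); the LDAP and HTTP
# URLs are only written into issued certs (2 = cert CDP/AIA, 8 = CRL CDP) and the
# files are placed there by hand in Part 2.  %6 expands to the forest Configuration container.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.corp.example/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.corp.example/CertEnroll/%1_%3%4.crt"

# Gotcha: a standalone CA issues certificates valid for 1 year by default, and that
# would apply to the subordinate CA certificate too. Raise it before signing anything.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc
certutil -crl    # first CRL; the root must be powered on and this re-run before the 26 weeks expire

# Copy %windir%\system32\CertSrv\CertEnroll\*.crt and *.crl to removable media.

# ---------- Part 2: on any domain-joined box, as a member of Enterprise Admins ----------
# Publishes the root into the forest-wide Configuration partition, so members of
# both the parent and child domain trust it and can resolve the ldap:/// CDP/AIA.
certutil -dspublish -f 'D:\ROOTHOST_CORP-ROOT-CA.crt' RootCA
certutil -dspublish -f 'D:\CORP-ROOT-CA.crl'
# Serve the same files at the HTTP URL embedded above (assumed web share):
Copy-Item 'D:\ROOTHOST_CORP-ROOT-CA.crt','D:\CORP-ROOT-CA.crl' -Destination '\\pki.corp.example\CertEnroll\'

# ---------- Part 3: on the issuing CA in the child domain (domain-joined) ----------
# Installing an enterprise CA writes to the Configuration partition, so this also
# needs Enterprise Admins membership, not just child-domain admin rights.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'CORP-ISSUING-CA' -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -OutputCertRequestFile 'C:\CORP-ISSUING-CA.req' -Force
# Carry the .req to the root on removable media. On the root (N is the RequestId printed by -submit):
#   certreq -submit -config 'ROOTHOST\CORP-ROOT-CA' 'D:\CORP-ISSUING-CA.req'     # standalone CA leaves it pending
#   certutil -resubmit N
#   certreq -retrieve -config 'ROOTHOST\CORP-ROOT-CA' N 'D:\CORP-ISSUING-CA.crt'
# Back on the issuing CA. The root cert and CRL from Part 2 must be resolvable here,
# otherwise -installcert fails with a revocation-check error.
certutil -installcert 'D:\CORP-ISSUING-CA.crt'
Start-Service certsvc

# The issuing CA is domain-joined, so it can publish its own CRL to AD and HTTP
# itself (65 = publish base+delta, 79 = publish plus all CDP flags, 6 = cert CDP + freshest CRL).
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.corp.example/CertEnroll/%3%8%9.crl"
Restart-Service certsvc
certutil -crl
```

The parts the reply calls "gotchas" are the ones made explicit in the comments: the root's CDP/AIA must point somewhere other than the root itself, its CRL has to be re-issued and re-published by hand before it expires (so "powered off" means "powered off until the next CRL is due", not "never touched again"), the default one-year validity on a standalone CA must be raised before the subordinate's certificate is signed, and both the root publication and the enterprise subordinate install need Enterprise Admins rights in the forest root, even though the subordinate lives in the child domain.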