Windows PKI with offline root (maybe with OpenSSL) - Possible?

pki ssl windows-server-2008 openssl certificate-authority

I'm trying to setup a two-tier PKI and I have a ton of questions. Since there's the tombstone limit for the AD, I'm assuming that the root (which will be offline) shouldn't be part of the AD. Am I correct?

The setup I was considering was one Root CA and multiple intermediates (for different purposes). So, the root could be a standalone windows standard or Linux + OpenSSL (don't know if this is possible/advisable). One of the intermediate CAs is to be part of the AD (auto-enrollment and such).

So, my questions are:

Can the root be standalone (not part of the AD)? Will this cause any problems with the certificate chain or such?

Can the root be Linux + OpenSSL? Will this be harder to manage?

Or is there a workaround for the tombstone limit?

Thanks.

See :http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx[1] and http://pki-tutorial.readthedocs.org/en/latest/advanced/index.html[2] for references.


Microsoft specifies that the offline root CA machine should not be a member of a domain, so it's not going to cause you any problems, and it makes the whole issue of AD tombstone lifetime issues moot. To wit:

Set up a server that runs Windows that you will use for the root certification authority. The server should not be a member of any domain, should be disconnected from the network, and should be physically secure.

I haven't attempted extensive interoperability testing with OpenSSL and the Windows CA but, in principle, it should work fine-- it's all standards-based PKI. Certainly, I've signed certs for Windows servers using OpenSSL many, many times w/ no ill effects. As long as you're comfortable using the OpenSSL tools to issue the certs for your second tier CAs it won't cause you any specific management issues.

I see no particular value from deploying the root CA using one set of tools and the intermediate(s) on another. You certainly can, but I don't see how that "buys" you anything.


I'm trying to setup a two-tier PKI and I have a ton of questions. Since there's the tombstone limit for the AD, I'm assuming that the root (which will be offline) shouldn't be part of the AD. Am I correct?

Correct. Your offline root CA will be a workgroup computer. You will only turn it on for the purposes of renewing the issuing CA certificates and publishing CRLs. You typically will distribute the root's public key/cert to all of the clients by way of GPO.

The setup I was considering was one Root CA and multiple intermediates (for different purposes). So, the root could be a standalone windows standard or Linux + OpenSSL (don't know if this is possible/advisable). One of the intermediate CAs is to be part of the AD (auto-enrollment and such).

I would not try to mix and match Windows and Linux in a single PKI. There's no benefit to be gained from doing so, and you just make management of the PKI more complex.

Related

Puppet error on already installed package on centos
How to make Nginx forward the original host name
How do fiber Ethernet transmitters set their power output?
Python, "you don't have permission to access that port" [closed]
SSH: prevent from asking for passphrase when ssh-agent auth fails
Server crashes Sundays at 6 a.m. - out of memory
Troubleshooting network latency
Change the Windows Automatic Updates Schedule on Server Core
do SSH keys have to be unique to the service they are used for?
How to parse OpenFlow packets using tcpdump capture file programmatically
Apache2 conditional section based on port
Debugging sendmail - dsn=5.0.0