Windows PKI with offline root (maybe with OpenSSL) - Possible?

I'm trying to set up a two-tier PKI and I have a ton of questions. Since there's the tombstone limit for the AD, I'm assuming that the root (which will be offline) shouldn't be part of the AD. Am I correct?

The setup I was considering was one Root CA and multiple intermediates (for different purposes). So, the root could be a standalone Windows Standard or Linux + OpenSSL (don't know if this is possible/advisable). One of the intermediate CAs is to be part of the AD (auto-enrollment and such).

So, my questions are:

Can the root be standalone (not part of the AD)? Will this cause any problems with the certificate chain or such?

Can the root be Linux + OpenSSL? Will this be harder to manage?

Or is there a workaround for the tombstone limit?

Thanks.

See http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx[1] and http://pki-tutorial.readthedocs.org/en/latest/advanced/index.html[2] for references.


Microsoft specifies that the offline root CA machine should not be a member of a domain, so it's not going to cause you any problems, and it makes the whole issue of AD tombstone lifetime issues moot. To wit:

Set up a server that runs Windows that you will use for the root certification authority. The server should not be a member of any domain, should be disconnected from the network, and should be physically secure.

I haven't attempted extensive interoperability testing with OpenSSL and the Windows CA but, in principle, it should work fine; it's all standards-based PKI. Certainly, I've signed certs for Windows servers using OpenSSL many, many times with no ill effects. As long as you're comfortable using the OpenSSL tools to issue the certs for your second-tier CAs it won't cause you any specific management issues.

I see no particular value from deploying the root CA using one set of tools and the intermediate(s) with another. You certainly can, but I don't see how that "buys" you anything.


I'm trying to set up a two-tier PKI and I have a ton of questions. Since there's the tombstone limit for the AD, I'm assuming that the root (which will be offline) shouldn't be part of the AD. Am I correct?

Correct. Your offline root CA will be a workgroup computer. You will only turn it on for the purposes of renewing the issuing CA certificates and publishing CRLs. You typically will distribute the root's public key/cert to all of the clients by way of GPO.

The setup I was considering was one Root CA and multiple intermediates (for different purposes). So, the root could be a standalone Windows Standard or Linux + OpenSSL (don't know if this is possible/advisable). One of the intermediate CAs is to be part of the AD (auto-enrollment and such).

I would not try to mix and match Windows and Linux in a single PKI. There's no benefit to be gained from doing so, and you just make management of the PKI more complex.
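The two jobs both answers describe for the offline root, signing the second-tier (issuing) CA certificate and publishing a CRL, look like this when the root is run with OpenSSL. This is an added example, not code from either answer or from the linked references: every name, path, lifetime and subject in it is constructed for the illustration. It also checks the two things a reviewer would want to see on the issuing CA certificate: the chain verifies to the root, and the pathlen:0 constraint stops a CA minted by the issuing CA from chaining to the root.

```shell
#!/bin/sh
# Added example, not code from the original thread: an offline root CA run with
# OpenSSL signs an issuing (intermediate) CA and publishes a CRL; the chain and the
# issuing CA's constraints are then verified. Names, paths and lifetimes are
# constructed for the example.
set -eu

# Builds the two-tier PKI inside directory $1 and prints a one-line summary.
# The body is a subshell so the caller's working directory is untouched.
build_two_tier_pki() (
    cd "$1"

    # OpenSSL config: a minimal [req] section, the root's "openssl ca" database,
    # and one extension profile per tier.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = offline_root
[ offline_root ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/root.crt
private_key      = $dir/root.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_crl_days = 30
policy           = policy_cn
[ policy_cn ]
commonName = supplied
# Root: CA with no path-length limit; key is used only to sign certs and CRLs.
[ root_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
# Issuing CA: pathlen:0 lets it sign end-entity certs but no further CAs.
[ issuing_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ leaf ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

    # 1. Offline root: self-signed and long-lived. In production this key stays
    #    on the disconnected machine.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout root.key -out root.crt -subj "/CN=Example Offline Root CA" \
        -config ca.cnf -extensions root_ca 2>/dev/null
    # 2. Issuing CA key and CSR, as produced on the online issuing CA and carried
    #    to the root as a file.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout int.key \
        -out int.csr -subj "/CN=Example Issuing CA" -config ca.cnf 2>/dev/null
    # 3. Root signs the CSR with the issuing_ca profile; "openssl ca" records the
    #    cert in index.txt so the root can revoke it later and publish a CRL.
    touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
    openssl ca -config ca.cnf -batch -notext -days 1825 -extensions issuing_ca \
        -in int.csr -out int.crt 2>/dev/null
    # 4. Root publishes its CRL: the routine job the offline box is powered on for.
    openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null
    crl=bad
    if openssl crl -in root.crl -CAfile root.crt -noout 2>&1 | grep -q "verify OK"; then crl=ok; fi
    # 5. Issuing CA signs an end-entity cert; the chain must verify up to the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout leaf.key \
        -out leaf.csr -subj "/CN=server.example.test" -config ca.cnf 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 365 -sha256 -extfile ca.cnf -extensions leaf -out leaf.crt 2>/dev/null
    chain=bad
    if openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>&1; then chain=ok; fi
    # 6. The pathlen:0 constraint: a sub-CA minted by the issuing CA (here from a
    #    throwaway key) must not yield certs that chain to the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout sub.key \
        -out sub.csr -subj "/CN=Unexpected Sub CA" -config ca.cnf 2>/dev/null
    openssl x509 -req -in sub.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 365 -sha256 -extfile ca.cnf -extensions issuing_ca -out sub.crt 2>/dev/null
    openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
        -days 365 -sha256 -extfile ca.cnf -extensions leaf -out leaf2.crt 2>/dev/null
    cat int.crt sub.crt > untrusted.pem
    pathlen=not-enforced
    if openssl verify -CAfile root.crt -untrusted untrusted.pem leaf2.crt 2>&1 \
        | grep -q "path length"; then pathlen=enforced; fi
    echo "chain=$chain pathlen=$pathlen crl=$crl"
)

build_two_tier_pki "$(mktemp -d)"
```

Run as-is it prints `chain=ok pathlen=enforced crl=ok`. The `2>/dev/null` redirects only hide OpenSSL's progress chatter; drop them to see what each step reports. `openssl x509 -in int.crt -noout -text` shows the basicConstraints and keyUsage the root put on the issuing CA certificate, which is what a Windows issuing CA installed from that certificate will be bound by; `root.crt` is the file you would distribute to clients by GPO, and `root.crl` the one you would publish to the CDP after each power-on of the root.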