Offline Root CA

Creating an offline Root CA

You would configure an offline root CA to ensure the reliability of your certificate infrastructure: keeping the root off the network limits its exposure.

The root CA is self-signed (it validates itself) and issues certificates to the subordinate CAs, so if the root is compromised, every subordinate is compromised too.

To create an offline root CA, follow the steps below. (They assume you have a DNS A record for enterpriseca pointing to the enterprise subordinate CA, which will serve the http://enterpriseca/certenroll distribution points.)

  1. Install a root CA on Microsoft Windows Server 2008 that is not a member of a domain.
  2. Set the default certificate request policy to request pending.
  3. Configure the Certificate Revocation List (CRL) distribution point.
    1. Remove the http://, ldap:// and file:// distribution points and uncheck Publish Delta CRLs to this location.
    2. Add an HTTP distribution point: http://enterpriseca/certenroll/<CA Name>.crl, e.g. http://enterpriseca/certenroll/rootca-ca.crl, and check Include in CDP extension of issued certificates.
    3. For the c:\windows\… distribution point, ensure only Publish CRLs to this location is checked.
  4. Configure the Authority Information Access (AIA) distribution point.
    1. Remove the http://, ldap:// and file:// distribution points.
    2. Add an HTTP distribution point: http://enterpriseca/certenroll/<hostname_CA Name>.crt, e.g. http://enterpriseca/certenroll/rootca_rootca-ca.crt
  5. Publish the Root CA CRL in Active Directory.
    1. certutil -setreg ca\DSConfigDN "CN=Configuration,DC=Domain,DC=com"
    2. certutil -setreg ca\DSDomainDN "DC=Domain,DC=com"
  6. Copy the CRL and CA certificate from the Root CA to the distribution points.
  7. Add the CA certificate to the Trusted Root Certification Authorities store (using a GPO or manual installation).
  8. Turn off the root CA.
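The same configuration can be scripted instead of clicked through in the CA console. The script below is an added example and not from the original post; it covers steps 2 to 7 with certutil. Part 1 runs in an elevated PowerShell prompt on the root CA while it is still powered on; Part 2 runs on the domain-joined subordinate. The distinguished names, the removable-media drive letter, the web root path and the root CA host name `rootca` (taken from the post's example file name) are placeholders, and publishing into AD with `certutil -dspublish` is used here in place of the GPO mentioned in step 7.

```powershell
# ===== Part 1: on the offline root CA (elevated prompt, CA still running) =====
$CdpBase  = 'http://enterpriseca/certenroll'          # CDP/AIA host from the post
$ConfigDN = 'CN=Configuration,DC=Domain,DC=com'       # placeholder, your forest
$DomainDN = 'DC=Domain,DC=com'                        # placeholder, your domain
$Media    = 'E:\'                                     # placeholder removable drive

# Step 2: default disposition for new requests = pending (0) instead of issue (1),
# so the root signs nothing until an administrator approves the request.
certutil -setreg policy\RequestDisposition 0

# Step 3: CRL distribution points. certutil takes one entry per line ('\n'),
# each prefixed by a flag bit mask:
#   1  = Publish CRLs to this location
#   2  = Include in the CDP extension of issued certificates
#   64 = Publish delta CRLs to this location (intentionally left unset)
# %WINDIR% is expanded by the CA service, not by PowerShell. %3 = CA name,
# %8 = CRL name suffix, %9 = delta marker, so %3%8%9.crl becomes rootca-ca.crl.
$crlUrls = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl',
    "2:$CdpBase/%3%8%9.crl"
) -join '\n'
certutil -setreg CA\CRLPublicationURLs $crlUrls

# Step 4: AIA locations, same encoding. 1 = publish the CA certificate here,
# 2 = include in the AIA extension of issued certificates. %1 = server DNS name,
# %4 = certificate index, so %1_%3%4.crt becomes rootca_rootca-ca.crt.
$aiaUrls = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    "2:$CdpBase/%1_%3%4.crt"
) -join '\n'
certutil -setreg CA\CACertPublicationURLs $aiaUrls

# Step 5: tell the workgroup root CA which forest its CRL belongs to.
certutil -setreg CA\DSConfigDN $ConfigDN
certutil -setreg CA\DSDomainDN $DomainDN

# Registry changes take effect after a service restart; then issue a fresh CRL
# so the published CRL reflects the new CDP/AIA settings.
Restart-Service certsvc
certutil -crl

# Step 6: stage the CRL and CA certificate for transfer. The root has no
# network connection, so the files travel on removable media.
Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*.crl" $Media
Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*.crt" $Media

# ===== Part 2: on the domain-joined subordinate CA, same media inserted =====
# Step 6 continued: place the files where http://enterpriseca/certenroll serves them.
$WebRoot = 'C:\inetpub\wwwroot\certenroll\'           # placeholder web root
Copy-Item 'E:\*.crl' $WebRoot
Copy-Item 'E:\*.crt' $WebRoot

# Steps 5 and 7 without a GPO: publish the root certificate and CRL into AD.
# 'RootCA' selects the AD root CA containers; 'rootca' is the placeholder host
# name of the root, used as the CDP container name.
certutil -dspublish -f 'E:\rootca_rootca-ca.crt' RootCA
certutil -dspublish -f 'E:\rootca-ca.crl' rootca

# Check: build the chain and fetch every CDP/AIA URL embedded in the certificate.
# A failed fetch here means clients will not be able to check revocation later.
certutil -verify -urlfetch 'E:\rootca_rootca-ca.crt'
```

Run the final `certutil -verify -urlfetch` against a certificate issued by the subordinate as well once it is online; it is the quickest way to confirm that the HTTP distribution points resolve before the root is powered off in step 8.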

A good article I found, which details the installation of an offline root CA and subordinate CA step by step, is here.
