Creating an offline Root CA
You configure an offline root CA to protect the trust anchor of your certificate infrastructure: keeping the root powered off and off the network keeps its private key out of reach.
The root CA is self-signed and issues the certificates of the subordinate CAs, so if the root is compromised, every subordinate (and everything they have issued) is compromised too.
To create an offline root CA, follow the steps below. (They assume you have a DNS A record for enterpriseca pointing to the enterprise subordinate CA, which serves the CRL and CA certificate.)
- Install a standalone root CA on Windows Server 2008 on a server that is not a member of a domain.
- Set the default certificate request handling so that new requests are marked pending (each request must then be approved by an administrator).
- Configure the Certificate Revocation List (CRL) distribution points (CDP):
  - Remove the http://, ldap:// and file:// entries and uncheck "Publish Delta CRLs to this location".
  - Add an http distribution point of the form http://enterpriseca/certenroll/<CA Name>.crl (e.g. http://enterpriseca/certenroll/rootca-ca.crl) and check "Include in the CDP extension of issued certificates".
  - For the c:\windows\… distribution point, ensure that only "Publish CRLs to this location" is checked.
- Configure the Authority Information Access (AIA) distribution points:
  - Remove the http://, ldap:// and file:// entries.
  - Add an http distribution point of the form http://enterpriseca/certenroll/<hostname>_<CA Name>.crt (e.g. http://enterpriseca/certenroll/rootca_rootca-ca.crt).
- Publish the root CA CRL in Active Directory by setting the directory DNs on the root CA:
  - certutil -setreg ca\DSConfigDN "CN=Configuration,DC=Domain,DC=com"
  - certutil -setreg ca\DSDomainDN "DC=Domain,DC=com"
- Copy the CRL and the CA certificate from the root CA to the distribution points.
- Add the root CA certificate to the Trusted Root Certification Authorities store (using a GPO or manual installation).
- Turn off the root CA.
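The same CDP, AIA and directory settings, scripted with certutil as an added example (this is not from the original post; the CA name rootca-ca, host rootca, the enterpriseca URL and the Domain.com DNs come from the steps above, while the removable-media path E:\, the IIS web root and the subordinate CA certificate file name are assumptions):

```powershell
# --- On the standalone (offline) root CA, in an elevated PowerShell prompt ---
# Assumed names, matching the steps above: CA "rootca-ca" on host "rootca"; the
# enterprise subordinate CA's web server answers as http://enterpriseca.
# certutil publication flags: 1 = publish to this location, 2 = include in the
# CDP/AIA extension of issued certificates (64 = publish delta CRLs is left out).
# certutil tokens: %1 = server DNS name, %3 = CA name, %4 = certificate index,
# %8 = CRL name suffix, %9 = delta CRL suffix; "\n" separates list entries.
$local = "$env:windir\system32\CertSrv\CertEnroll"

# CDP: keep only the local path (publish) and the HTTP URL (written into issued certs).
certutil -setreg CA\CRLPublicationURLs "1:$local\%3%8%9.crl\n2:http://enterpriseca/certenroll/%3%8%9.crl"

# AIA: publish the CA certificate locally, reference it over HTTP in issued certs
# (%1_%3%4.crt expands to rootca_rootca-ca.crt for this CA).
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:http://enterpriseca/certenroll/%1_%3%4.crt"

# Forest and domain DNs, as in the steps above (placeholder domain Domain.com).
certutil -setreg CA\DSConfigDN 'CN=Configuration,DC=Domain,DC=com'
certutil -setreg CA\DSDomainDN  'DC=Domain,DC=com'

# Apply the registry changes, then issue a fresh CRL under the new settings.
Restart-Service CertSvc
certutil -crl

# Move the artifacts off the box on removable media (E:\ assumed) before shutting it down.
Copy-Item "$local\rootca_rootca-ca.crt", "$local\rootca-ca.crl" -Destination 'E:\'

# --- On the domain-joined subordinate CA (enterpriseca), as an Enterprise Admin ---
# Make the files reachable at the URLs baked into issued certificates (web root assumed) ...
Copy-Item 'E:\rootca_rootca-ca.crt', 'E:\rootca-ca.crl' -Destination 'C:\inetpub\wwwroot\certenroll\'
# ... and publish them to Active Directory: RootCA places the certificate in the AD
# Certification Authorities container (an alternative to the GPO/manual install step),
# the trailing "rootca" is the CDP container name, normally the root CA's machine name.
certutil -dspublish -f 'E:\rootca_rootca-ca.crt' RootCA
certutil -dspublish -f 'E:\rootca-ca.crl' rootca

# Check: build the chain for the subordinate CA's own certificate (file name assumed)
# and fetch every CDP/AIA URL it carries; any "Error retrieving URL" line means a
# distribution point is wrong and revocation checking will fail for issued certificates.
certutil -verify -urlfetch 'C:\inetpub\wwwroot\certenroll\enterpriseca_sub-ca.crt'
```

Run the first half before the root CA issues the subordinate CA certificate, since the CDP and AIA URLs are embedded in certificates at issue time.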
A good article I found, which details the installation of an offline root CA and subordinate CA step by step, is here.