Archived from groups: microsoft.public.win2000.security
That actually isn't a Microsoft guideline, that is a Cert Authority best
practice. Here is a paper from SANS that discusses root CAs.
http://www.sans.org/rr/papers/63/1322.pdf
Like I said in the previous post, if a compromise or loss of your root causing a
complete rebuild from scratch of your PKI environment is ACCEPTABLE to you,
you do not need a root CA.
If that is not acceptable, you need a root. The root will be offline and any
publishing of CRLs or certs from it will require the Nike Express (hands and
feet) for publishing. You will write the info to a CD or floppy or some other
transportable media and carry it to a device that is on the network.
If an intermediate is compromised, you can use the root to invalidate all certs
from it and still keep your PKI infrastructure up and running. If your root is
compromised you throw it all out and start over.
Note my experience is corporate experience. If your friend said what he said to
you in any of the companies I have been with they would have tossed him out the
door and wouldn't have taken the time to see if he landed.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
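The publishing loop Joe describes (sign a CRL on the offline root, carry it on removable media, publish it from a networked machine) and the "use the root to invalidate the intermediate" step, written up as an added PowerShell example. This is not code from the thread or from Microsoft; it wraps the built-in certutil.exe and assumes a current PowerShell (for Get-FileHash), removable media mounted as E:\ (placeholder), and that the operator supplies the subordinate CA certificate's serial number.

```powershell
# Added example, not from the original post. Helpers around certutil.exe for a
# two-tier PKI with an offline root. Placeholders: media drive E:\, and the
# subordinate's serial number, which the operator reads from the root CA's
# "Issued Certificates" view.

# --- Run on the offline root (powered on, never connected to the network) ---
function Publish-RootCrlToMedia {
    param(
        [string]$MediaRoot  = 'E:\',                                   # assumed media
        [string]$CertEnroll = "$env:windir\System32\CertSrv\CertEnroll" # default CA folder
    )
    # Ask the root CA service to sign a fresh CRL; certutil writes it to CertEnroll.
    certutil.exe -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

    # Copy the CRL and the root certificate onto the transport media.
    Get-ChildItem -Path $CertEnroll -Include '*.crl','*.crt' -Recurse |
        Copy-Item -Destination $MediaRoot -Force

    # Write a SHA-256 manifest so the networked side can detect tampering in transit.
    Get-ChildItem -Path $MediaRoot -Include '*.crl','*.crt' -Recurse |
        Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'Name'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path (Join-Path $MediaRoot 'manifest.csv') -NoTypeInformation
}

# Compromised intermediate: the root revokes the subordinate CA's certificate,
# then a new CRL goes out exactly as above. Every cert chained through that
# subordinate becomes invalid once clients fetch the new CRL.
function Revoke-SubordinateCa {
    param(
        [Parameter(Mandatory)] [string]$SerialNumber,
        [int]$Reason = 2   # certutil reason code 2 = CA compromise (RFC 5280 cACompromise)
    )
    certutil.exe -revoke $SerialNumber $Reason | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed with exit code $LASTEXITCODE" }
    Publish-RootCrlToMedia
}

# --- Run on a domain-joined machine as an Enterprise Admin ---
function Import-RootCrlFromMedia {
    param([string]$MediaRoot = 'E:\')

    # Check the manifest written on the offline side before publishing anything.
    Import-Csv (Join-Path $MediaRoot 'manifest.csv') | ForEach-Object {
        $file   = Join-Path $MediaRoot $_.Name
        $actual = (Get-FileHash -Algorithm SHA256 -Path $file).Hash
        if ($actual -ne $_.Hash) { throw "Hash mismatch for $file; refusing to publish" }
    }

    # Publish the root certificate and CRL into Active Directory so domain
    # members trust the root and see revocations without the root ever being online.
    Get-ChildItem -Path $MediaRoot -Filter '*.crt' | ForEach-Object {
        certutil.exe -dspublish -f $_.FullName RootCA | Out-Null
    }
    Get-ChildItem -Path $MediaRoot -Filter '*.crl' | ForEach-Object {
        certutil.exe -dspublish -f $_.FullName | Out-Null
    }
}

# Confirm from the networked side that a leaf certificate now fails revocation
# checking after the subordinate was revoked (certutil fetches the CRL from the
# CDP URLs in the chain).
function Test-LeafChain {
    param([Parameter(Mandatory)] [string]$CertPath)
    certutil.exe -verify -urlfetch $CertPath
}
```

Usage follows the sneakernet order: on the root, `Revoke-SubordinateCa -SerialNumber '<serial>'` (or just `Publish-RootCrlToMedia` for a routine CRL refresh), move the media, then on the networked machine `Import-RootCrlFromMedia` and `Test-LeafChain -CertPath .\user.cer` to see the chain now fail. The manifest check matters because the media is the only path between the air-gapped root and the domain, so it is also the place an attacker would substitute files.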
Harrison Midkiff wrote:
> Bob:
>
> I appreciate your reply to my post. I am in the process of reviewing the
> white papers. One question if I may...
>
> I need to deploy a CA server to enable me to do secure wireless with
> certificates. I know the best practice is to install an Enterprise Root CA
> and then an Enterprise Subordinate Root CA. Once the subordinate is online
> you remove the root CA and put it in a safe location. A friend of mine said
> that was just in a perfect Microsoft world and it was not necessary, so I
> could just do a single Enterprise Root CA.
>
> What are your thoughts on that?
>
> Harrison Midkiff
>
> "Bob Qin [MSFT]" <bobqin@online.microsoft.com> wrote in message
> news:VnmjENzYEHA.3316@cpmsftngxa06.phx.gbl...
>
>>Hi Harrison,
>>
>>If your domain is Windows 2000 AD, to set up a Windows Server 2003 CA, the
>>Active Directory schema must be upgraded to the Windows Server 2003 schema.
>>You cannot install a Windows Server 2003 CA into a Windows 2000-based schema.
>
>>The schema is updated to the Windows Server 2003 schema by running ADPREP
>>/Forestprep at a Windows 2000 domain controller with the Windows Server
>>2003 CD-ROM in the CD-ROM drive.
>>
>>I would like to recommend that you refer to the Windows Server 2003 help
>>files and the following two public whitepapers.
>>
>>http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp
>>
>>Best Practices:
>>http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp
>>
>>Have a nice day!
>>
>>Regards,
>>Bob Qin
>>Product Support Services
>>Microsoft Corporation
>>
>>Get Secure! - www.microsoft.com/security
>>
>>====================================================
>>When responding to posts, please "Reply to Group" via your newsreader so
>>that others may learn and benefit from your issue.
>>====================================================
>>This posting is provided "AS IS" with no warranties, and confers no rights.