Tuesday, January 29, 2008 3:19 AM
Anyone have a hint for me here. I Have an child domain deployed in a forest with an "empty root". I need to enable certificate services in a child domin and am trying to plan a heirarchy. I do see lots of documentation about doing an offline root,however I do not believe I will have that luxury. So in my heirarch does it matter if I put the enterprise root in my forest root and subordinate ca in the child domain?
Saturday, February 02, 2008 5:20 AM
The offline root recomendiation, aka a multi-tiered hiearchy, is a security recommendation to ensure that the certificate chain is not easily compromised. It should be noted that the CA structure and the domain structure are independent so as long as you set the correct permissions on the templates for enrollment you can place your Enterprise CA anywhere in the forest. I would recommend having an offline standalone CA and a subordinate Enterprise CA as your issuing CA. There are of course many things to consider when planing a PKI heirarchy and the following book is a good reference: http://www.microsoft.com/mspress/books/6745.aspx. I would also recommend reading the following papers as well:
Designing a Public Key Infrastructure:
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure: