Standalone Offline Root CA and Ent Subordinate CA


  • We have multiple AD Forests and wish to design a Centralized CA Infrastructure. The certificates will be issued to different types of resources in each of these AD Forests, e.g. Computers, Servers, Networking Devices, non-Windows devices etc.

    Will the below design work out for our scenario:

    In HO AD Forest - Build a Standalone Root CA (offline) & Enterprise Subordinate CA - Will handle issuing certs to the HO AD

    In the remaining AD Forests - Build an Enterprise Subordinate CA. Import the Offline Root CA from HO AD.

    If this is not a workable solution, kindly advise what best suits such an environment where there are multiple untrusted AD Forests which need to be managed from a centralized CA Infrastructure.

    Friday, October 25, 2013 7:59 AM


All replies

  • This is a workable solution. If your forests have two-way trusts with the HO forest, you may consider using cross-forest certificate enrollment, which allows you to place all CAs in a single forest.

    But in any case, you still place subordinate CAs in all forests and delegate management to the corresponding forest administrators.

    My weblog:
    PowerShell PKI Module:
    Check out new: PowerShell FCIV tool.

    Friday, October 25, 2013 11:13 AM
  • Can't I have one Standalone Offline Root Server and a couple of Standalone Subordinate CA Servers in the Head office, none of these CA Servers being domain joined, and still be able to issue certificates to servers, clients, devices regardless of the AD Forest/Domain they are part of? I am a novice to PKI, so bear with my ignorance here.
    Friday, October 25, 2013 2:13 PM
  • It is not a recommended practice, because you will lose many enterprise-level features, like certificate templates, direct enrollment from MMC, autoenrollment, enrollment web services (CEP/CES) and so on. Also you will have to manage authentication information when clients request certificates, and someone will have to approve all requests, because a Standalone CA requires manual approval for each request. A Standalone CA is best suited for CAs that do not issue certificates to end entities.

    Friday, October 25, 2013 5:35 PM
  • Thanks for your response.

    One of the challenges that we have is that we cannot establish AD Trusts between these AD Forests. We also have some systems in workgroups, and we have Linux, Unix, Network devices and appliances that need to be assigned a certificate; none of these systems belong to any AD Forest.

    I am completely new to ADCS, and am kinda lost here.

    Monday, October 28, 2013 11:09 AM
  • Then your solution is to build a common root CA (Standalone) and deploy subordinate CAs in each respective forest. Also, you may consider installing NDES (which is a Microsoft implementation of SCEP) in account forests. *nix and some network devices can utilize this protocol for certificate enrollment. Consult the appropriate OS and device documentation to determine whether they support SCEP.

    • Marked as answer by Geek74 Monday, October 28, 2013 5:50 PM
    Monday, October 28, 2013 11:32 AM
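The marked answer above recommends one common standalone root with an Enterprise Subordinate CA in each forest. The following PowerShell is an added example, not code from the thread, showing how the offline root is imported into a resource forest, how the subordinate is installed against that offline parent, and how the resulting chain is checked. File names, the CA common name and all paths are assumptions.

```powershell
# Added example, not code from the thread. Run on a domain-joined machine in each
# resource forest as a member of that forest's Enterprise Admins.
# Assumed (hypothetical) file names: the root certificate and base CRL were exported
# from the offline root and carried over on removable media.
$RootCert = 'C:\PKI\HO-RootCA.crt'
$RootCrl  = 'C:\PKI\HO-RootCA.crl'

# 1. Publish the offline root into this forest's Configuration partition.
#    'RootCA' places it in the Certification Authorities container, from which
#    every domain member pulls it into its Trusted Root store via Group Policy.
#    -f creates the container objects if they do not exist yet.
certutil -dspublish -f $RootCert RootCA

# 2. Publish the root's CRL to the forest as well, so LDAP-based CDP lookups work
#    here even though the root itself is never online in this forest.
certutil -dspublish -f $RootCrl

# 3. Refresh this machine's stores from AD now rather than at the next policy
#    interval, and confirm the root is present in the enterprise Root store.
certutil -pulse
certutil -store -enterprise Root | Select-String 'Subject:'

# 4. Install the Enterprise Subordinate CA role in this forest. With an offline
#    parent there is no -ParentCA: the request is written to a file, signed on
#    the offline root, and the returned certificate is installed afterwards.
#    CA name and request path are assumptions.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'Resource-Forest-Issuing-CA' `
    -OutputCertRequestFile 'C:\PKI\Resource-Forest-Issuing-CA.req' -Force

# 5. After the offline root has signed the request, install the issued
#    certificate and start the service. The certificate file name is an assumption.
certutil -installcert 'C:\PKI\Resource-Forest-Issuing-CA.crt'
Start-Service certsvc

# 6. Verify that the subordinate's chain builds back to the common root from this
#    forest, fetching AIA and CDP over the network exactly as domain clients will.
certutil -verify -urlfetch 'C:\PKI\Resource-Forest-Issuing-CA.crt'
```

Step 6 is the check worth keeping: if the root's AIA or CDP URL embedded in the subordinate's certificate is only reachable from the HO forest, `certutil -verify -urlfetch` reports the failing URL here, before any end-entity certificates are issued in the resource forest.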
  • I have run into a Certificate Revocation issue when testing this deployment in my lab. In my Management AD Forest, I have created an Offline Standalone CA and an Enterprise Subordinate CA. In this environment I have also created a Web Server where I am publishing the AIA and CRL info. I have issued a certificate to one of the domain clients and verified the revocation using (certutil -URL certificate_name) successfully.

    I have another Resource AD Forest, where I have installed another Enterprise Subordinate CA and a Web Server to publish CRL and AIA info. This Enterprise Subordinate CA from the Resource AD Forest gets its certificate from the Offline Standalone Root CA in the Management AD Forest. Now when I issue a certificate to a Domain Client in the Resource AD Forest and run a Verification test (certutil -URL Certificate_Name), all tests pass except for Certs from AIA, which fail revocation.

    My question here is, should we have only one Web Server where all AD Forests' Ent CAs publish the CRLs and AIA information, or can they be published on different Web Servers, each in their respective AD Forests?

    Kindly advise


    Monday, November 25, 2013 8:35 AM
  • If you wish to use a single web server for all CAs (make sure it is an NLB cluster), then configure each CA to publish CRLs somewhere locally. Then create a task in the Task Scheduler which will copy all required files to the web server over a protocol you want: WebDAV, HTTP, FTP, etc.

    • Marked as answer by Geek74 Thursday, December 19, 2013 6:24 AM
    Monday, November 25, 2013 9:14 AM
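The reply above describes the pattern in words: each CA writes its CRL and certificate locally, and a scheduled task copies the files to the shared web server. The PowerShell below is an added example, not code from the thread, that configures a subordinate CA's CDP and AIA that way, registers the copy task, and then runs the same kind of chain check the earlier post was doing with certutil -URL. The web server name, the SMB share used for the copy, the HTTP base URL and the test certificate path are all assumptions; the reply lists WebDAV, HTTP and FTP as equally valid transports.

```powershell
# Added example, not code from the thread. Run elevated on each Enterprise
# Subordinate CA. Hostnames, share names and paths are assumptions.
$LocalDir = 'C:\Windows\System32\CertSrv\CertEnroll'   # where the CA writes CRL/cert files
$HttpBase = 'http://pki.example.com/CertEnroll'        # URL issued certificates will advertise
$Share    = '\\pki-web.example.com\CertEnroll'         # web server document root, via SMB (assumed)

# 1. CDP: publish base and delta CRL locally (flags 1 + 64 = 65) and stamp the HTTP
#    URL into issued certificates (2) and the freshest-CRL extension (4) = 6.
#    "\n" is the literal separator certutil expects between URLs;
#    %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix.
certutil -setreg CA\CRLPublicationURLs "65:$LocalDir\%3%8%9.crl\n6:$HttpBase/%3%8%9.crl"

# 2. AIA: write the CA certificate locally (1) and advertise the HTTP copy in the
#    AIA extension of issued certificates (2). %1 = server DNS name, %4 = cert index.
certutil -setreg CA\CACertPublicationURLs "1:$LocalDir\%1_%3%4.crt\n2:$HttpBase/%1_%3%4.crt"

# 3. Restart the CA and publish a new CRL so the files exist in $LocalDir.
Restart-Service certsvc
certutil -crl

# 4. Scheduled task: copy *.crl and *.crt to the web server. The interval must be
#    well inside the CRL validity period (daily is assumed here). Runs as SYSTEM,
#    so the CA's computer account needs write access to the share.
$copyCmd = "Copy-Item -Path '$LocalDir\*.crl','$LocalDir\*.crt' -Destination '$Share' -Force"
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -NonInteractive -Command `"$copyCmd`""
$trigger = New-ScheduledTaskTrigger -Daily -At '01:00'
Register-ScheduledTask -TaskName 'Publish CRL and AIA to web server' `
    -Action $action -Trigger $trigger -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest
Start-ScheduledTask -TaskName 'Publish CRL and AIA to web server'

# 5. Check from a client in this forest: the test leaf certificate (assumed path)
#    must chain to the root, and every AIA and CDP URL in the chain must fetch.
#    -urlfetch prints each URL together with its fetch and revocation status.
certutil -verify -urlfetch 'C:\PKI\test-leaf.cer'
```

Two points follow from the setup. First, the offline root's own CRL is not produced by any of these tasks, so it has to be copied to the same web location whenever the root publishes a new one; a chain check in a resource forest fails on the root's CDP otherwise. Second, `certutil -verify -urlfetch` names the exact URL that could not be retrieved, which is the quickest way to tell whether the AIA failure reported earlier in the thread is a file missing on the web server or a URL that is simply not reachable from that forest.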
  • I have a similar situation. We have 2 forests (A and B) without any trust, and there is no intention to establish trust. Each forest has its own PKI hierarchy with an enterprise root CA and SubCAs. The requirement is for forest A users to enroll for certificates from Forest B, as they need to access certain resources in Forest B.

    1. Is deploying another enterprise sub-CA in forest A that chains to the enterprise Root CA in Forest B a workable solution?

    2. If we use CEP/CES, what is the preferred authentication method? Username/password? Which username/password is this? If we use certificate-based authentication, how do we get this certificate? I am confused by the configuration options for CEP/CES.

    Pardon my ignorance on the subject, and I appreciate your help!

    Tuesday, July 26, 2016 1:31 PM
  • Answered in the other thread.

    Please limit questions to a single thread.

    Tuesday, July 26, 2016 5:12 PM