Changing an online root CA with online sub CA to offline root CA

  • Question

  • Hi There,

    We currently have a two-tier PKI (online root and online sub issuing server).

    I'm wondering how to get this so the root is offline, as it should be.

    We only issue some certs for RDP server (not sure why we have it, really...). This is more for my understanding.

    CDP and AIA are default settings/locations.

    Do I need to renew the root cert, change the AIA and CDP to, say, a separate web server and then install the cert on the sub CA?

    It's the AIA and CDP stuff that's throwing me... can the root just look at its default location? e.g. \\server\certenroll?

    Is it then the sub I need to change the AIA and CDP to the web server on? (What happens then if I leave the default entries for LDAP etc.? Or is it okay because they would exist in both locations (web and local file directory)?)

    So really, what needs to be set in the AIA and CDP values, and where would they be stored if I was going to use a separate web server?

    Does this action need to be done on the root and the sub, or just one or the other? (As the sub won't be able to see the root, I guess it's the sub?) Would I just be copying the root's CRL file and cert to a location on this web server specified in the AIA/CDP settings on the root server? (Or does the sub CA just look to AD if you publish the CRL and cert from the root CA there? Then would the default/existing settings for the sub be okay as it's an online enterprise sub?)

    Is it something like: clients look at AIA/CDP on the sub server > sub server looks at AIA/CDP on the root for its sub cert (published in AD?)

    I'm confused ._.


    Even then, getting that all sorted, what about existing certs? As the AIA and CDP locations will have changed on the sub CA, I guess they will stop working? How would I get round that? Do I need to re-issue new ones and let the others expire?

    I might be over-complicating this, but I can't seem to find information on how it all fits together in this circumstance. Most seem to be setting up a new CA or migrating rather than taking an online one offline.

    Sorry if this is unclear and I am rambling a bit... I have a general understanding, but as you can see there are gaps ._.

    Thursday, 9 July 2020 00:08
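The CDP/AIA mechanics the question is asking about, as an added example that is not part of the original thread or of Microsoft's guide: the certutil settings that make a root CA publish its CRL and certificate to locations that stay reachable once the root is powered off, followed by the AD publication and a chain check from the sub CA. The host names, paths, CA name, share and CRL lifetime are constructed placeholders.

```powershell
# Run elevated on the root CA while it is still online and domain-joined.
# Host names, paths, the CA name and the CRL lifetime are constructed
# placeholders, not values from the thread.
$web   = "http://pki.example.com/pki"              # web server the offline root publishes to
$local = "C:\Windows\System32\CertSrv\CertEnroll"  # the CA's own publication folder

# CDP flags: 1 = write the CRL to this location, 2 = put the URL in issued
# certs' CDP extension, 8 = where in AD to publish on a manual dspublish.
# Nothing here points at the root host, which will be unreachable.
certutil -setreg CA\CRLPublicationURLs ("1:$local\%3%8%9.crl\n" +
    "2:$web/%3%8%9.crl\n" +
    "10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10")

# AIA flags: 1 = write the CA cert here, 2 = put the URL in the AIA extension.
certutil -setreg CA\CACertPublicationURLs ("1:$local\%1_%3%4.crt\n" +
    "2:$web/%1_%3%4.crt\n" +
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11")

# An offline root cannot publish delta CRLs, so disable them and give the base
# CRL a lifetime matching how often the root will be powered on to re-sign it.
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
# If the root is later moved out of the domain, %6 stops resolving; pin it:
# certutil -setreg CA\DSConfigDN "CN=Configuration,DC=example,DC=com"

Restart-Service certsvc
certutil -crl                                   # issue a CRL under the new settings

# Publish into AD (Enterprise Admin rights) so the LDAP URLs resolve, and copy
# the same files to the folder the web server serves as /pki.
$caCert = Get-ChildItem "$local\*.crt" | Sort-Object LastWriteTime | Select-Object -Last 1
$caCrl  = Get-ChildItem "$local\*.crl" | Sort-Object LastWriteTime | Select-Object -Last 1
certutil -dspublish -f $caCert.FullName RootCA
certutil -dspublish -f $caCrl.FullName
Copy-Item $caCert.FullName, $caCrl.FullName -Destination '\\pkiweb.example.com\pki$'

# URLs are fixed into a certificate at issuance. The sub CA's current cert keeps
# the old ones (LDAP plus HTTP on the root host), so it stays checkable only via
# LDAP; renew it from the root before powering the root off. Leaf certs carry
# the sub CA's own URLs and are unaffected because the sub stays online.
# Check the chain from the sub CA with the root turned off:
certutil -verify -urlfetch "C:\SubCA\subca.example.com_Example Issuing CA.crt"
```

Repeat the `certutil -crl`, `-dspublish` and copy steps each time the root is powered on before the published CRL expires; an expired root CRL breaks revocation checking for the whole chain.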

All Replies

  • Hello,
    Thank you for posting in our TechNet forum.

    The standalone offline root CA should not be installed in the domain. As a matter of fact, it should not even be connected to a network at all.
    So your root CA is in the domain and online, is that right? 

    We have not done such a test; you can try to change an online root CA with online sub CA to an offline root CA in a test lab. If it is OK, then do it in your production environment.

    But I think if your existing certificates are not too many, you can re-set up a new two-tier CA with an offline root CA and an online sub CA.

    AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
    https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, 9 July 2020 09:53
    Moderator
  • Hi
    How are things going on your end? Please keep me posted on this issue. 
    If you have any further questions or concerns about this question, please let us know.
    I appreciate your time and efforts.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, 13 July 2020 03:42
    Moderator
  • Hi There,

    Thanks for the response.

    I think I'll try to set up a lab for testing.

    I may end up building a new setup for our particular instance. I was just wondering if anyone had tried to make an online root CA offline and wondered what the direct impact would be.

    Cheers

    Tuesday, 14 July 2020 16:10
  • Hi,

    We can wait for someone who has tried to make an online root CA offline to reply to you.

    And after your test of making an online root CA offline, you are welcome to update here so that it may help others.

    Thank you for your time and effort in advance.


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, 16 July 2020 08:10
    Moderator