
I am setting up a PKI which will initially be used internally. As we may grow our use of this I have opted for a three-tier hierarchy - Offline Root and Policy CAs (one Policy CA at the moment for internal use), and online Issuing CAs. We had initially discussed using our Domain Controllers as the Issuing CAs rather than setting up dedicated ones.

I am now starting to have doubts about whether it is a good idea to have our DCs do certificate issuing. We have less than 1000 users, so our DCs aren't hugely taxed.

Does anyone have any suggestions for or against doing this?

We are currently running Windows 2003 Active Directory, but will be upgrading to Windows 2008 in the coming year. I'm setting up a Windows 2008 PKI.


1 Answer

A bit late but anyway. It's generally not recommended to deploy the CA role on a DC. It makes it hard to upgrade AD, as you have to in-place upgrade the DC for newer OS releases. This is awkward if moving from a 32-bit OS based DC to 64-bit OSes like Windows Server 2008 R2. Additionally, as the preference is to promote clean-built new DCs as opposed to in-place upgrades, when it comes to demoting the old DC/CA combo it makes it awkward.

Another good reason not to combine the DC and CA roles is that it is difficult/impossible to implement effective role-based separation for your CA on a DC. There are likely far more people that need admin access to the DC for support than you want to have access to your CA. – Ryan Fisher Oct 26 '11 at 14:59
PKI issuing on a domain controller is considered weak security - a violation of least privilege / a violation of role separation. A CA, and a sub-CA, is somewhat equivalent to the keys to the kingdom, so it should be better protected. An offline root is a good start. Some PKIs require VPN-ins for issuances. SCEP-based enrollment PKIs may have more than one CA - one for SCEP with short-duration certs, and another CA specific to long-lifespan trust relationship certs. – Brennan Apr 04 '12 at 22:43
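As an added example (not code from the thread or its posters), a PowerShell audit that flags the DC/CA co-location and missing CA role separation the comments above warn about. It assumes it is run locally on each Windows server with the AD CS tools present; the DomainRole value from Win32_ComputerSystem, the CertSvc service name and certutil's RoleSeparationEnabled registry value are real, but the function name and output fields are this example's own.

```powershell
# Added audit example, not from the thread. Run on each server to be checked.
function Get-DcCaColocation {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    $isDc = ($role -eq 4 -or $role -eq 5)

    # AD CS runs as the CertSvc service; its presence means the CA role is installed
    $certSvc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
    $isCa = ($certSvc -ne $null)

    # RoleSeparationEnabled = 1 blocks any account that holds more than one CA
    # role (CA admin, certificate manager, auditor, backup operator) from all of
    # them. certutil returns a non-zero exit code when the value was never set.
    $roleSep = 'n/a'
    if ($isCa) {
        $out = & certutil -getreg CA\RoleSeparationEnabled 2>&1
        if ($LASTEXITCODE -eq 0 -and ($out -match 'REG_DWORD\s*=\s*1')) {
            $roleSep = 'enabled'
        } else {
            $roleSep = 'disabled'
        }
    }

    # Summarise the least-privilege finding for this host
    if ($isDc -and $isCa) {
        $finding = 'CA role co-located with a DC: every DC admin can reach the CA'
    } elseif ($isCa -and $roleSep -ne 'enabled') {
        $finding = 'CA on member server but role separation is not enforced'
    } elseif ($isCa) {
        $finding = 'CA on member server with role separation enforced'
    } else {
        $finding = 'no CA role installed'
    }

    New-Object PSObject -Property @{
        Computer               = $env:COMPUTERNAME
        IsDomainController     = $isDc
        IsCertificateAuthority = $isCa
        CaRoleSeparation       = $roleSep
        Finding                = $finding
    }
}

# Example usage: Get-DcCaColocation | Format-List
```

Run it on each server that hosts AD DS or AD CS and collect the objects; any host reporting both roles is a candidate for moving the CA to a dedicated member server before the DC is next demoted or upgraded.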