I'm trying to set up a two-tier PKI and I have a ton of questions. Since there's the tombstone limit for the AD, I'm assuming that the root (which will be offline) shouldn't be part of the AD. Am I correct?

The setup I was considering was one Root CA and multiple intermediates (for different purposes). So, the root could be a standalone windows standard or Linux + OpenSSL (don't know if this is possible/advisable). One of the intermediate CAs is to be part of the AD (auto-enrollment and such).

So, my questions are:

Can the root be standalone (not part of the AD)? Will this cause any problems with the certificate chain or such?

Can the root be Linux + OpenSSL? Will this be harder to manage?

Or is there a workaround for the tombstone limit?

Thanks.

See http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx and http://pki-tutorial.readthedocs.org/en/latest/advanced/index.html for references.

rebasing

2 Answers

I'm trying to set up a two-tier PKI and I have a ton of questions. Since there's the tombstone limit for the AD, I'm assuming that the root (which will be offline) shouldn't be part of the AD. Am I correct?

Correct. Your offline root CA will be a workgroup computer. You will only turn it on for the purposes of renewing the issuing CA certificates and publishing CRLs. You typically will distribute the root's public key/cert to all of the clients by way of GPO.

The setup I was considering was one Root CA and multiple intermediates (for different purposes). So, the root could be a standalone windows standard or Linux + OpenSSL (don't know if this is possible/advisable). One of the intermediate CAs is to be part of the AD (auto-enrollment and such).

I would not try to mix and match Windows and Linux in a single PKI. There's no benefit to be gained from doing so, and you just make management of the PKI more complex.

Ryan Ries
  • I'd be interested to hear your thoughts re: a single PKI for multiple operating systems being more complex. Having a single root of trust seems like it would be simpler to deploy than multiple. – Evan Anderson May 02 '13 at 15:35
  • I wasn't advocating having different root CAs for clients with different OSes on them - I was saying that having a root CA with one OS and an intermediate CA with a different OS adds complexity without much benefit. – Ryan Ries May 02 '13 at 15:37
  • You can still have a single root of trust... the certificates are standard. I just don't know what the overhead would be. – rebasing May 02 '13 at 15:38
  • @RyanRies - I see what you're saying. I don't see any particular value coming from mixing an OpenSSL-based CA root with Microsoft intermediates, personally. – Evan Anderson May 02 '13 at 15:40
  • Licencing and mixed environment ecosystems, mostly, but I wasn't sure if it'd be worth the hassle. – rebasing May 02 '13 at 15:42

Microsoft specifies that the offline root CA machine should not be a member of a domain, so it's not going to cause you any problems, and it makes the whole issue of AD tombstone lifetime issues moot. To wit:

Set up a server that runs Windows that you will use for the root certification authority. The server should not be a member of any domain, should be disconnected from the network, and should be physically secure.

I haven't attempted extensive interoperability testing with OpenSSL and the Windows CA but, in principle, it should work fine; it's all standards-based PKI. Certainly, I've signed certs for Windows servers using OpenSSL many, many times w/ no ill effects. As long as you're comfortable using the OpenSSL tools to issue the certs for your second tier CAs it won't cause you any specific management issues.

I see no particular value from deploying the root CA using one set of tools and the intermediate(s) on another. You certainly can, but I don't see how that "buys" you anything.

Evan Anderson
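As an added example (not code from either answer or from the asker), this is the Linux + OpenSSL offline root the thread discusses signing a subordinate CA's request with CA-grade extensions and a path length of 0, then checking the resulting chain the way a client holding only the GPO-distributed root cert would. All names, lifetimes, key sizes and the temp directory are assumptions.

```shell
# Added example, not code from the thread: a Linux + OpenSSL offline root signs a
# subordinate (issuing) CA request, then the chain is verified. Names, lifetimes
# and key sizes are assumptions; everything lands in a throwaway temp directory.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CNF="$WORKDIR/pki.cnf"
# Self-contained config, so the system openssl.cnf cannot leak extensions in.
write_config() {
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = root_ca
[ dn ]
[ root_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ issuing_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}
# Root CA: self-signed, long-lived, key usage limited to signing certs and CRLs.
make_root() {
  openssl req -x509 -config "$CNF" -subj "/CN=Example Offline Root CA" -days 3650 \
    -newkey rsa:3072 -nodes -sha256 -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.crt" 2>/dev/null
}
# The issuing CA makes its own key and CSR; only the CSR is carried to the root.
make_issuing_csr() {
  openssl req -new -config "$CNF" -subj "/CN=Example Issuing CA 01" -newkey rsa:3072 \
    -nodes -sha256 -keyout "$WORKDIR/issuing.key" -out "$WORKDIR/issuing.csr" 2>/dev/null
}
# Root imposes its own extension set; pathlen:0 stops the issuing CA from minting CAs.
sign_issuing() {
  openssl x509 -req -sha256 -days 1825 -in "$WORKDIR/issuing.csr" \
    -CA "$WORKDIR/root.crt" -CAkey "$WORKDIR/root.key" -CAcreateserial \
    -extfile "$CNF" -extensions issuing_ca -out "$WORKDIR/issuing.crt" 2>/dev/null
}
# What a client holding only the GPO-distributed root cert can check; prints ok/fail.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/root.crt" "$WORKDIR/issuing.crt" >/dev/null 2>&1 \
    && echo ok || echo fail
}
# Number of "CA:TRUE, pathlen:0" lines in the issued cert (expect exactly 1).
issuing_pathlen0_count() {
  openssl x509 -in "$WORKDIR/issuing.crt" -noout -text | grep -c 'CA:TRUE, pathlen:0'
}
write_config && make_root && make_issuing_csr && sign_issuing && verify_chain
```

On a real Windows issuing CA the CSR comes out of the Certification Authority setup wizard and the signed certificate goes back in through certutil -installCert; the OpenSSL root side stays as above.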