Stand-alone Root Certificate Authority (CA)

The Root Certificate Authority (CA) is the top of a Public Key Infrastructure (PKI) hierarchy. It is the first CA that is installed, and every certificate in the PKI is ultimately validated by chaining back to the Root CA's certificate.

The Root CA is the only CA whose certificate is issued by itself: its certificate is self-signed. Every other CA in the hierarchy has its certificate issued by the CA above it. The Root CA's certificate is therefore the trust anchor; clients cannot verify it through a chain and must obtain it out of band (for example through Group Policy or a trusted root store).

Subordinate CAs must be authorized by the Root CA: the Root CA issues the certificates of the Subordinate CAs, and the Subordinate CAs in turn issue certificates to users, computers, services and so on.

In a secure CA hierarchy the Root CA should be a stand-alone Root CA that is kept offline, that is, with no network connection at all. Compromise of the Root CA's private key would compromise the whole PKI, because every certificate chains to it and nothing above a root can revoke it; keeping the root offline removes the network as an attack path to that key. The offline root is powered on only to issue (or renew) the certificates of its subordinate CAs and to sign a new CRL before the current one expires, so its CRL validity period should be long enough to match how rarely it is brought online.

The Root CA is installed as a Stand-alone CA rather than an Enterprise CA because an Enterprise CA must be a member of an Active Directory domain and must stay connected to it, while the Root CA must stay offline and must not belong to any domain. If the Root CA were a domain member server, its computer account and secure channel with the domain could not be maintained while it is off the network, and it may lose its trust relationship with the domain. The offline Root CA also cannot be a domain controller, because a domain controller cannot be kept off the network indefinitely.

The prerequisites for installing a stand-alone offline Root CA are listed below.

• The stand-alone offline Root CA must not be a member of any domain and must not be a domain controller.

• The computer name of the stand-alone offline Root CA must be unique across the entire forest, since its certificate and CRL will later be published into Active Directory.

• A certificate revocation list (CRL) must be published, and the CRL distribution point (CDP) must be a location that users and computers on the network can reach (the offline root itself is unreachable). The CDP URL must be included in the certificates the Root CA issues, and the CRL must be re-signed and re-published before it expires; otherwise revocation checking of every subordinate CA certificate, and so of every certificate below it, fails.

• The Authority Information Access (AIA) location, from which the Root CA's certificate can be downloaded, must be configured so that clients and other CAs can build and verify the CA chain.

• A web server (typically IIS) must host the CRL and the Root CA certificate at the CDP and AIA URLs. Because the Root CA is offline, this web server is an online machine, commonly the subordinate issuing CA or a dedicated PKI web server, and the files are carried to it from the Root CA on removable media; IIS is not needed on the offline root itself.
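The following PowerShell script is an added example, not code from the original page, showing how the prerequisites above are met when the role is installed on Windows Server with AD CS. It checks that the host is a workgroup machine, writes a CAPolicy.inf so the root's own certificate carries no CDP/AIA, installs a stand-alone root, and replaces the default CDP/AIA entries with HTTP URLs on an online web server. The CA name, the host pki.example.com, the key size and the CRL periods are assumptions; replace them with your own values.

```powershell
# Added example (not from the original page). Assumes Windows Server 2012 R2 or later
# and the ADCSDeployment/ADCSAdministration modules that ship with the AD CS role.
# Run in an elevated PowerShell session on the machine that will become the root.
# CA name, URLs, key size and CRL periods are assumptions; change them to suit.
$CaName  = 'Example Offline Root CA'             # assumed
$CdpHost = 'http://pki.example.com/CertEnroll'   # assumed ONLINE web server, not this host

# --- Prerequisite check: the root must be a workgroup server, never a domain member or DC.
#     DomainRole 4 = backup DC, 5 = primary DC.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain -or $cs.DomainRole -ge 4) {
    throw 'This host is domain-joined or a domain controller; an offline root CA must be a workgroup server.'
}

# --- CAPolicy.inf must exist in %windir% BEFORE the role is installed. Empty=True removes
#     the CDP/AIA extensions from the root's self-signed certificate (a root has no issuer
#     to ask about revocation); the rest sets long-lived key and CRL parameters for renewals.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@ | Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding ASCII

# --- Install the role as a STANDALONE root. EnterpriseRootCA would require AD DS
#     membership, which an offline root must never have.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -Force

# --- Replace the default CDP/AIA entries (which point at this unreachable host) with a
#     local publish path plus the HTTP URLs that go into every subordinate CA certificate.
Get-CACrlDistributionPoint | Remove-CACrlDistributionPoint -Force
Add-CACrlDistributionPoint -Uri "$env:windir\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix>.crl" -PublishToServer -Force
Add-CACrlDistributionPoint -Uri "$CdpHost/<CaName><CRLNameSuffix>.crl" -AddToCertificateCdp -Force

Get-CAAuthorityInformationAccess | Remove-CAAuthorityInformationAccess -Force
Add-CAAuthorityInformationAccess -Uri "$CdpHost/<ServerDNSName>_<CaName><CertificateName>.crt" -AddToCertificateAia -Force

# --- CRL lifetime for the running service (CAPolicy.inf only governs renewals).
#     A root that is powered on rarely needs a long base CRL and no delta CRL.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service certsvc
certutil -crl      # sign and publish the first CRL into CertEnroll

# --- Verify the publication settings and locate the files to carry to the web server.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll"
```

Copy the .crt and .crl from CertEnroll to the online web server so that they are served at the CDP and AIA URLs, then, from a domain-joined administrative workstation, run `certutil -dspublish -f <root>.crt RootCA` and `certutil -dspublish -f <root>.crl` to publish them into Active Directory so domain members trust the root. After the first subordinate CA certificate is issued, `certutil -verify -urlfetch <subca>.crt` on a networked machine confirms that the chain builds and the CRL is fetched from the configured URL. Bring the root back online (off the network, on the console) to re-run `certutil -crl` before each CRL expires.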

Jajish Thomason