Offline Root CA

In this post, I will be talking about installing an offline root CA on Server 2003, to help distribute digital certificates in a secure and managed manner.

PKI, or Public Key Infrastructure, is the set of policies and procedures used to create, manage, store, use, and revoke digital certificates and to manage encryption keys. The fundamental elements in PKI are the public keys and the private keys, and the management of trust between the entities that consume digital certificates.

Microsoft has a server role for certificate services, and it offers the ability to deploy different CA roles out of the box. One of the recommendations when deploying PKI is to deploy an offline root CA. This CA is not connected to the network, is not joined to any domain, and is kept powered off.

The whole purpose of the offline root CA is to issue digital certificates to the other CA servers in the hierarchy, and to maintain a CRL, or Certificate Revocation List. From time to time, the security administrator brings this server online, either when a new CA is to be deployed in the hierarchy or to issue a new CRL when the old one is about to expire.

Installing Offline Root CA on Server 2003

I wrote a guide that will help you in installing an offline root CA on Server 2003. The guide explains how to write the CAPolicy.inf file and how to do the actual installation of the offline root CA.

Furthermore, the guide goes over all the post-installation steps, such as how to verify the installation, how to map the Active Directory namespace, and how to configure the Certificate Revocation List Distribution Point (CDP) and Authority Information Access (AIA) entries.

Moreover, the guide includes some help on how to publish new CRLs and how to set the validity periods of issued digital certificates. It also includes some tips on how to perform object access auditing and, finally, how to publish the CA certificate and CRLs in Active Directory.
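As an added example, not taken from the guide itself, the following batch file shows the post-installation settings the guide covers (AD namespace mapping, CDP/AIA entries, validity and CRL periods, object access auditing, CRL publication) applied with certutil on a stand-alone root CA. The host name pki.example.com and the distinguished names are placeholders; the doubled percent signs are batch-file escaping and would be single when typed at a prompt.

```batch
@echo off
rem Added example, not the guide's own script. Run on the offline root CA as a local administrator.
rem Placeholders: pki.example.com (HTTP CDP/AIA host) and DC=example,DC=com (forest root).

rem Map the AD namespace: the root is not domain-joined, so tell it which configuration
rem container the %%6 token should expand to in the LDAP CDP/AIA URLs below.
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=example,DC=com"

rem CDP entries. Prefix flags: 1 = publish CRL to this location,
rem 2 = include in the CDP extension of issued certificates, 8 = include in the CRL's IDP extension.
rem \n separates entries of the multi-string value.
certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.example.com/CertEnroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

rem AIA entries. Prefix flags: 1 = publish CA certificate here, 2 = include in the AIA extension of issued certificates.
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.example.com/CertEnroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

rem Validity period of certificates this root issues (its subordinate CA certificates).
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

rem CRL lifetime for an offline root: long base CRL, no delta CRLs (the server is rarely online).
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

rem Object access auditing: 127 enables all CA audit categories. Events only appear in the
rem Security log once "Audit object access" is enabled in the local security policy.
certutil -setreg CA\AuditFilter 127

rem Restart the service so the registry changes take effect, then publish a fresh CRL.
net stop certsvc
net start certsvc
certutil -crl

rem Verify what was written.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

rem The LDAP locations cannot be written from the offline root itself. Copy the .crt and .crl
rem from %windir%\system32\CertSrv\CertEnroll to a domain-joined machine and, as an
rem Enterprise Admin, publish them to Active Directory with:
rem   certutil -dspublish -f <RootCA>.crt RootCA
rem   certutil -dspublish -f <RootCA>.crl
```

After publishing to AD, domain members receive the root certificate and CRL through autoenrollment policy, so the HTTP location only needs to be reachable by clients that are not domain-joined.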