Install an Offline Root CA

An offline root CA should be used to anchor the hierarchy. The offline root CA is easier to protect because it can be locked in a vault or another secure area, and it needs no connection to the network. It can be restricted to issuing subordinate CA certificates, a process that can easily be done manually. Little maintenance is required, and you can limit the number of people who have contact with it.

The offline root CA, however, must be carefully prepared and installed, or additional CAs and the PKI may not function correctly. To correctly install a root CA, prepare the server and then perform the CA installation offline.

Server Preparation

The server should be prepared before installing certificate services. ...

Get Windows Server 2003 Security: A Technical Reference now with the O’Reilly learning platform.
