Using Offline CAs
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Securing your CA hierarchy is a critical task. If an intruder can gain access to a CA, either physically or by means of the network, he or she might retrieve the private key of the CA and then impersonate the CA to gain access to valuable network resources. The compromise of even one CA key invalidates the security protection that it and any CAs below it in the hierarchy provide. For this reason, it is important to avoid connecting root CAs to the network.
To ensure the reliability of your CA infrastructure, specify that any non-issuing root and intermediate CAs must be offline. This minimizes the risk of the CA private keys becoming compromised. You can take a CA offline in any of the following ways:
By installing a CA on a stand-alone Windows 2000 or Windows Server 2003 server and configuring it as a stand-alone CA.
By physically removing the computer from the network.
By shutting down the CA service.
By shutting down the computer.
Shutting down a CA computer prevents auditing from taking place. Therefore, a compromise or a hardware failure of a shut-down CA computer does not generate an audit notification.
Make sure that you keep CAs in a secure area with limited access.
Installing an offline CA on a server that is a member of a domain can cause problems with a secure channel when you bring the CA back online after a long offline period. This is because the computer account password changes every 30 days. You can get around this by making offline CA computers members of a workgroup. Installing an offline CA as an enterprise CA can cause Active Directory to have problems updating when you disconnect the server from the network. Therefore, do not use an enterprise CA as a root CA.
Because they can operate offline, it is a good idea to use stand-alone CAs for root and intermediate CAs.
When a CA is supposed to be an offline CA, you can still publish its certificate and CRL in Active Directory. You must be sure to bring an offline CA online at regular intervals, based on your CRL publication schedule, to generate a new CRL for the CA. You must also bring the CA online to process certificate requests for subordinate CA certificates.
In general, the CRL and Authority Information Access (AIA) paths of an offline CA have to be modified before the first certificate is issued because the CRL and AIA paths, by default, point to the local http server and the local file system. Because the CA is offline and not accessible to other members of a network, the functionality of the CA must be separated from CRL and AIA distribution.
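The following is an added example, not from the original article, of how the CRL and AIA paths on an offline root CA can be replaced before the first subordinate CA certificate is issued. It uses the certutil -setreg syntax and %-tokens documented for Windows Server 2003; the HTTP host pki.example.com, the forest naming context DC=example,DC=com and the 26-week CRL period are placeholders you would substitute.

```powershell
# Added example (not from the original article). Run in an elevated prompt on the
# offline root CA before it issues its first certificate.
# Assumptions (placeholders): HTTP CDP/AIA host pki.example.com, forest configuration
# naming context DC=example,DC=com, 26-week base CRL period.
#
# certutil URL flags: 1 = CA publishes to this location, 2 = include in the CDP/AIA
# extension of issued certificates, 8 = include in the CRL's own CDP extension.
# Tokens: %1 server DNS name, %2 server short name, %3 sanitized CA name,
#         %4 cert renewal suffix, %7 truncated CA name, %8 CRL name suffix,
#         %9 delta-CRL suffix, %10/%11 the LDAP query suffixes for CRLs/CA certs.
# %WINDIR% is left for the CA service to expand at publication time.

# CRL distribution points: keep the local file path only for publishing (flag 1),
# and advertise only locations clients can reach while the root stays offline.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/CertEnroll/%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com%10"

# AIA: same idea for the CA certificate; the LDAP entry is filled later with
# certutil -dspublish from a domain-joined machine, so it carries flag 2 only.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com%11"

# Publication schedule that matches how often the root will be brought online.
# Delta CRLs are disabled because an offline CA cannot publish them frequently.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
# Overlap gives a grace window in which the old CRL is still valid after the new
# one is due, covering a late maintenance window.
certutil -setreg CA\CRLOverlapPeriodUnits 4
certutil -setreg CA\CRLOverlapPeriod "Weeks"

# Restart the service so the new registry values take effect, then issue a CRL
# that already carries the corrected CDP extension and review what was set.
net stop certsvc
net start certsvc
certutil -crl
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

The local file-system entries are deliberately kept for publishing only, so that the CRL and certificate files still land in the CertEnroll folder where they can be collected and moved to the HTTP and Active Directory locations that clients actually use.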
Because offline CAs process a small number of certificate requests at infrequent intervals, the administrative costs of maintaining offline CAs are low.
The client-side certificate validation process is not affected when a CA is offline because the client verifies the validity of the certificate by checking the certificate chain and the CRL. You cannot store both sources on the offline CA because clients need access to the CRL and AIA paths that are part of the certificate.
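As an added example of the periodic publication cycle described above (bringing the offline root online to produce a new CRL, publishing its certificate and CRL to Active Directory and the HTTP location, and then confirming from a domain-joined machine that clients can validate the chain), the commands below are not from the original article. Assumed placeholders: the offline root is named "Example Root CA" on the workgroup computer OFFLINEROOT, E:\ is removable media carried between the machines, \\pki.example.com\CertEnroll is the HTTP share, and C:\SubCA.crt is the subordinate CA's certificate.

```powershell
# Added example (not from the original article). Placeholders: CA "Example Root CA"
# on computer OFFLINEROOT, removable drive E:\, HTTP share \\pki.example.com\CertEnroll,
# subordinate CA certificate C:\SubCA.crt. File names follow the default certutil
# tokens: CRL = <CA name>.crl, certificate = <server>_<CA name>.crt.

# --- On the offline root CA, powered on only for this maintenance window ---
certutil -crl                                  # sign a fresh base CRL under the new period
copy "$env:WINDIR\system32\CertSrv\CertEnroll\*.crl" E:\
copy "$env:WINDIR\system32\CertSrv\CertEnroll\*.crt" E:\   # only needed initially and after renewal

# --- On a domain-joined management workstation (Enterprise Admins for -dspublish) ---
# Publish the root certificate to the AD Certification Authorities and AIA containers
# so domain members trust it, and the CRL to the CDP container. The trailing
# OFFLINEROOT must match the %2 host name used in the LDAP CDP URL.
certutil -dspublish -f "E:\OFFLINEROOT_Example Root CA.crt" RootCA
certutil -dspublish -f "E:\Example Root CA.crl" OFFLINEROOT

# Publish to the HTTP location named in the CDP/AIA extensions as well.
copy "E:\Example Root CA.crl" \\pki.example.com\CertEnroll\
copy "E:\OFFLINEROOT_Example Root CA.crt" \\pki.example.com\CertEnroll\

# Refresh policy so this machine picks up the AD-published root now, then check
# that the subordinate CA certificate chains and revocation-checks using only the
# published URLs (the offline root itself is unreachable, as it should be).
gpupdate /force
certutil -verify -urlfetch C:\SubCA.crt
```

The -verify -urlfetch output lists every CDP and AIA URL it retrieved and whether each succeeded; a failed fetch there is the symptom you would see if the root had been allowed to issue certificates while its paths still pointed at its own file system or local web server.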
Taking a root CA offline does not reduce its importance, so be sure to use reliable hardware for offline root CAs. A hardware failure on an offline CA prevents you from publishing CRLs or issuing certificates to new subordinate CAs.