The PKI server which ships with Windows, Active Directory Certificate Services (AD CS), lets you install a certification authority in four different modes. Before you install your CA servers you will want to know how these types differ from each other so you can plan your setup to suit your needs.
You would use the Stand Alone Root CA in the scenario where you want an offline Root CA. Stand Alone in the context of the CA server means that it is not integrated with Active Directory. However, information from the CA, such as the CDP (CRL Distribution Point) and AIA (Authority Information Access) objects, can still be published to Active Directory. Typically the Stand Alone Root CA is a member of its own workgroup rather than a domain. It is disconnected from the network and accessible only to the operators of the CA server. The only time anyone needs to interact with the server is when it signs a subordinate CA certificate or when it publishes a new CRL. This can be done by transferring files on a USB stick.
Using an Enterprise Root CA is probably the easiest way to set up a PKI system on Windows; with this scenario you only need one server and you don't have to think about subordinate CA servers and certificate chaining. Enterprise in the context of the CA server means that it is integrated with Active Directory. An Enterprise CA can be used to autoenroll certificates in an Active Directory environment.
The downside of this setup is that the Root CA server can't be offline. It has to stay online and domain-joined to issue certificates, which makes it more vulnerable to attack, and because it is the root of the hierarchy, a compromise of its private key compromises every certificate issued under it.
A Stand Alone Issuing CA is a subordinate CA server: it has had its CA certificate signed by another CA. Stand Alone means that the CA server isn't integrated with Active Directory, though the server itself can be a member of an Active Directory domain. Typically this type is used when the CA won't be issuing certificates to objects in an Active Directory domain, or as an offline policy CA in a three tier PKI hierarchy.
An Enterprise Issuing CA is a member of an Active Directory domain and is integrated with Active Directory. User and computer accounts can enroll or autoenroll for certificates from this CA. It provides the same functionality as an Enterprise Root CA, but the Enterprise Issuing CA is a subordinate CA whose certificate is signed by a Root (or policy) CA.
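The following script ties the four CA types above together by deploying the most common combination: an offline Stand Alone Root CA in a workgroup and an online Enterprise Issuing CA in the domain, with the root's certificate and CRL published to Active Directory from the domain side. It is an added example, not code from the original post. It assumes the ADCSDeployment cmdlets that ship with Windows Server 2012 and later (on Windows Server 2008 the equivalent choices are made in the Server Manager wizard), and the host names, CA names, domain and the E: drive used for the USB transfer are hypothetical.

```powershell
# Added example: two-tier AD CS deployment (offline stand-alone root, online enterprise issuing CA).
# Hypothetical names: root host OFFLINEROOT (workgroup), CA "Contoso Root CA";
# issuing host ISSUINGCA01 (domain member), CA "Contoso Issuing CA"; HTTP CDP/AIA at pki.contoso.local;
# E:\ is the removable media used to move files between the two hosts.
# Each section is run on the host named in its heading, in order.

### 1. On OFFLINEROOT: CAPolicy.inf must exist in %windir% before the role is installed.
# Long CRL period (offline root is touched rarely), no delta CRLs, no default templates.
@'
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
'@ | Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding ASCII

### 2. On OFFLINEROOT: install a Stand Alone Root CA (no AD integration).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "Contoso Root CA" -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# CDP/AIA: keep the local file copy (flag 1 = publish here), and put LDAP and HTTP locations
# into issued certificates (flag 2 = add to CDP/AIA extension, 8 = add to CRL CDP).
# The root cannot publish to AD itself; the LDAP objects are created in step 3 with certutil -dspublish.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.contoso.local/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.contoso.local/CertEnroll/%1_%3%4.crt"
Restart-Service certsvc
certutil -crl                                                    # publish the first CRL
Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*" -Destination E:\   # root cert + CRL onto the USB stick

### 3. On ISSUINGCA01 (as an Enterprise Admin): publish the root into AD so every domain member trusts it.
certutil -dspublish -f "E:\OFFLINEROOT_Contoso Root CA.crt" RootCA       # -> CN=AIA and NTAuth/Root containers
certutil -dspublish -f "E:\Contoso Root CA.crl" OFFLINEROOT               # -> CN=OFFLINEROOT,CN=CDP container
certutil -addstore -f Root "E:\OFFLINEROOT_Contoso Root CA.crt"           # local trust until Group Policy refreshes

### 4. On ISSUINGCA01: install an Enterprise Subordinate (Issuing) CA; this only writes a request file.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "Contoso Issuing CA" -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "E:\ISSUINGCA01.req" -Force

### 5. On OFFLINEROOT: sign the subordinate request. A stand-alone CA holds requests as pending,
# so the operator approves it explicitly (certutil -resubmit) rather than auto-issuing.
$out = certreq -submit -config "OFFLINEROOT\Contoso Root CA" "E:\ISSUINGCA01.req" 2>&1
$id  = [regex]::Match(($out -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value
certutil -resubmit $id
certreq -retrieve -config "OFFLINEROOT\Contoso Root CA" $id "E:\ISSUINGCA01.cer"

### 6. On ISSUINGCA01: install the signed CA certificate, start the CA and check the chain end to end.
certutil -installcert "E:\ISSUINGCA01.cer"
Start-Service certsvc
# -urlfetch follows the CDP/AIA URLs in the certificate; any "FAILED" line means clients will not chain.
certutil -verify -urlfetch "E:\ISSUINGCA01.cer"
```

The LDAP CDP entry uses flag 10 (2 + 8) instead of 1 because the root is not domain-joined and cannot write to Active Directory; the CRL object is created and later refreshed by an administrator on the domain side each time a new root CRL is carried over, which with a 26-week CRLPeriod is twice a year. The `certutil -verify -urlfetch` step is the check worth keeping: it fails in exactly the way domain clients will if a CDP or AIA location is unreachable or the published CRL has expired.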
One thing which can be easy to mix up when it comes to certification authorities in Windows is that someone at Microsoft decided to use the term Enterprise to describe two different things. Windows Server comes in different editions, i.e. Web, Standard, Enterprise and Datacenter, and you can also install Active Directory Certificate Services as a Stand Alone or an Enterprise CA.
In my opinion the Enterprise Root CA type should instead have been called something along the lines of Integrated Root CA or Active Directory Root CA. The distinction matters because the functionality of the CA server also depends on which edition of Windows you are using, regardless of which CA type you chose.
Windows Web edition doesn't provide any CA functionality. Standard, Enterprise and Datacenter do, but the Standard edition is limited. Unlike the other editions, a CA server on Windows Standard edition doesn't support the Network Device Enrollment Service (NDES, which implements SCEP), and the Online Responder (OCSP) isn't supported either. Version 2 and 3 certificate templates aren't supported, so you won't be able to create your own certificate templates or autoenroll certificates from them. Further, key archival, role separation, certificate manager restrictions and delegated enrollment agent restrictions won't function on a CA server which uses the Standard edition of Windows. (These edition limits apply to the Windows Server 2008 generation this post is written for; from Windows Server 2012 onward all AD CS features are available in every edition.)
So if you can, you should use the Enterprise or Datacenter edition of Windows for your Enterprise CA servers. For the offline Root CA server, which only signs subordinate CA certificates and publishes CRLs, the Standard edition should suit your needs.
This post is part of the Getting Started with Public Key Infrastructure series.