Stand-alone Root Certificate Authority (CA)
The Root Certificate Authority (CA) is the most important CA and the first CA in a Public Key Infrastructure (PKI).
The Root CA is the only CA that can authorize itself: only the Root CA can issue a certificate to itself.
Subordinate CAs should be authorized by the Root CA. The Root CA issues certificates to subordinate CAs, and the subordinate CAs are then used to issue certificates to users, computers and so on.
In a secure CA hierarchy, the Root CA should be an offline (disconnected from the network) stand-alone Root CA. Keeping the Root CA offline greatly reduces the possibility of the PKI being compromised through an attack on the Root CA's private key. The offline root is used only to issue CA certificates to its subordinate CAs.
The Root CA must be installed as a stand-alone CA so that it can be kept offline and secured. The Root CA cannot have network connections and cannot be linked to any domain. If the Root CA is a member server in a domain, it may lose its trust relationship with the domain. The offline Root CA cannot be a domain controller either, because domain controllers cannot be taken off the network indefinitely.
The prerequisites for installing a stand-alone offline Root CA are listed below.
• The stand-alone offline Root Certificate Authority (CA) should not be a member of any domain or a domain controller.
• The computer name for the stand-alone offline Root Certificate Authority (CA) must be unique for the entire forest.
• A certificate revocation list (CRL) must be published. The CRL distribution point (CDP) must be accessible to users on the network and it should be included in the certificate.
• The Authority Information Access (AIA) distribution point needs to be configured for other CAs to verify the Certificate Authority (CA) chain.
• IIS (Internet Information Services) should be configured on the Certificate Authority (CA) server.
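
The prerequisites above, worked through in PowerShell as an added example (not from the original page): it checks domain membership, installs the role as a stand-alone root CA, and sets the CDP and AIA URLs that are written into issued certificates. The CA name, key size, validity period and the host `pki.example.com` are assumptions to replace with your own values.

```powershell
# Added example; values marked "assumed" are placeholders, not taken from the page.
$CaName  = 'Example Offline Root CA'   # assumed CA common name
$PkiHost = 'pki.example.com'           # assumed web server that clients can reach
$Local   = 'C:\Windows\System32\CertSrv\CertEnroll'

# Prerequisite: the host must not be a domain member or a domain controller.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw "$($cs.Name) belongs to domain '$($cs.Domain)'; use a workgroup server."
}

# Install the role as a stand-alone root CA (key size and validity are assumed).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName $CaName `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# CDP: flag 1 publishes the CRL to the local folder, flag 2 writes the URL into
# the CDP extension of issued certificates. %3 = CA name, %8 = CRL name suffix.
certutil -setreg CA\CRLPublicationURLs `
    "1:$Local\%3%8.crl\n2:http://$PkiHost/CertEnroll/%3%8.crl"

# AIA: flag 2 writes the URL of the CA certificate into issued certificates so
# that other CAs and clients can build the chain. %1 = server DNS name,
# %4 = certificate name suffix.
certutil -setreg CA\CACertPublicationURLs `
    "1:$Local\%1_%3%4.crt\n2:http://$PkiHost/CertEnroll/%1_%3%4.crt"

# The new URLs apply only after the service restarts; then publish a fresh CRL.
Restart-Service -Name CertSvc
certutil -crl

# Verify the stored settings and the files produced in the CertEnroll folder.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem -Path $Local | Where-Object Extension -in '.crl', '.crt'
```

Because the root CA stays off the network, the `.crl` and `.crt` files in the CertEnroll folder have to be carried to the web server named in the URLs on removable media, and the CRL must be republished and copied again before it expires.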