The Install and Configure Offline Root CA module provides you with the instructions and server hardware to develop your hands-on skills in the defined topics. This module includes the following exercises:

  • Deploy Stand-alone CA
  • Configure an Enterprise Subordinate CA

Lab time: It will take approximately 1 hour to complete this lab.

Exam Objectives

The following exam objectives are covered in this lab:

  • Install stand-alone CAs
  • Configure Certificate Revocation List (CRL) distribution points and Authority Information Access (AIA)
  • Install and configure enterprise subordinate CA

Exercise 1 - Deploy Stand-alone CA

A stand-alone root certification authority (CA) is another variant of certification authority server that can be installed in a network. Unlike an Enterprise Root CA, a stand-alone CA does not require the use of Active Directory Domain Services (AD DS) to create a certificate trust chain between a parent and subordinate CA.

Organizations that implement restrictive network security policies have the option of installing a stand-alone CA that can be configured as an offline trusted root CA by simply disconnecting it from the network or putting it in an isolated network segment. A stand-alone CA is the starting point of certificate issuance in an organization and therefore must be protected from unauthorized personnel.

In this exercise, you will install and configure a stand-alone CA on one of the servers in the existing Active Directory domain called PRACTICELABS.COM.

Exercise 2 - Configure an Enterprise Subordinate CA

For corporate networks with restrictive security policies, the separation of roles of the root CA and issuing CA can be achieved by deploying subordinate CAs. The root CA is typically taken offline and is not accessible from the external network.

Under the stand-alone root CA server, an enterprise subordinate CA server is usually configured. Initially, the enterprise subordinate CA generates a certificate request file (.req), which is later submitted to the stand-alone root CA for approval. Upon approval of the certificate request, the certificate is manually added to the subordinate CA.

The relationship between a stand-alone root CA and an enterprise subordinate CA, when successfully established, is considered a two-tier CA hierarchy. The stand-alone root CA grants the enterprise subordinate CA the authority to issue certificates to requesting clients within the internal network or the Internet.
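The request, approval and installation flow described above can be carried out from PowerShell as in the following added example, which is not part of the lab's own instructions. The host name ROOTCA01, the CA common names, the transfer folder and the request ID are assumptions; the three sections run on different machines, with the files carried between them on removable media.

```powershell
# Added example: host names, CA names, paths and the request id are assumed values.
$Transfer   = 'C:\Transfer'                 # folder carried between servers on removable media
$RootConfig = 'ROOTCA01\Example Root CA'    # <root CA host>\<root CA common name>

# --- 1. On the enterprise subordinate CA (domain member) ---
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'Example Issuing CA' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "$Transfer\subca.req" -Force
# The CA service stays stopped until the signed certificate is installed in step 3.

# --- 2. On the stand-alone root CA (kept off the network) ---
certutil -dump "$Transfer\subca.req"        # review subject and key size before approving
certreq -submit -config $RootConfig "$Transfer\subca.req"
# A stand-alone CA leaves requests pending by default; note the RequestId it prints.
$RequestId = 2                              # placeholder: use the id reported by certreq
certutil -resubmit $RequestId               # approve (issue) the pending request
certreq -retrieve -config $RootConfig $RequestId "$Transfer\subca.cer"
certutil -ca.cert "$Transfer\rootca.cer"    # export the root CA certificate
certutil -CRL                               # publish a fresh CRL
Copy-Item "$env:windir\System32\CertSrv\CertEnroll\*.crl" $Transfer

# --- 3. Back on the enterprise subordinate CA ---
certutil -dspublish -f "$Transfer\rootca.cer" RootCA   # publish the root to AD DS
certutil -addstore -f Root "$Transfer\rootca.cer"      # trust the root locally
Get-ChildItem "$Transfer\*.crl" | ForEach-Object {
    # The root CRL must be available locally, because the offline root cannot
    # be reached for revocation checking when the CA service starts.
    certutil -addstore -f Root $_.FullName
}
certutil -installcert "$Transfer\subca.cer"            # bind the issued cert to the CA key
Start-Service certsvc
certutil -ping                                         # confirm the CA service responds
```

Reviewing the request with `certutil -dump` before approval matters because the root CA's signature is what grants the subordinate its issuing authority.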

