Can we add a subordinate enterprise certificate authority linked to an existing enterprise Root certificate authority

dr23trik

1/16/24, 1:16 PM

The Root CA is domain joined. The Sub CA will be domain joined. The Sub CA will deliver workstation Authentification (template) to PC clients via GPO.

Is there any known issue with this configuration? Should the root CA be only standalone? I know the security recommendation for the root CA to be standalone but is there any operational issue if it's domain joined?

129

1 + 0

certificate

ssl-certificate

certificate-authority

ad-certificate-services

Score:0

Server

Massimo

1/16/24, 1:48 PM

Is there any known issue with this configuration?

No.

Should the root CA be only standalone?

This is not mandatory at all.

Is there any operational issue if it's domain joined?

If you have multiple AD-integrated CAs (regardless of their level in the PKI hierarchy), you will need to manage certificate templates, enrolling permissions and auto-enrollment policies so that users and computers get their certificates from the correct CA.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Can we add a subordinate enterprise certificate authority linked to an existing enterprise Root certificate authority

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.