Need to implement a test CA from scratch?

In that case, check out the Test Lab Guide: Base Configuration documentation:

Comments (2)

  1. R.Sorensen says:

    If you are going to implement a 1-tier Enterprise CA, is it recommended to place the CA on a dedicated server, or just add it on a DC?

    In a small environment, is there any need to make it a 2- or 3-tier CA?

  2. Garry Trinder says:

    First thing you need to consider is what you're protecting and compare that with how much you want to invest in protecting it and what would be the cost of compromise.

    I.e. everything is relative to budget – but if at all possible you should try and avoid placing the CA server role on a DC – both because that's making the ADCS role dependent on the ADDS role and also because it makes it difficult to separate the CA manager role from the Domain Administrator role.

    From a strictly technical standpoint however there isn't a problem with the two roles co-existing on the same server.

    Same applies for how many tiers you go with – consider what you're protecting first. The primary reason for having a 2-tier structure is that with a 1-tier structure you have no way of revoking the CA certificate in case of a compromise (this is also the reason why the Root CA in a 2+ tier structure is typically an Offline Root to safeguard it further).
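The two design points raised in the reply above (CA co-located with a DC, and a 1-tier CA whose certificate cannot be revoked) can be audited on an existing CA host. The following PowerShell is an added example written for this page; it is not part of the original post or of the Test Lab Guide. It assumes local administrator rights on the CA, the documented CertSvc registry layout under HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, and the Win32_ComputerSystem.DomainRole codes (4 and 5 for domain controllers). The assumption that the last CACertHash entry is the current CA certificate is marked in the code.

```powershell
# Added example (not from the original post): audit the CA host for the two points above.
# Requires local admin on the CA. Assumes the CertSvc registry layout and the
# Win32_ComputerSystem.DomainRole codes documented by Microsoft.

# 1. Is this machine a domain controller? DomainRole 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -in 4, 5

# 2. Is the CA role installed on the same host?
$isCA = (Get-WindowsFeature -Name ADCS-Cert-Authority).Installed

if ($isCA -and $isDC) {
    Write-Warning 'ADCS and ADDS share this host: the CA depends on the DC, and the CA manager role cannot be separated from Domain Admins.'
}

# 3. Locate the active CA's own certificate and count the tiers in its chain.
$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if ($isCA -and (Test-Path -Path $cfgPath)) {
    $caName = (Get-ItemProperty -Path $cfgPath -Name Active).Active

    # CACertHash is a REG_MULTI_SZ of thumbprints written as space-separated hex bytes.
    # Assumption: the last entry is the current CA certificate (earlier entries are renewed-away certs).
    $hashes = (Get-ItemProperty -Path "$cfgPath\$caName" -Name CACertHash).CACertHash
    $thumb  = ($hashes[-1] -replace ' ', '').ToUpper()
    $caCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb

    if (-not $caCert) {
        Write-Warning "CA certificate $thumb for '$caName' not found in Cert:\LocalMachine\My."
        return
    }

    # Build the chain without revocation checking: an offline root's CRL is normally not
    # reachable from here, and only the structural depth matters for this check.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($caCert)
    $tiers = $chain.ChainElements.Count

    if ($tiers -eq 1) {
        # Self-signed root that issues end-entity certificates directly.
        Write-Warning "'$caName' is a 1-tier CA (self-signed root issuing directly): its certificate cannot be revoked if the key is compromised."
    } else {
        Write-Output "'$caName' is part of a $tiers-tier hierarchy; its root is '$($chain.ChainElements[-1].Certificate.Subject)'."
    }
}
```

Run it in an elevated PowerShell session on the CA. A 2-tier design with an offline root reports two chain elements and a root subject that differs from the issuing CA; a warning on either check corresponds to one of the two risks the reply describes.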
