Best Practices for Deploying Certificate Authority Infrastructure

Jean Hsi
Best Practices for Deploying Certificate Authority Infrastructure


When building a Public Key Infrastructure (PKI), correctly setting up your Certification Authority (CA) environment is essential for maintaining long-term security and functionality. Unfortunately, we often see companies misconfigure their CA setup, which can lead to major headaches down the road. This blog post will walk you through best practices for deploying a secure and reliable CA infrastructure in a Windows environment.

🔑 CA Infrastructure Basics

At a minimum, a proper CA setup should include two servers:

  1. Root CA (Certification Authority)

  2. Subordinate CA (also known as Intermediate CA)

The Root CA holds the root private key and is used to create and sign the Subordinate CA. The Subordinate CA is responsible for actually issuing certificates to users, computers, or services.

🛑 Standalone vs. Enterprise CA: Why It Matters

Windows supports two types of CA servers:

  • Standalone CA: Not joined to Active Directory

  • Enterprise CA: Joined to Active Directory

Best Practice:

  • Make your Root CA a Standalone CA

    • This CA should not be joined to the domain.

    • It should only be powered on long enough to issue the Subordinate CA certificate, then shut down and kept offline.

    • This protects your entire PKI from compromise if the root private key is exposed.

  • Make your Subordinate CA an Enterprise CA

    • This CA should be domain-joined.

    • It handles daily certificate issuance and renewal tasks.

    • Integration with Active Directory simplifies certificate management for users and systems.

⚠️ What Can Go Wrong?

If you accidentally set up a Root CA as an Enterprise CA, you’re inviting trouble. Here’s why:

  • After 180 days of inactivity, the Root CA’s computer account in Active Directory will tombstone (be marked for deletion).

  • Once this happens, the server can no longer authenticate with AD.

  • If you try to unjoin and rejoin the domain as a fix, you may catastrophically break your CA infrastructure, requiring manual repair using ADSIEdit and other advanced tools.

✅ Summary of Best Practices

Component Type Domain-Joined? Status After Setup
Root CA Standalone No Shut down and offline
Subordinate CA Enterprise Yes Online and operational

Keeping the Root CA offline ensures that if a breach occurs, your root certificate remains secure. Only the Subordinate CA remains active in your environment, dramatically reducing risk.

🧰 Need Help?

Setting up a CA infrastructure the right way can be tricky—and if it’s done wrong, cleanup can be time-consuming and tedious. If your organization needs help designing or fixing a Certification Authority environment, ADS Consulting Group is here to help.

📩 Email us at info@adscon.com to get started.

Tip of the Week from ADS Consulting Group
🔔 Subscribe to our YouTube channel for weekly IT insights and cybersecurity tips.

Don’t make a big boo-boo—plan your CA setup right the first time!

Get updated on the latest Information Technology news, Cybersecurity, Information Technology Trends, and recent real-world troubleshooting experiences.

SUBSCRIBE NOW!