The types of CA

Based on the installation mode, the CAs can be divided into two types: the stand-alone CA and the enterprise CA. The best way to explain capabilities of both types is to compare them:

| Feature | Stand-alone CA | Enterprise CA |
|---|---|---|
| AD DS dependency | Does not depend on AD DS; it can be installed on a member server or on a standalone server in a workgroup | Can only be installed on a member server |
| Operate offline | Can stay offline | Cannot be offline |
| Customized certificate templates | Not supported; only standard templates are supported | Supported |
| Supported enrollment methods | Manual or web enrollment | Auto, manual or web enrollment |
| Certificate approval process | Manual | Manual or automatic based on the policy |
| User input for the certificate fields | Manual | Retrieved from AD DS |
| Certificate issuing and managing using AD DS | N/A | Supported |

Stand-alone CAs are mostly used as the root CA. In the previous section, I explained how important root CA security is. A stand-alone CA can be kept offline and brought online only when it needs to issue or renew a certificate. Root CAs are only used to issue certificates to subordinate CAs, so the manual processing and approval are manageable, as this task may only have to be done every few years. This type is also valid for public CAs.

Issuing CAs are involved with day-to-day CA tasks such as issuing, managing, storing, renewing, and revoking certificates. Depending on the infrastructure size, there can be hundreds or thousands of users relying on these issuing CAs. If the request and approval process is manual, it may take a lot of manpower to maintain it. Therefore, in corporate networks, it is always recommended to use the enterprise CA type. Enterprise CAs allow engineers to create certificate templates with specific requirements and publish them via AD DS. End users can then request certificates based on these templates. Enterprise CAs are installed on Windows Server Enterprise Edition or the Datacenter Edition only.
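The installation mode compared above corresponds to the -CAType parameter of the Install-AdcsCertificationAuthority cmdlet. The following script is an added example, not taken from the book: it selects a stand-alone root or an enterprise subordinate (issuing) CA and refuses the enterprise type when the server is not joined to a domain. The role names, the CA common name, the key length, the hash algorithm and the 20-year validity are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: role names, CA name, key size and validity are assumed values.
param(
    [Parameter(Mandatory)]
    [ValidateSet('OfflineRoot', 'Issuing')]
    [string]$Role,
    [string]$CommonName = 'Example Corp CA'   # placeholder CA name
)

# An enterprise CA depends on AD DS; a stand-alone CA does not.
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

switch ($Role) {
    'OfflineRoot' {
        # Stand-alone root: can be kept powered off between issuances.
        if ($domainJoined) {
            Write-Warning 'Host is domain joined; an offline root is normally a workgroup server.'
        }
        $caType = 'StandaloneRootCA'
    }
    'Issuing' {
        # Enterprise CA: templates, auto-enrollment and approval policy come from AD DS.
        if (-not $domainJoined) {
            throw 'An enterprise CA requires AD DS; join the server to the domain first.'
        }
        $caType = 'EnterpriseSubordinateCA'
    }
}

Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null

$caParams = @{
    CAType            = $caType
    CACommonName      = $CommonName
    KeyLength         = 4096
    HashAlgorithmName = 'SHA256'
    Force             = $true
}
if ($caType -eq 'StandaloneRootCA') {
    # Only a root CA sets its own validity; a subordinate's is set by its parent.
    $caParams.ValidityPeriod      = 'Years'
    $caParams.ValidityPeriodUnits = 20
}

# For the subordinate type this produces a certificate request that the
# root CA must sign before the CA service can start.
Install-AdcsCertificationAuthority @caParams
```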
