For internal PKI, I'm a big fan of using Enterprise vs. Stand-alone, for simplicity and ease of management. The problem is, I just can't find definitive answers on how to properly offline it. Most people say to not bother, and their justifications are vague and nebulous. My Enterprise CAs are NOT DCs. I've given this a lot of thought, and these are the things I think need to be considered...
--------------------
If you take the Enterprise root CA offline, you'll need to consider three things:
1. Change the Enterprise root CA's CRL publication interval to be longer than the periods for which the Enterprise root CA will be offline, and also probably disable delta CRLs on the Enterprise root CA for simplicity and ease of management. When you do boot the Enterprise root CA, be sure to publish a new CRL from it into AD.
2. Make sure the Enterprise root CA isn't needed for anything but:
a. The initial, one-time loading of the root certificate into AD for automatic distribution to clients by ADDS.
b. Creating certificates for the subordinate/issuing CAs.
c. Publishing the Enterprise root CA's CRL to AD for reading by the clients.
Is there anything else the Enterprise root CA needs to be online for?
3. By default, every computer account password expires every 30 days. This won't be a problem because when you boot the Enterprise root CA, it'll just change its computer account password if it has expired.
--------------------
So, having said all of that, should I offline the Enterprise root CA? If not, why?
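As an added example (not part of the post above), the following PowerShell carries out step 1 on the enterprise root CA itself: lengthen the base CRL period, switch off delta CRLs, issue a fresh CRL, publish it into AD, and then verify that its NextUpdate outlasts the planned offline window. The CA name `CorpRootCA`, the 26-week CRL period and the 20-week planned return are assumed values; the `certutil` switches and registry value names are the standard AD CS ones.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# enterprise root CA. "CorpRootCA", 26 weeks and 20 weeks are assumed values.
$caName  = 'CorpRootCA'                                                  # assumed CA common name
$crlFile = "$env:SystemRoot\System32\CertSrv\CertEnroll\$caName.crl"     # default CRL output path

# 1. Base CRL lifetime: must exceed the longest period the root will be offline.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
# Overlap gives clients a grace window to fetch the next CRL before the old one expires.
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"

# 2. Disable delta CRLs (0 units = off); nothing short-lived is left to keep current.
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Registry changes take effect only after the CA service restarts.
Restart-Service certsvc

# 3. Issue a fresh base CRL, then push it into the AD CDP container for the clients.
certutil -crl
if (-not (Test-Path $crlFile)) { throw "CRL not found at $crlFile" }
certutil -dspublish -f $crlFile $caName

# 4. Check: the new CRL's NextUpdate must fall after the date the CA is due back online.
$plannedReturn = (Get-Date).AddDays(20 * 7)                # assumed: CA comes back in 20 weeks
$line = (certutil -dump $crlFile | Select-String 'NextUpdate:').Line
$nextUpdate = [datetime]::Parse(($line -replace '.*NextUpdate:\s*', ''))
if ($nextUpdate -le $plannedReturn) {
    Write-Warning "CRL expires $nextUpdate, before planned return $plannedReturn; raise CRLPeriodUnits."
} else {
    Write-Output "CRL valid until $nextUpdate; $caName can be taken offline."
}
```

Re-run the block from step 3 each time the root is booted, so the CRL in AD is renewed before the previous one lapses.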