PKI - Start CA Service without private key

Hi,

we plan to implement an internal Class 3 ADCS PKI with a Root CA and an Issuing CA on Windows Server 2008 R2. The Root CA server will be online all the time; an offline Root CA is not an option. To protect the operations on the Root CA, like creating a CRL or issuing a request for a new Issuing CA, we want to move the private key of the Root CA certificate onto a USB token. The USB token will be stored in a secure location and used only for signing operations like creation of the CRL or issuing requests.

If we export the private key onto the USB token, delete the locally stored private key on the Root CA server and disconnect the USB token, we get an error message when restarting the CA service:

Event ID 100 (CertificationAuthority)
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. Root CA Class 3 Object was not found. 0x80090011 (-2146893807).

Is it possible to start the ADCS CA service without the private key of the CA certificate being available, as long as the CRL isn't outdated?

Thanks for your help.

Faithfully,

Ewoki
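Added diagnostic for the startup failure quoted in the post above (this is not code from the original post or from Microsoft; it is an illustration written for this page). It reads the CA names and certificate hashes that certsvc keeps under its own registry configuration key, looks those certificates up in the machine store, and reports whether a private key is actually reachable for each of them, which is what the 0x80090011 (NTE_NOT_FOUND, "Object was not found") result in Event ID 100 is complaining about. Assumptions: it runs elevated on the Root CA server, the CA uses the standard `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration` layout, and `certutil` is on the path.

```powershell
# Added diagnostic, not part of the original post.
# Assumptions: run elevated on the CA server; the active CA name and its
# CACertHash list live under the standard CertSvc\Configuration registry key.
$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# "Active" holds the name of the CA instance the service will start.
$activeCA = (Get-ItemProperty -Path $configRoot -Name Active).Active
$caKey    = Join-Path $configRoot $activeCA

# CACertHash is a multi-string of SHA-1 thumbprints, one per CA certificate
# generation, written as space-separated hex pairs. Normalise for comparison.
$hashes = (Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash |
          ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }

$report = foreach ($thumb in $hashes) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $thumb }

    # HasPrivateKey only says a key-provider link is attached to the cert.
    # If the key container was deleted (the scenario in the post) the link can
    # survive, so also try to open the key; that is what certsvc needs at start.
    $keyOpens = $false
    if ($cert -and $cert.HasPrivateKey) {
        try   { $keyOpens = ($null -ne $cert.PrivateKey) }   # CSP keys only
        catch { $keyOpens = $false }                         # keyset missing or KSP key
    }

    [pscustomobject]@{
        CA            = $activeCA
        Thumbprint    = $thumb
        CertPresent   = [bool]$cert
        Subject       = if ($cert) { $cert.Subject } else { '<missing>' }
        HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $false }
        KeyOpens      = $keyOpens
    }
}
$report | Format-Table -AutoSize

# Translate the HRESULT from Event ID 100 into its Windows message text.
# -2146893807 is the signed form of 0x80090011 quoted in the event (NTE_NOT_FOUND).
$hr = -2146893807
[System.Runtime.InteropServices.Marshal]::GetExceptionForHR($hr).Message

# certutil's own check exercises the key the CA is configured to sign with;
# with the token unplugged it fails in the same way the service does.
certutil -verifykeys
```

The `KeyOpens` column is the one that matters: with the USB token disconnected it will read `False` for the current CA certificate even though `HasPrivateKey` may still be `True`, because the certificate still carries the provider link to the exported container. For keys held in a CNG key storage provider the `$cert.PrivateKey` probe cannot open them on the .NET version shipped with 2008 R2, so rely on the `certutil -verifykeys` output in that case.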
