Re: Confused about CA deployment options

From: "bhogan" <bhogan@cox.net>
Date: Tue, 28 May 2002 08:15:00 -0700


Thanks,
Choice one sounded ideal until I found out they
charge per domain, and in this case we may end up
registering 100-200 names eventually.
Choice 2 is the one I'm interested in, but even at
Thawte's site I'm not clear on this option. Would it be
subordinate to a Thawte server? I didn't see this on
their site and may likely just be misinterpreting. Or can
I get one certificate to set up a standalone CA?
Choice 3: it's mostly public addresses and no AD structure
in place.

>-----Original Message-----
>You have a number of options:
>
>1) Purchase a wildcard certificate for *.yy.zz
>2) Create a subordinate standalone CA for issuing certificates for your
>servers. Thawte offers a sub-CA product, I think, as well as Baltimore.
>Verisign insists on using their Onsite services in this case
>3) If the servers are intranet-only, you can use a self-signed CA and
>distribute the trusted root using AD policies
>
>Does it make any sense? You're welcome with further
questions
>
>Regards
>
>--
>Svyatoslav Pidgorny, MS MVP, MCSE
>-= F1 is the key =-
>
>"bhogan" <bhogan@cox.net> wrote in message
>news:799201c20365$679392a0$9ae62ecf@tkmsftngxa02...
>> I am trying to deploy SSL in a multiple domain
>> environment where my domains are varied, where in xx.yy.zz
>> the x. portion of the domain has many different values
>> based on each organization within the larger
>> organization. Then also the URLs will vary with services
>> offered, so the URL looks like ww.xx.yy.zz. What is the
>> most efficient way to implement SSL in this environment?
>> To complicate it further these are load balanced servers
>> and each one may represent 30 of the above variations.
>> Can a single server host 30 different SSL URLs (they
>> actually all end up at the same site but based on the URL
>> they typed in they appear to have a branded site)? If the
>> cert only represents yy.zz, which is the only constant,
>> then the client will likely get an error when connecting
>> to ww.xx.yy.zz
>>
>> I planned on installing my own CA as a standalone root.
>> The problem here is then the clients don't automatically
>> trust the CA. Can I use a third party certificate (i.e.
>> verisign) for the root of the CA only? If I do, will the
>> clients automatically trust any certificates I then
>> generate based on the root certificate? I know the obvious
>> solution is to just purchase them all from a third party
>> but I have no budget to work with so it's time to be
>> creative.
>>
>>
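The wildcard option (1) in the quoted reply and the ww.xx.yy.zz worry in the original question both come down to how a client matches the names in a server certificate against the host it connected to. What follows is an added example, not code from this thread or from any of the vendors mentioned: a pure-Python implementation of the wildcard rule TLS clients apply (RFC 2818 / RFC 6125: a wildcard is only accepted as the entire leftmost label and matches exactly one label), run over the thread's placeholder names. The branded hosts ww.hr.yy.zz, ww.sales.yy.zz and ww.legal.yy.zz are constructed for the demo, and the helper wildcards_needed is my own addition that groups hosts by parent domain to estimate how many wildcard certificates a naming scheme would need.

```python
"""Certificate name matching as TLS clients do it (added example).

Rules implemented (RFC 2818 / RFC 6125 dNSName matching):
  * comparison is case-insensitive and ignores a trailing dot;
  * a wildcard must be the whole leftmost label ("*.yy.zz"), never a
    partial label ("f*.yy.zz"), and never directly under a TLD ("*.zz");
  * the wildcard matches exactly one label, so "*.yy.zz" covers
    "xx.yy.zz" but not "ww.xx.yy.zz" and not "yy.zz" itself.
"""


def match_one_name(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (SAN dNSName or CN) matches hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")

    # Reject partial wildcards, wildcards in non-leftmost labels, and
    # patterns with fewer than two labels after the wildcard ("*.zz").
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    if any("*" in label for label in pat_labels[1:]):
        return False

    # "*" stands in for exactly one label: label counts must be equal and
    # every label to the right of the wildcard must match exactly.
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def cert_matches_hostname(cert_names, hostname: str) -> bool:
    """True if any name carried by the certificate matches the hostname."""
    return any(match_one_name(name, hostname) for name in cert_names)


def coverage(cert_names, hostnames):
    """Map each hostname to whether a cert carrying cert_names would be accepted."""
    return {host: cert_matches_hostname(cert_names, host) for host in hostnames}


def wildcards_needed(hostnames):
    """Smallest set of single-label wildcards that covers every hostname.

    Assumption of this example, not a rule from the thread: each host is
    covered by the wildcard for its immediate parent domain, so the count
    equals the number of distinct parent domains.
    """
    return sorted({"*." + host.split(".", 1)[1] for host in hostnames})


if __name__ == "__main__":
    # Constructed host names in the thread's ww.xx.yy.zz / xx.yy.zz shape.
    branded = ["ww.hr.yy.zz", "ww.sales.yy.zz", "ww.legal.yy.zz", "xx.yy.zz"]

    print("cert for yy.zz only:     ", coverage(["yy.zz"], branded))
    print("wildcard *.yy.zz:        ", coverage(["*.yy.zz"], branded))
    print("SAN listing every host:  ", coverage(branded, branded))
    print("wildcards needed instead:", wildcards_needed(branded))
```

Running it shows the trade-off behind the thread: a certificate for yy.zz alone matches nothing, *.yy.zz matches xx.yy.zz but none of the ww.xx.yy.zz hosts (a separate *.xx.yy.zz per organization would be needed, which is the per-domain cost the reply runs into), while one certificate whose subjectAltName lists every branded host is accepted for all of them, provided the clients trust the CA that issued it. That is what makes the private-CA route (options 2 and 3) attractive for a large, changing name list: the names go in the certificate, not on the vendor's invoice.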


