Re: Confused about CA deployment options

From: bhogan (bhogan@cox.net)
Date: 05/28/02


From: "bhogan" <bhogan@cox.net>
Date: Tue, 28 May 2002 08:15:00 -0700


Thanks,
Choice one sounded ideal until I found out they
charge per domain, and in this case we may end up
registering 100-200 names eventually.
Choice 2 is the one I'm interested in, but even at
Thawte's site I'm not clear on this option. Would it be
subordinate to a Thawte server? I didn't see this on
their site and may likely just be misinterpreting. Or can
I get one certificate to set up a standalone CA?
Choice 3: it's mostly public addresses and no AD structure
in place.

>-----Original Message-----
>You have a number of options:
>
>1) Purchase a wildcard certificate for *.yy.zz
>2) Create a subordinate standalone CA for issuing certificates for your
>servers. Thawte offers a sub-CA product, I think, as well as Baltimore.
>Verisign insists on using their Onsite services in this case
>3) If the servers are intranet-only, you can use a self-signed CA and
>distribute the trusted root using AD policies
>
>Does it make any sense? You're welcome with further questions
>
>Regards
>
>--
>Svyatoslav Pidgorny, MS MVP, MCSE
>-= F1 is the key =-
>
>"bhogan" <bhogan@cox.net> wrote in message
>news:799201c20365$679392a0$9ae62ecf@tkmsftngxa02...
>> I am trying to deploy SSL in a multiple domain
>> environment where my domains are varied: in xx.yy.zz
>> the xx. portion of the domain has many different values
>> based on each organization within the larger
>> organization. Then also the URLs will vary with services
>> offered, so the URL looks like ww.xx.yy.zz. What is the
>> most efficient way to implement SSL in this environment?
>> To complicate it further, these are load balanced servers
>> and each one may represent 30 of the above variations.
>> Can a single server host 30 different SSL URLs (they
>> actually all end up at the same site, but based on the URL
>> they typed in they appear to have a branded site)? If the
>> cert only represents yy.zz, which is the only constant,
>> then the client will likely get an error when connecting
>> to ww.xx.yy.zz
>>
>> I planned on installing my own CA as a standalone root.
>> The problem here is then the clients don't automatically
>> trust the CA. Can I use a third party certificate (i.e.
>> Verisign) for the root of the CA only? If I do, will the
>> clients automatically trust any certificates I then
>> generate based on the root certificate? I know the obvious
>> solution is to just purchase them all from a third party,
>> but I have no budget to work with, so it's time to be
>> creative.
>>
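Option 1 (a wildcard for *.yy.zz) only helps if the branded names actually match it, and under the RFC 6125 matching rules that browsers apply a wildcard covers exactly one DNS label. The following is an added example, my own code rather than anything from this thread, that checks which of a constructed set of ww.xx.yy.zz-style names a given certificate covers and works out how many wildcard names would be needed instead; the host names and certificate names are made up for illustration.

```python
"""Which host names does a certificate's name list cover?

Matching follows the RFC 6125 rules most TLS clients apply:
a '*' may only be the entire left-most label and it matches exactly
one label, so '*.yy.zz' covers 'xx.yy.zz' but neither 'ww.xx.yy.zz'
nor the bare 'yy.zz'.
"""


def name_matches(pattern, hostname):
    """Return True if certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label with at least two
    # labels after it ('*.zz' would cover every name under a TLD).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # Exactly one label is consumed by '*', so label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by(cert_names, hostname):
    """True if any name on the certificate covers the host name."""
    return any(name_matches(n, hostname) for n in cert_names)


def uncovered(cert_names, hostnames):
    """Host names that would produce a name-mismatch error."""
    return [h for h in hostnames if not covered_by(cert_names, h)]


def wildcards_needed(hostnames):
    """Smallest set of single-label wildcard (or exact) names covering all."""
    needed = set()
    for h in hostnames:
        labels = h.lower().rstrip(".").split(".")
        # A wildcard needs two labels to its right; shorter names stay exact.
        needed.add("*." + ".".join(labels[1:]) if len(labels) >= 3 else h)
    return needed


# Constructed sample: branded URLs of the shape ww.xx.yy.zz from the thread.
HOSTNAMES = ["www.yy.zz", "xx.yy.zz", "ww.xx.yy.zz", "shop.acme.yy.zz", "yy.zz"]
```

Running `uncovered(["*.yy.zz"], HOSTNAMES)` shows that the one wildcard from option 1 leaves every two-level branded name (and the bare yy.zz) with a mismatch, while `wildcards_needed(HOSTNAMES)` shows the per-organization wildcard names that would be needed instead.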


