Re: W2K3 3-tier CA Implementation



In article <D14753DD-2D3F-4828-ADF2-2A4AC1746CEC@xxxxxxxxxxxxx>,
EricS@xxxxxxxxxxxxxxxxxxxxxxxxx says...
I have been trying to follow all of the best practices and recommendations
for a W2K3 Enterprise CA solution. I have the Root installed, still online
for right now, and have been trying to get the Intermediate CA that will be
used for policies set up. I would like to follow Microsoft's lead and use a
10 year, 2040 bit certificate. I have copied the Subordinate Certification
Authority template and increased it to 10 years, copied the new OID and
description from Intermediate Certification Authority and used both of them
in the CAPolicy.inf file in C:\WINDOWS, but I keep getting 2 year
certificates.

After resolving, I will need to create Issuing CA certificates from the
Policy CA that are 5 years and 2048 bits.

Thanks for ALL of the input.

You need to read the Best Practices whitepaper.... now....
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

1. How do you intend to change an online CA to an offline CA?
2. Look for two commands:
certutil -setreg CA\ValidityPeriodUnits = 10
certutil -setreg CA\ValidityPeriod = "Years"
3. If you are following best practices, a three tiered CA hierarchy has
*standalone* CAs for the root and policy tier. (You have used an
enterprise root, which you can never disconnect from the network, as it
is a domain member.) You do not use a certificate template for the
subordinate CA unless you are creating a fourth tier (a tier subordinate
to an enterprise CA).

I recommend you tear it all down, read the whitepaper, follow the
whitepaper when rebuilding...
Sorry to be blunt, but you are going down the wrong path
Brian
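The two settings Brian points at, worked through as an added example (this is not code from the thread or from Microsoft): a CAPolicy.inf for the CA's own certificate, the certutil registry change that caps what the CA issues, a service restart, and a read-back to confirm. It assumes an elevated prompt on the policy CA with the Certificate Services role already installed; the file path is the standard %SystemRoot% location and nothing else is site-specific.

```powershell
# Added example, not from the original thread.
# Run in an elevated prompt on the policy-tier CA.

# 1. CAPolicy.inf controls the CA's *own* certificate (key length and
#    lifetime at install or renewal time). It does nothing for the
#    certificates the CA hands out, which is why editing it alone did not
#    change the 2-year result. Single-quoted here-string so "$Windows NT$"
#    is written literally.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# 2. The CA\ValidityPeriod registry pair is the ceiling for every certificate
#    this CA issues. A fresh CA defaults to 2 years, so a 10-year template is
#    silently clipped to 2. certutil takes the value as a separate argument.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

# 3. Registry changes are read at service start.
net stop certsvc
net start certsvc

# 4. Read the values back before issuing anything.
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
```

The lifetime a subordinate CA certificate actually gets is the smallest of three things: the template (or request) validity, the CA\ValidityPeriod registry cap above, and the remaining lifetime of the signing CA's own certificate. So the 5-year issuing-CA certificates mentioned in the question need a policy CA certificate with at least 5 years left, and that in turn needs the root's remaining life to cover the policy CA; the CAPolicy.inf in step 1 has to be in place before the CA certificate is created or renewed, not afterwards.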


