Re: W2K3 3-tier CA Implementation
- From: Brian Komar [MVP] <bkomar@xxxxxxxxxxxxxxxxx>
- Date: Tue, 14 Nov 2006 07:46:15 -0600
Comments inline...

In article <D196E7B7-D3CD-4115-A748-D9548F186600@xxxxxxxxxxxxx>,
EricS@xxxxxxxxxxxxxxxxxxxxxxxxx says...
> I read them ...NOW... three times and since they were not giving me, the
> customer, the information I required, I was hoping for some polite help to
> point me in the correct direction, not a demeaning and belittling comment
> from a Microsoft Representative.

First of all, I am not an employee of Microsoft (never have been). This
is just me providing free support to help users. Sorry, I cannot get how
many times you have read documents, but you seem to be not following the
recommendations that are out there.

> Just one more reason to look elsewhere from both a product and support
> standpoint.

I can agree with this.

> I got this from a Linux admin:
> 1. No matter what environment you are in, install a standalone ROOT CA.
> 2. No matter what environment you are in, install a standalone subordinate CA

Only if you are doing a three tiered hierarchy

> 3. No matter what environment you are in, install your issuing CA's as
> enterprise subordinate CA's, this is where your Active Directory integration
> happens, based on the standalone subordinate CA.

I agree with issuing CAs being enterprise CAs. I have no idea what the
last part of the sentence means.

BTW, I cover a lot of this in my MSPress book. In fact a whole chapter
on implementation.
> "Brian Komar [MVP]" wrote:
>
> > In article <D14753DD-2F3F-4828-ADF2-2A4AC1746CEC@xxxxxxxxxxxxx>,
> > EricS@xxxxxxxxxxxxxxxxxxxxxxxxx says...
> > > I have been trying to follow all of the best practices and recommendations
> > > for a W2K3 Enterprise CA solution. I have the Root installed, still online
> > > for right now, and have been trying to get the Intermediate CA that will be
> > > used for policies set up. I would like to follow Microsoft's lead and use a
> > > 10 year, 2040 bit certificate. I have copied the Subordinate Certification
> > > Authority template and increased it to 10 years, copied the new OID and
> > > description from Intermediate Certification Authority and used both of them
> > > in the CAPolicy.inf file in C:\WINDOWS, but I keep getting 2 year
> > > certificates.
> > >
> > > After resolving, I will need to create Issuing CA certificates from the
> > > Policy CA that are 5 years and 2048 bits.
> > >
> > > Thanks for ALL of the input.
> >
> > You need to read the Best Practices whitepaper.... now....
> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
> >
> > 1. How do you intend to change an online CA to an offline CA?
> > 2. Look for two commands:
> > certutil -setreg CA\ValidityPeriodUnits = 10
> > certutil -setreg CA\ValidityPeriod = "Years"
> > 3. If you are following best practices, a three tiered CA hierarchy has
> > *standalone* CAs for the root and policy tier. (you have used an
> > enterprise root, which you can never disconnect from the network, as it
> > is a domain member... You do not use a certificate template for the
> > subordinate CA unless you are creating a fourth tier (a tier subordinate
> > to an enterprise CA).
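The two certutil commands quoted above are the whole fix for the "I keep getting 2 year certificates" symptom, and the reason is worth spelling out: a Windows CA never issues a certificate that outlives its own CA\ValidityPeriod registry cap, whatever a copied template or the child's CAPolicy.inf asks for, so the lifetime of an issued certificate is the shortest of the template validity, that cap on the *parent* CA, and the remaining lifetime of the parent's own certificate. The script below is an added example, not code from the thread, Brian Komar's book or Microsoft; it runs on the parent CA, shows the cap before and after, restarts Certificate Services (which is when -setreg values are read), and then checks the lifetime of the re-issued subordinate CA certificate. The values in $Units and $RequestId are assumptions for illustration.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the
# PARENT CA (the one that signs the policy/intermediate CA certificate), because
# the parent's own cap decides the lifetime of every certificate it issues:
#   issued lifetime = min(template validity, CA\ValidityPeriod cap, parent cert's remaining life)
# A CAPolicy.inf or a copied "Subordinate Certification Authority" template on the
# child CA cannot exceed that cap, which is how a 10-year request comes back as 2 years.

$Units  = 10        # assumed target: a 10-year policy-CA certificate
$Period = "Years"

function Show-ValidityCap {
    # Print the two registry values the CA reads at service start
    certutil -getreg CA\ValidityPeriodUnits
    certutil -getreg CA\ValidityPeriod
}

Write-Host "Cap before the change:"
Show-ValidityCap

# The two commands from the thread (certutil takes the value as a plain argument)
certutil -setreg CA\ValidityPeriodUnits $Units
certutil -setreg CA\ValidityPeriod $Period

# Certificate Services only picks up -setreg changes on restart
Restart-Service -Name certsvc

Write-Host "Cap after the change:"
Show-ValidityCap

# Re-submit the subordinate CA request (certreq -submit), then confirm what was issued.
# $RequestId is whatever ID the CA assigned to that request (assumed value here).
$RequestId = 2
certutil -view -restrict "RequestID=$RequestId" -out "RequestID,CommonName,NotBefore,NotAfter"
```

Raising the cap on the parent does not change any certificate already issued; the existing two-year subordinate CA certificate has to be re-requested (or renewed) before the NotAfter date in the last command shows ten years. Lower the cap again afterwards if the parent also issues other certificates that should stay short-lived.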