Re: Certificate Authorities ?
From: David Cross [MS] (vaq130@nospam.hotmail.com)
Date: 05/27/02
- Next message: Justin Troutman: "Re: Fixing RNG in Microsoft Windows?"
- Previous message: Kerry Hoskin: "Re: Former Install Encryption Cracking"
- In reply to: Jan Partanen: "Re: Certificate Authorities ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David Cross [MS]" <vaq130@nospam.hotmail.com> Date: Mon, 27 May 2002 09:37:55 -0700
sorry, I was away on vacation
the registry key where the ACRS object on a DC will be is at:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ACRS
> > David B. Cross [MS]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
"Jan Partanen" <jan_partanen@hotmail.com> wrote in message
news:K85H8.5147$ws6.110380@news2.nokia.com...
> David,
>
> could you please clarify where the automatic certificate object resides
> (somewhere in the registry I suppose, but where?) on the DC? Is it
> documented somwhere? Also, what is the KB article you are referring to?
>
> Cheers,
> Jan
>
> "D. Cross [MS]" <vaq130@hotmail.com> wrote in message
> news:OEJ04aq2BHA.2724@tkmsftngp04...
> > By default domain controllers create their own automatic certificate
> request
> > objects. This can be blocked by removing the DC template from the CA -
or
> > their is a KB article on how to turn this off on the DCs.
> >
> > --
> >
> > David B. Cross [MS]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> >
> > "John Gregory" <jgreg@hotmail.com> wrote in message
> > news:evaNy4n2BHA.2048@tkmsftngp05...
> > > Thanks for your reply.
> > > One more thing. The Enterprise Root CA has issued certificates to all
> the
> > > DC's in our test lab. This is not something that I have (knowingly)
> > > initiated.
> > > Can someone explain how this happened. I am not sure what these
> > certificates
> > > are for. The certifcates are issued to 'DomainName\servername$'.
> > > Am I missing something and what are the implications if I now remove
all
> > the
> > > templates I mentioned in the last message
> > > Thanks
> > >
> > >
> > >
> > >
> > > "D. Cross [MS]" <vaq130@hotmail.com> wrote in message
> > > news:uVFsZpY2BHA.2428@tkmsftngp07...
> > > > Yes, and of course good operational practices as well.
> > > >
> > > > --
> > > >
> > > > David B. Cross [MS]
> > > >
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > > >
> > > > "John Gregory" <jgreg@hotmail.com> wrote in message
> > > > news:##VmQVQ2BHA.2380@tkmsftngp04...
> > > > > Sorry, I meant to add, to do what I want, is it a question of
> deleting
> > > all
> > > > > the Policy Settings templates with the exception of the
Subordinate
> CA
> > > one
> > > > ?
> > > > > thanks
> > > > >
> > > > > "John Gregory" <jgreg@hotmail.com> wrote in message
> > > > > news:e$SvbMQ2BHA.1552@tkmsftngp05...
> > > > > > Hi
> > > > > > In our test lab, we have an AD domain with an Enterprise Root CA
> and
> > a
> > > > > > subordinate root CA.
> > > > > > In the various docs I have read (walkthroughs etc), they state
> that
> > is
> > > > it
> > > > > is
> > > > > > good security practice to limit the root CA to issuing
> certificates
> > to
> > > > > > subordinate CAs only.
> > > > > > Where can I actually configure this, I have had a good look
round
> > but
> > > > > can't
> > > > > > see anything obvious. Can anyone point me in the right
direction.
> > I'd
> > > > like
> > > > > > to have this sorted out before we go to our live environment.
> > > > > > Thanks for any help given
> > > > > > JR
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
- Next message: Justin Troutman: "Re: Fixing RNG in Microsoft Windows?"
- Previous message: Kerry Hoskin: "Re: Former Install Encryption Cracking"
- In reply to: Jan Partanen: "Re: Certificate Authorities ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
