Re: Enterprise vs Standalone CA

From: Todd Geib (toddgnospam@nospamperceptron.com)
Date: 09/05/02


Thank you very much for the in depth explanation. I've now gone through
and read the necessary document and it looks like Enterprise is the way
to go for our organization.

My question is this now: If I have a hardware device (specifically a
vpn concentrator) that needs to use a certificate and SCEP is either not
an option or doesn't work, I will need to create a user in the AD that
is specifically for that hardware device right? If not, what are my
options?

Shreeniwas Kelkar [MS] wrote:
> A decision between Stand Alone and Enterprise CAs is not just based on one
> feature or the other. They both are designed for different roles.
>
> The enterprise CAs work closely with the AD. By default, they automatically
> issue certs based on domain authentication (and thus usually only to domain
> users). They do not need to be supplied much information during a cert
> request. They pull out most of the required information from the AD to fill
> in the cert.
>
> The standalone CAs are very simplified and do not usually interact with the
> AD. They expect users to supply all the information and depend on human
> intervention (CA Administrator) for decisions of cert issuance, request
> denial and other CA management tasks. They are generally used in limited
> scenarios (e. g. root CAs).
>
> In a typical PKI deployment, a SA CA will be used as the root CA (quite
> often offline) with a long life. It will issue only a handful of certs in
> its lifetime, most often only to other subordinate CAs. The second and
> subsequent level subordinate CAs will typically be of Enterprise type. The
> bottom level CAs will issue the certs to users and machines in the domain
> working closely with the AD. They dispose of cert requests automatically
> based off of information in the AD, though it is possible to put further
> stringent requirements (e. g. administrator intervention) easily.
>
> To sum it up, before deploying PKI, a lot of different issues need to be
> considered and the PKI needs to be carefully designed to fit your
> requirements. The decision of number of CAs and CA types is based on
> important considerations of trust and management rather than a simple
> feature like AD integration or automatic request disposition. I strongly
> suggest consulting documentation. Here's a starting point
> http://www.microsoft.com/windows2000/techinfo/planning/walkthroughs/default.asp
>
> --
> Shreeniwas Kelkar,
> Microsoft Corp.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of any included samples is subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
> --
> "Todd Geib" <toddgnospam@nospamperceptron.com> wrote in message
> news:O5Pvu$4UCHA.2856@tkmsftngp11...
>
>>Our CA will be used to produce certs to be used for IPSec, website, and
>>email encryption. It is the first CA in our organization. We are
>>just beginning to deploy Active Directory. Users will request certs
>>from both our intranet and the internet. I would like to be able to
>>have an Administrator give consent when issuing certs. I would also
>>like this information to be published in the Active Directory.
>>
>>Based on these requirements, I'm not sure whether I should install
>>certificate services as Enterprise or a Standalone. Any suggestions /
>>advice?
>>
>
>
>
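One way to enroll a device that cannot use SCEP against an Enterprise CA without creating an AD account for it, added here as an example and not taken from the thread: the device generates its own key pair and PKCS#10 request, and a domain administrator submits that request under a template whose subject is supplied in the request, with the CA holding it for approval. The CA config string, template choice, file paths and the certreq/certutil syntax (Windows Server 2003 era and later) are assumptions.

```powershell
# Added example, not code from the thread. Assumed values: CA config string,
# template, and file names. The device (here the VPN concentrator) generates
# its own key pair and exports a PKCS#10 request; the administrator's own
# domain account is what authenticates the submission to the Enterprise CA.
$CAConfig  = "CASERVER.example.com\Example Issuing CA"  # assumption: "<host>\<CA name>"
$Template  = "IPSECIntermediateOffline"                 # built-in "IPSec (Offline request)" template
$Request   = "C:\enroll\concentrator.req"               # PKCS#10 exported from the device (assumption)
$CertOut   = "C:\enroll\concentrator.cer"
$RequestId = 0   # assumption: replace with the RequestId printed by step 1

# One-time prerequisites on the Enterprise CA (done by the CA administrator):
#  - publish the template on the CA (Certificate Templates container in the CA MMC);
#  - grant Enroll on that template to the admins who submit device requests;
#  - configure the CA (or the template) to hold requests as pending, which gives
#    the "administrator gives consent" step the original post asked for.

# 1. Submit the device's request. Because an offline template takes the subject
#    from the request instead of from AD, no AD user object is needed for the device.
#    certreq prints a RequestId and reports the request as pending if approval is required.
certreq -submit -attrib "CertificateTemplate:$Template" -config $CAConfig $Request $CertOut

# 2. A CA manager reviews the pending request and issues it (on the CA, or remotely
#    through -config). Check the subject and key size shown before resubmitting.
certutil -config $CAConfig -resubmit $RequestId

# 3. Retrieve the issued certificate; hand it and the CA chain to the device.
certreq -retrieve -config $CAConfig $RequestId $CertOut

# 4. Inspect what was actually issued before installing it on the device.
certutil -dump $CertOut
```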


