Re: Enterprise vs Standalone CA

From: Shreeniwas Kelkar [MS] (srkelkar@online.microsoft.com)
Date: 09/05/02


From: "Shreeniwas Kelkar [MS]" <srkelkar@online.microsoft.com>
Date: Thu, 5 Sep 2002 14:03:14 -0700


I am not an expert in that area, but since any entity requesting
certificates from an Enterprise CA requires domain credentials to
authenticate, I would say yes. Intuitively it sounds like you need a machine
account rather than a user account.

--
Shreeniwas Kelkar,
Microsoft Corp.
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm"
--
"Todd Geib" <toddgnospam@nospamperceptron.com> wrote in message
news:#IbnclRVCHA.4008@tkmsftngp11...
> Thank you very much for the in depth explanation.  I've now gone through
> and read the necessary document and it looks like Enterprise is the way
> to go for our organization.
>
> My question is this now:  If I have a hardware device (specifically a
> vpn concentrator) that needs to use a certificate and SCEP is either not
> an option or doesn't work, I will need to create a user in the AD that
> is specifically for that hardware device right?  If not, what are my
> options?
>
> Shreeniwas Kelkar [MS] wrote:
> > A decision between Stand Alone and Enterprise CAs is not just based on one
> > feature or the other. They both are designed for different roles.
> >
> > The enterprise CAs work closely with the AD. By default, they automatically
> > issue certs based on domain authentication (and thus usually only to domain
> > users). They do not need to be supplied much information during a cert
> > request. They pull out most of the required information from the AD to fill
> > in the cert.
> >
> > The standalone CAs are very simplified and do not usually interact with the
> > AD. They expect users to supply all the information and depend on human
> > intervention (CA Administrator) for decisions of cert issuance, request
> > denial and other CA management tasks. They are generally used in limited
> > scenarios (e. g. root CAs).
> >
> > In a typical PKI deployment, a SA CA will be used as the root CA (quite
> > often offline) with a long life. It will issue only a handful of certs in
> > its lifetime, most often only to other subordinate CAs. The second and
> > subsequent level subordinate CAs will typically be of Enterprise type. The
> > bottom level CAs will issue the certs to users and machines in the domain
> > working closely with the AD. They dispose of cert requests automatically
> > based off of information in the AD, though it is possible to put further
> > stringent requirements (e. g. administrator intervention) easily.
> >
> > To sum it up, before deploying PKI, a lot of different issues need to be
> > considered and the PKI needs to be carefully designed to fit your
> > requirements. The decision of number of CAs and CA types is based on
> > important considerations of trust and management rather than a simple
> > feature like AD integration or automatic request disposition. I strongly
> > suggest consulting documentation. Here's a starting point
> >
> > http://www.microsoft.com/windows2000/techinfo/planning/walkthroughs/default.asp
> >
> > --
> > Shreeniwas Kelkar,
> > Microsoft Corp.
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of any included samples is subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm"
> > --
> > "Todd Geib" <toddgnospam@nospamperceptron.com> wrote in message
> > news:O5Pvu$4UCHA.2856@tkmsftngp11...
> >
> >>Our CA will be used to produce certs to be used for IPSec, website, and
> >>email encryption.  It is the first CA in our organization.  We are
> >>just beginning to deploy Active Directory.  Users will request certs
> >>from both our intranet and the internet.  I would like to be able to
> >>have an Administrator give consent when issuing certs.  I would also
> >>like this information to be published in the Active Directory.
> >>
> >>Based on these requirements, I'm not sure whether I should install
> >>certificate services as Enterprise or a Standalone.  Any suggestions /
> >>advice?
> >>
> >
> >
> >
>

