Re: Certificate authorities and firewalls
From: krish shenoy[MS] (kshenoy@online.microsft.com)
Date: 11/11/02
- Next message: x y: "Auditing"
- Previous message: jmac: "ipsec between MS server and Cisco PIX"
- In reply to: Jennette Owen: "Certificate authorities and firewalls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "krish shenoy[MS]" <kshenoy@online.microsft.com> Date: Mon, 11 Nov 2002 10:45:34 -0800
There are two things that need to be addressed.
1) Make the SA Root certificate and CRLs available outside of the firewall.
For this you need to modify the CRL Distribution Point extension and the AIA
extension to include an externally accessible location from which the CRLs and CA
certificate can be retrieved. To do this you need to use the
CAPolicy.inf and edit the [CRLDistributionPoint] and
[AuthorityInformationAccess] sections.
The following would be such a file:
[Version]
Signature= "$Windows NT$"
[CRLDistributionPoint]
URL = http://%1/Public/My CA.crl
+ existing URLs
[AuthorityInformationAccess]
URL = http://%1/Public/My CA.crt
+ existing URLs
Now copy this CAPolicy.inf to %windir% on the SA root CA machine.
Renew the SA Root CA certificate with a new key.
This will create a new CA certificate with these two extensions.
If the firewall does not allow the SA Root CA machine to publish to these two
locations, then the files need to be manually copied to these locations.
Note: The CRLs would need to be copied periodically if the CA cannot publish
to the external location.
2) To do this, when you install the CA, instead of submitting the request to
an online CA, save the request to a file. Take the request
to the root on a floppy. Submit the request and retrieve the certificate
chain. Install the certificate chain on the workgroup machine.
--
This posting is provided "AS IS" with no warranties and confers no rights. Use of any included samples is subject to the terms specified at http://www.microsoft.com/info/copyright.htm

"Jennette Owen" <jennette.owen@sts.siemens.com> wrote in message news:3f0901c28996$a74dd1f0$3aef2ecf@TKMSFTNGXA09...
> Hi,
>
> I have a stand-alone root CA on my Windows 2000 domain. I
> have a firewall which separates this domain from another
> Windows 2000 server. This is in its own workgroup and not
> part of the domain, and I want to install a subordinate CA
> on the server. However, the installation fails because I
> cannot see the root CA. Is there any way I can get this
> to work without having to open up my firewall? Any advice
> would be greatly appreciated. Thanks.
>
>
> Jennette
>
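The reply above hinges on two things a defender should be able to verify: that the renewed root certificate really carries the external HTTP CDP and AIA URLs, and that a manually copied CRL is replaced before its nextUpdate passes. The following is an added example (not code from the post or from Microsoft) that builds a self-signed root with the two extensions from the CAPolicy.inf, reads the URLs back out the way a relying party would, and flags a stale CRL copy. It assumes the third-party `cryptography` package and uses the made-up host `pki.example.com` in place of the `%1` placeholder.

```python
# Added example, not the post's code; needs 'cryptography'; pki.example.com stands in for %1.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

CDP_URL = "http://pki.example.com/Public/My%20CA.crl"  # %20 encodes the space in "My CA"
AIA_URL = "http://pki.example.com/Public/My%20CA.crt"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so runs are repeatable

def build_ca(now=NOW):
    """Self-signed root carrying the CDP and AIA extensions a renewed root would have."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "My CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
                [x509.UniformResourceIdentifier(CDP_URL)], None, None, None)]), critical=False)
            .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
                AuthorityInformationAccessOID.CA_ISSUERS,
                x509.UniformResourceIdentifier(AIA_URL))]), critical=False)
            .sign(key, hashes.SHA256()))
    return key, name, cert

def external_urls(cert):
    """URLs a client outside the firewall will fetch: (CRL URLs, CA-certificate URLs)."""
    cdp = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    crl_urls = [gn.value for dp in cdp for gn in (dp.full_name or [])
                if isinstance(gn, x509.UniformResourceIdentifier)]
    aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    ca_urls = [ad.access_location.value for ad in aia
               if ad.access_method == AuthorityInformationAccessOID.CA_ISSUERS]
    return crl_urls, ca_urls

def crl_is_stale(crl, now):
    """True once nextUpdate has passed: a manually copied CRL must be replaced before then."""
    next_update = getattr(crl, "next_update_utc", None)
    if next_update is None:  # older cryptography releases only expose naive UTC datetimes
        next_update = crl.next_update.replace(tzinfo=timezone.utc)
    return now >= next_update

def check_publication(days_since_copy, crl_lifetime_days=7, now=NOW):
    """Issue a CRL at `now`, then report (CRL URLs, CA URLs, stale?) for a copy that old."""
    key, name, cert = build_ca(now)
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name).last_update(now)
           .next_update(now + timedelta(days=crl_lifetime_days)).sign(key, hashes.SHA256()))
    crl_urls, ca_urls = external_urls(cert)
    return crl_urls, ca_urls, crl_is_stale(crl, now + timedelta(days=days_since_copy))
```

Running the same URL extraction against the real renewed root certificate tells you whether clients beyond the firewall will even try the external location; the stale check is what a periodic copy job should run before and after each copy.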