Re: Enterprise Root CA Install
From: David Cross [MS] (dcross@online.microsoft.com)
Date: 04/05/03
From: "David Cross [MS]" <dcross@online.microsoft.com>
Date: Fri, 4 Apr 2003 21:08:02 -0800
If you need a key length greater than 1024, you can use the enhanced or
strong CSP, which are the same.
I wanted to point out something that I should have noticed before: you
cannot take an enterprise CA offline. Enterprise CAs are meant to be online
and connected to AD at all times. If standalone parent (root) CAs are taken
offline, that is OK, but you must think about periodically publishing a CRL,
etc. for this. Very soon we will have a best practices paper for Windows
Server 2003 published on our web site.
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Arlis Brown" <ambrown@eyenm.com> wrote in message
news:059301c2fac8$0a1a8ab0$a401280a@phx.gbl...
> All,
>
> Since input on the subject has been limited, I found an
> article on the TechNet CDs entitled "Windows 2000
> Certificate Services and Public Key Infrastructure".
> Within, a comparison was provided between Microsoft's base
> CSP and the enhanced CSP. Furthermore, other .Net
> articles on PKI recommend using the enhanced CSP for
> stronger encryption. Can anybody provide any information
> on Microsoft's "Strong" CSP?
>
> Also, I wanted to know if an Enterprise Root CA has to
> have a static IP Address. I've covered articles on CA
> disaster recovery and many allude to allocating a static IP
> Address.
>
> Any input on the subject will be appreciated. Thanks!
>
> Arlis
>
> >-----Original Message-----
> >1. No - it is recommended to use a member server.
> >
> >2. Mainly key size. The Base provider is just fine for
> >most purposes.
> >
> >--
> >David B. Cross [MS]
> >
> >--
> >This posting is provided "AS IS" with no warranties, and
> >confers no rights.
> >
> >"Arlis Brown" <ambrown@eyenm.com> wrote in message
> >news:074901c2f977$2344c890$3301280a@phx.gbl...
> >> I'm planning on installing a W2K Adv Server Enterprise
> >> Root CA and have a couple of questions:
> >>
> >> 1) Does the Server have to be a domain controller? Or,
> >> is it sufficient that it have access to a DC? As soon as
> >> I verify the installation and set up a subordinate
> >> Enterprise CA, the root server will be taken off line and
> >> placed in storage. Therefore, I had reservations about
> >> promoting it to a DC.
> >>
> >> 2) High Encryption Pack - Currently installed on my
> >> target server. I noted additional CSPs are now available
> >> and wanted advice on selecting something other
> >> than "Microsoft Base Cryptographic Provider v1.0". Other
> >> options are "Microsoft Enhanced Cryptographic Provider
> >> v1.0" and "Microsoft Strong Cryptographic Provider". What
> >> are the pros and cons regarding deviating from the
> >> default "Microsoft Base Cryptographic Provider v1.0"?
> >>
> >> I'll appreciate any feedback on this issue! Thanks!
> >>
> >> Arlis Brown, Network Manager
> >> Eye Associates of NM, Ltd.