Re: Enterprise Root CA Install

From: Arlis Brown (ambrown@eyenm.com)
Date: 04/07/03


From: "Arlis Brown" <ambrown@eyenm.com>
Date: Mon, 7 Apr 2003 12:02:21 -0700


David,

Thank you for your input regarding the offline CA.
Yesterday, I tested the concept of creating a "standalone
root CA" based on a Technet article entitled "Deploying
the PKI". Within this article, details are provided on
installing certificate services to W2K member servers in a
standalone root CA configuration followed by
an "Enterprise subordinate CA" installation. The areas of
confusion encountered were:

1) Declaring the location of standalone Root CA's CRL and
CRT files. The article mentions the CRL and CRT files
must be manually copied to the "web server". Here I am
not sure if it is referring to the web server of the
standalone Root CA or possibly the Enterprise subordinate
CA. By default, the standalone root CA's policy
module/X.509 Extension settings location pointers
reference its own web server. If it is to be
an "offline" root CA, how do you handle the location of
the CRL and CRT files?

2) Publishing the standalone Root CA's certificate to
Active Directory. Before installing the "Enterprise
subordinate CA", instructions are provided on how to
employ the "DSSTORE.EXE" utility to publish the root CA's
certificate to Active Directory. Here, I did not know
how to verify if the certificate was successfully
published to Active Directory. I checked the Domain Group
policy Computer Configuration --> Windows Settings -->
Security Settings --> Public Key Policies --> Trusted Root
Certification Authorities, but did not find any entries.
This one really bugs me since I am not sure if the
standalone Root CA is actually recognized in AD. Can I
verify from the standpoint of the "Enterprise subordinate
CA"?

Any insight on these issues will be greatly appreciated!
Thanks!

Arlis

>-----Original Message-----
>If you need a key length greater than 1024, you can use the enhanced or
>strong CSP which are the same.
>
>I wanted to point out something that I should have noticed before, you
>cannot take an enterprise CA offline. Enterprise CAs are meant to be online
>and connected to AD at all times. If standalone parent (root) CAs are taken
>offline, that is OK, but you must think about periodically publishing a CRL,
>etc for this. Very soon we will have a best practices paper for Windows
>Server 2003 published on our web site.
>
>--
>
>David B. Cross [MS]
>
>--
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>http://support.microsoft.com
>
>"Arlis Brown" <ambrown@eyenm.com> wrote in message
>news:059301c2fac8$0a1a8ab0$a401280a@phx.gbl...
>> All,
>>
>> Since input on the subject has been limited, I found an
>> article on the TechNet CDs entitled "Windows 2000
>> Certificate Services and Public Key Infrastructure".
>> Within, a comparison was provided between Microsoft's base
>> CSP and the enhanced CSP. Furthermore, other .Net
>> articles on PKI recommend using the enhanced CSP for
>> stronger encryption. Can anybody provide any information
>> on Microsoft's "Strong" CSP?
>>
>> Also, I wanted to know if an Enterprise Root CA has to
>> have a static IP Address. I've covered articles on CA
>> disaster recovery and many allude to allocating a static IP
>> Address.
>>
>> Any input on the subject will be appreciated. Thanks!
>>
>> Arlis
>>
>> >-----Original Message-----
>> >1. No - it is recommended to use a member server.
>> >
>> >2. Mainly key size. The Base provider is just fine for
>> >most purposes.
>> >
>> >--
>> >
>> >David B. Cross [MS]
>> >
>> >--
>> >This posting is provided "AS IS" with no warranties, and
>> >confers no rights.
>> >
>> >"Arlis Brown" <ambrown@eyenm.com> wrote in message
>> >news:074901c2f977$2344c890$3301280a@phx.gbl...
>> >> I'm planning on installing a W2K Adv Server Enterprise
>> >> Root CA and have a couple of questions:
>> >>
>> >> 1) Does the Server have to be a domain controller? Or,
>> >> is it sufficient that it have access to a DC? As soon as
>> >> I verify the installation and set up a subordinate
>> >> Enterprise CA, the root server will be taken offline and
>> >> placed in storage. Therefore, I had reservations about
>> >> promoting it to a DC.
>> >>
>> >> 2) High Encryption Pack - Currently installed on my
>> >> target server. I noted additional CSPs are now available
>> >> and wanted advice on selecting something other
>> >> than "Microsoft Base Cryptographic Provider v1.0". Other
>> >> options are "Microsoft Enhanced Cryptographic Provider
>> >> v1.0" and "Microsoft Strong Cryptographic Provider". What
>> >> are the pros and cons regarding deviating from the
>> >> default "Microsoft Base Cryptographic Provider v1.0"?
>> >>
>> >> I'll appreciate any feedback on this issue! Thanks!
>> >>
>> >> Arlis Brown, Network Manager
>> >> Eye Associates of NM, Ltd.
>> >>
>> >
>
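The two checks Arlis asks about (whether the CDP/AIA URLs stamped into the subordinate CA certificate point at a host that will be powered off, and whether the root certificate actually landed in the AD configuration partition) can be verified from the enterprise subordinate CA. The script below is an added example, not code from the thread or from Microsoft; it assumes the subordinate and root CA certificates have been exported to `SubCA.cer` and `RootCA.cer`, that `OFFLINEROOT` is a placeholder for the offline root's hostname, and that it runs on a domain-joined Windows host.

```powershell
# Added example (not from the thread). Verifies an offline standalone root's publishing
# setup from the enterprise subordinate CA. File names and the hostname are assumptions.
param(
    [string]$SubCaCert       = '.\SubCA.cer',   # issued by the root; carries the root's CDP/AIA URLs
    [string]$RootCaCert      = '.\RootCA.cer',
    [string]$OfflineRootHost = 'OFFLINEROOT'    # placeholder for the root that will be powered off
)

$sub  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SubCaCert
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCaCert

# Check 1: CRL Distribution Points (2.5.29.31) and Authority Information Access
# (1.3.6.1.5.5.7.1.1) in the sub CA cert. Any URL naming the offline root's own web
# server will be unreachable once the root is in storage, so chain building fails.
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $sub.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if (-not $ext) { Write-Warning "Sub CA cert has no extension $oid"; continue }
    # Format() renders the extension as text; pull the URLs out instead of decoding ASN.1 by hand
    $urls = [regex]::Matches($ext.Format($true), '(?i)(ldap|https?|file)://\S+') | ForEach-Object { $_.Value }
    foreach ($u in $urls) {
        if ($u -match [regex]::Escape($OfflineRootHost)) {
            Write-Warning "$($ext.Oid.FriendlyName) URL points at the offline root: $u"
        } else {
            Write-Host "$($ext.Oid.FriendlyName) URL: $u"
        }
    }
}

# Check 2: is the root cert published in AD? DSSTORE.EXE writes it to the
# "Certification Authorities" container of the configuration partition; compare thumbprints.
$rootDse   = [ADSI]'LDAP://RootDSE'
$cfg       = $rootDse.Properties['configurationNamingContext'].Value
$container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$cfg"
$found = $false
foreach ($caObj in $container.Children) {
    foreach ($blob in $caObj.Properties['cACertificate']) {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$blob)
        if ($c.Thumbprint -eq $root.Thumbprint) {
            $found = $true
            Write-Host "Root certificate is published in AD as $($caObj.Name)"
        }
    }
}
if (-not $found) {
    Write-Warning "Root thumbprint $($root.Thumbprint) not found under CN=Certification Authorities"
}
```

Members that enroll through the subordinate only see the root via this AD container and the domain's trusted-root policy, so a missing thumbprint here explains an empty Trusted Root Certification Authorities list in Group Policy.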


