Re: Enterprise Root CA Install
From: David Cross [MS] (dcross@online.microsoft.com)
Date: 04/09/03
- Next message: Dave: "lost SID"
- Previous message: David Cross [MS]: "Re: SSL client certificate authentication"
- In reply to: Arlis Brown: "Re: Enterprise Root CA Install"
- Next in thread: Arlis Brown: "Re: Enterprise Root CA Install"
- Reply: Arlis Brown: "Re: Enterprise Root CA Install"
From: "David Cross [MS]" <dcross@online.microsoft.com> Date: Wed, 9 Apr 2003 05:31:26 -0700
1. It can be any web server location that is publicly accessible. The
offline root should be off the network and the CRL should be periodically
copied from the offline root to an online location specified in the CDP
extension that machines can access to validate the subCA cert when building
chains.
2. If this step was not successful, the subCA won't start and clients won't
be able to enroll for certs.
If you have access to the Windows Server 2003 administration tools pack, you
will find much more powerful tools like certutil.exe that can be used to
verify and publish trusted roots, etc.
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Arlis Brown" <ambrown@eyenm.com> wrote in message news:015e01c2fd38$37d7a330$a301280a@phx.gbl...
> David,
>
> Thank you for your input regarding the offline CA. Yesterday, I tested the concept of creating a "standalone root CA" based on a Technet article entitled "Deploying the PKI". Within this article, details are provided on installing certificate services to W2K member servers in a standalone root CA configuration followed by an "Enterprise subordinate CA" installation. The areas of confusion encountered were:
>
> 1) Declaring the location of the standalone Root CA's CRL and CRT files. The article mentions the CRL and CRT files must be manually copied to the "web server". Here I am not sure if it is referring to the web server of the standalone Root CA or possibly the Enterprise subordinate CA. By default, the standalone root CA's policy module/X.509 Extension settings location pointers reference its own web server. If it is to be an "offline" root CA, how do you handle the location of the CRL and CRT files?
>
> 2) Publishing the standalone Root CA's certificate to Active Directory. Before installing the "Enterprise subordinate CA", instructions are provided on how to employ the "DSSTORE.EXE" utility to publish the root CA's certificate to Active Directory. Here, I did not know how to verify if the certificate was successfully published to Active Directory. I checked the Domain Group Policy Computer Configuration --> Windows Settings --> Security Settings --> Public Key Policies --> Trusted Root Certification Authorities, but did not find any entries. This one really bugs me since I am not sure if the standalone Root CA is actually recognized in AD. Can I verify from the standpoint of the "Enterprise subordinate CA"?
>
> Any insight on these issues will be greatly appreciated!
> Thanks!
>
> Arlis
>
> >-----Original Message-----
> >If you need a key length greater than 1024, you can use the enhanced or strong CSP which are the same.
> >
> >I wanted to point out something that I should have noticed before, you cannot take an enterprise CA offline. Enterprise CAs are meant to be online and connected to AD at all times. If standalone parent (root) CAs are taken offline, that is OK, but you must think about periodically publishing a CRL, etc. for this. Very soon we will have a best practices paper for Windows Server 2003 published on our web site.
> >
> >--
> >David B. Cross [MS]
> >--
> >This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >http://support.microsoft.com
> >
> >"Arlis Brown" <ambrown@eyenm.com> wrote in message
> >news:059301c2fac8$0a1a8ab0$a401280a@phx.gbl...
> >> All,
> >>
> >> Since input on the subject has been limited, I found an article on the TechNet CDs entitled "Windows 2000 Certificate Services and Public Key Infrastructure". Within, a comparison was provided between Microsoft's base CSP and the enhanced CSP. Furthermore, other .Net articles on PKI recommend using the enhanced CSP for stronger encryption. Can anybody provide any information on Microsoft's "Strong" CSP?
> >>
> >> Also, I wanted to know if an Enterprise Root CA has to have a static IP Address. I've covered articles on CA disaster recovery and many allude to allocating a static IP Address.
> >>
> >> Any input on the subject will be appreciated. Thanks!
> >>
> >> Arlis
> >>
> >> >-----Original Message-----
> >> >1. No - it is recommended to use a member server.
> >> >
> >> >2. Mainly key size. The Base provider is just fine for most purposes.
> >> >
> >> >--
> >> >David B. Cross [MS]
> >> >--
> >> >This posting is provided "AS IS" with no warranties, and confers no rights.
> >> >
> >> >"Arlis Brown" <ambrown@eyenm.com> wrote in message
> >> >news:074901c2f977$2344c890$3301280a@phx.gbl...
> >> >> I'm planning on installing a W2K Adv Server Enterprise Root CA and have a couple of questions:
> >> >>
> >> >> 1) Does the Server have to be a domain controller? Or, is it sufficient that it have access to a DC? As soon as I verify the installation and set up a subordinate Enterprise CA, the root server will be taken offline and placed in storage. Therefore, I had reservations about promoting it to a DC.
> >> >>
> >> >> 2) High Encryption Pack - Currently installed on my target server. I noted additional CSPs are now available and wanted advice on selecting something other than "Microsoft Base Cryptographic Provider v1.0". Other options are "Microsoft Enhanced Cryptographic Provider v1.0" and "Microsoft Strong Cryptographic Provider". What are the pros and cons regarding deviating from the default "Microsoft Base Cryptographic Provider v1.0"?
> >> >>
> >> >> I'll appreciate any feedback on this issue! Thanks!
> >> >>
> >> >> Arlis Brown, Network Manager
> >> >> Eye Associates of NM, Ltd.
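The two points answered above (copying the offline root's CRL to the online CDP location, and checking that the root is actually trusted in AD before the subordinate CA is brought up) can be carried out and verified with certutil.exe. The following PowerShell session is an added example, not part of the original thread or of any Microsoft documentation; the file names, the CDP share and the certificate names are assumptions chosen for illustration. certutil's -dspublish switch performs the same AD publication that the DSSTORE.EXE step in the quoted article did.

```powershell
# Added example (not from the original thread). Publishing an offline root CA's
# certificate and CRL so that an online enterprise subordinate CA can be
# validated, then verifying the result with certutil.exe.
# Assumptions: the files below were exported from the offline root and carried
# over on removable media; the CDP/AIA URLs baked into the root's extensions
# point at http://pki.example.com/pki/, which is served from \\webserver\pki$.

$RootCert  = 'C:\PKI\Export\OfflineRoot.crt'       # assumed path
$RootCrl   = 'C:\PKI\Export\OfflineRoot.crl'       # assumed path
$SubCaCert = 'C:\PKI\Export\EnterpriseSubCA.crt'   # assumed path
$CdpShare  = '\\webserver\pki$'                    # assumed CDP web root

# 1. The HTTP location named in the root's CDP/AIA extensions must actually
#    serve the files; this copy is what has to be repeated before each
#    CRL expires (the NextUpdate check in step 4 tells you when).
Copy-Item -Path $RootCert, $RootCrl -Destination $CdpShare -Force

# 2. Publish the root certificate and its CRL into Active Directory.
#    "RootCA" selects the Certification Authorities container, which domain
#    members read into their enterprise Trusted Root store; -f overwrites an
#    earlier copy of the same CA object.
certutil.exe -dspublish -f $RootCert RootCA
certutil.exe -dspublish -f $RootCrl

# 3. Confirm the root now appears in the enterprise Root store. This store is
#    populated from AD, not from the Group Policy Trusted Root list, which is
#    why a GPO-based check can come back empty even after a successful publish.
certutil.exe -store -enterprise Root

# 4. Check the published CRL is still within its validity window.
certutil.exe -dump $RootCrl | Select-String -Pattern 'ThisUpdate|NextUpdate'

# 5. Build and check the subordinate CA's chain the way a client would,
#    fetching the CDP and AIA URLs over the network. A failed CRL download here
#    is the usual reason the subCA service refuses to start.
certutil.exe -verify -urlfetch $SubCaCert
```

Run the session from a domain-joined machine with Enterprise Admins rights for the -dspublish steps; the -store and -verify steps need no special privilege and are the ones worth repeating from the subordinate CA itself, since that is the machine whose chain building has to succeed.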