Re: Enterprise Root CA Install
From: Arlis Brown (ambrown@eyenm.com)
Date: 04/09/03
- Next message: ron clifton: "folder password"
- Previous message: Jason Connelly: "Failed to create 'CertificateAuthority.Request' object"
- In reply to: David Cross [MS]: "Re: Enterprise Root CA Install"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Arlis Brown" <ambrown@eyenm.com> Date: Wed, 9 Apr 2003 14:33:53 -0700
David,
Thanks for the feedback, it is greatly appreciated! I
wanted to share a knowledge base article that really
clarified how to go about creating a distribution point for
the CRL and publishing the offline CA's certificate to
active directory. Check out article #271386.
The only item left uncovered is verifying whether the CRL
and CRT files were successfully published to AD. I
conducted a test in an offline lab but still could not
verify if the publication was successful. I'll
give "Certutil.exe" a try (Thanks for the tip). If you
have additional insight on this topic, please share it.
Arlis
>-----Original Message-----
>1. It can be any web server location that is publicly accessible. The
>offline root should be off the network and the CRL should be periodically
>copied from the offline root to an online location specified in the CDP
>extension that machines can access to validate the subCA cert when building
>chains.
>
>2. If this step was not successful, the subCA won't start and clients won't
>be able to enroll for certs.
>
>If you have access to the Windows Server 2003 administration tools pack, you
>will find much more powerful tools like certutil.exe that can be used to
>verify and published trusted roots, etc.
>
>--
>
>
>David B. Cross [MS]
>
>--
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>http://support.microsoft.com
>
>"Arlis Brown" <ambrown@eyenm.com> wrote in message
>news:015e01c2fd38$37d7a330$a301280a@phx.gbl...
>> David,
>>
>> Thank you for your input regarding the offline CA.
>> Yesterday, I tested the concept of creating a "standalone
>> root CA" based on a Technet article entitled "Deploying
>> the PKI". Within this article, details are provided on
>> installing certificate services to W2K member servers in a
>> standalone root CA configuration followed by
>> an "Enterprise subordinate CA" installation. The areas of
>> confusion encountered were:
>>
>> 1) Declaring the location of standalone Root CA's CRL and
>> CRT files. The article mentions the CRL and CRT files
>> must be manually copied to the "web server". Here I am
>> not sure if it is referring to the web server of the
>> standalone Root CA or possibly the Enterprise subordinate
>> CA. By default, the standalone root CA's policy
>> module/X.509 Extension settings location pointers
>> reference its own web server. If it is to be
>> an "offline" root CA, how do you handle the location of
>> the CRL and CRT files?
>>
>> 2) Publishing the standalone Root CA's certificate to
>> Active Directory. Before installing the "Enterprise
>> subordinate CA", instructions are provided on how to
>> employ the "DSSTORE.EXE" utility to publish the root CA's
>> certificate to Active Directory. Here, I did not know
>> how to verify if the certificate was successfully
>> published to Active Directory. I checked the Domain Group
>> Policy: Computer Configuration --> Windows Settings -->
>> Security Settings --> Public Key Policies --> Trusted Root
>> Certification Authorities, but did not find any entries.
>> This one really bugs me since I am not sure if the
>> standalone Root CA is actually recognized in AD. Can I
>> verify from the standpoint of the "Enterprise subordinate
>> CA"?
>>
>> Any insight on these issues will be greatly appreciated!
>> Thanks!
>>
>> Arlis
>>
>>
>> >-----Original Message-----
>> >If you need a key length greater than 1024, you can use
>> >the enhanced or strong CSP which are the same.
>> >
>> >I wanted to point out something that I should have
>> >noticed before, you cannot take an enterprise CA offline.
>> >Enterprise CAs are meant to be online and connected to AD
>> >at all times. If standalone parent (root) CAs are taken
>> >offline, that is OK, but you must think about periodically
>> >publishing a CRL, etc for this. Very soon we will have a
>> >best practices paper for Windows Server 2003 published on
>> >our web site.
>> >
>> >--
>> >
>> >
>> >David B. Cross [MS]
>> >
>> >--
>> >This posting is provided "AS IS" with no warranties, and
>> >confers no rights.
>> >
>> >http://support.microsoft.com
>> >
>> >"Arlis Brown" <ambrown@eyenm.com> wrote in message
>> >news:059301c2fac8$0a1a8ab0$a401280a@phx.gbl...
>> >> All,
>> >>
>> >> Since input on the subject has been limited, I found an
>> >> article on the TechNet CDs entitled "Windows 2000
>> >> Certificate Services and Public Key Infrastructure".
>> >> Within, a comparison was provided between Microsoft's base
>> >> CSP and the enhanced CSP. Furthermore, other .Net
>> >> articles on PKI recommend using the enhanced CSP for
>> >> stronger encryption. Can anybody provide any information
>> >> on Microsoft's "Strong" CSP?
>> >>
>> >> Also, I wanted to know if an Enterprise Root CA has to
>> >> have a static IP Address. I've covered articles on CA
>> >> disaster recovery and many allude to allocating a static
>> >> IP Address.
>> >>
>> >> Any input on the subject will be appreciated. Thanks!
>> >>
>> >> Arlis
>> >>
>> >> >-----Original Message-----
>> >> >1. No - it is recommended to use a member server.
>> >> >
>> >> >2. Mainly key size. The Base provider is just fine for
>> >> >most purposes.
>> >> >
>> >> >--
>> >> >
>> >> >David B. Cross [MS]
>> >> >
>> >> >--
>> >> >This posting is provided "AS IS" with no warranties, and
>> >> >confers no rights.
>> >> >
>> >> >"Arlis Brown" <ambrown@eyenm.com> wrote in message
>> >> >news:074901c2f977$2344c890$3301280a@phx.gbl...
>> >> >> I'm planning on installing a W2K Adv Server Enterprise
>> >> >> Root CA and have a couple of questions:
>> >> >>
>> >> >> 1) Does the Server have to be a domain controller? Or,
>> >> >> is it sufficient that it have access to a DC? As soon as
>> >> >> I verify the installation and set up a subordinate
>> >> >> Enterprise CA, the root server will be taken offline and
>> >> >> placed in storage. Therefore, I had reservations about
>> >> >> promoting it to a DC.
>> >> >>
>> >> >> 2) High Encryption Pack - Currently installed on my
>> >> >> target server. I noted additional CSPs are now available
>> >> >> and wanted advice on selecting something other
>> >> >> than "Microsoft Base Cryptographic Provider v1.0". Other
>> >> >> options are "Microsoft Enhanced Cryptographic Provider
>> >> >> v1.0" and "Microsoft Strong Cryptographic Provider". What
>> >> >> are the pros and cons regarding deviating from the
>> >> >> default "Microsoft Base Cryptographic Provider v1.0"?
>> >> >>
>> >> >> I'll appreciate any feedback on this issue! Thanks!
>> >> >>
>> >> >> Arlis Brown, Network Manager
>> >> >> Eye Associates of NM, Ltd.
>> >> >>
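The verification step Arlis says is still uncovered (did the offline root's CRT and CRL actually land in AD, and can the sub-CA chain be built from them) can be done with the certutil.exe David mentions. The script below is an added example, not part of the thread and not Microsoft's own procedure; it assumes a forest whose configuration partition is CN=Configuration,DC=corp,DC=example, the root's exported files C:\pki\RootCA.crt and C:\pki\RootCA.crl, and the issued subordinate certificate C:\pki\SubCA.cer, run by an Enterprise Admin on a domain-joined machine with the Windows Server 2003 admin tools installed.

```powershell
# Added example: publish an offline root CA's cert and CRL to AD and verify it.
# All names below are assumptions for illustration (see lead-in).
$configDn = "CN=Configuration,DC=corp,DC=example"
$pkiDn    = "CN=Public Key Services,CN=Services,$configDn"
$rootCrt  = "C:\pki\RootCA.crt"
$rootCrl  = "C:\pki\RootCA.crl"
$subCaCer = "C:\pki\SubCA.cer"

# 1. Publish the root certificate (RootCA = Certification Authorities
#    container, from which domain members build their trusted root list)
#    and the root's CRL into the CDP container of the configuration partition.
certutil -dspublish -f $rootCrt RootCA
certutil -dspublish -f $rootCrl

# 2. Verify in AD itself: dump the cACertificate attribute of every
#    certificationAuthority object under "Certification Authorities".
#    The root CA's subject name must appear in this listing.
$caStore = "ldap:///CN=Certification Authorities,$pkiDn" +
           "?cACertificate?one?objectClass=certificationAuthority"
certutil -store $caStore | Select-String -Pattern "Subject:|NotAfter:"

# 3. Verify the CRL object under CN=CDP (attribute certificateRevocationList).
$crlStore = "ldap:///CN=CDP,$pkiDn" +
            "?certificateRevocationList?sub?objectClass=cRLDistributionPoint"
certutil -store $crlStore | Select-String -Pattern "Issuer:|NextUpdate:"

# 4. Verify from a member's point of view: after a policy refresh the root
#    must show up in the machine's enterprise Root store (the AD-sourced one,
#    not the local Trusted Root store Arlis looked at in the GPO editor).
gpupdate /target:computer /force | Out-Null
certutil -store -enterprise Root | Select-String -Pattern "Subject:"

# 5. Finally, build the sub-CA chain with live CDP/AIA fetching; a non-zero
#    exit code means a CDP or AIA URL in the root's extensions is unreachable.
certutil -verify -urlfetch $subCaCer
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Sub-CA chain validation failed (exit $LASTEXITCODE); check the CDP/AIA URLs."
}
```

Steps 2 and 3 answer the AD publication question directly; step 5 is the one that matters for the symptom David describes, since a sub-CA whose root CRL cannot be fetched will not start.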