Need advice for CA Model

From: John McCoy (jmccoy_at_cmatech.com)
Date: 04/29/03


Date: Tue, 29 Apr 2003 16:34:37 -0400


We have a customer we are setting up PKI for. We are using two Windows 2000
servers, both for certificates, an NT4 server with Exchange 5.5, and an NT4
OWA server with a certificate from a Windows 2000 CA.

Phase one is sending and receiving digitally signed and encrypted email; we
did get that working, thanks to earlier help from this group, and it works
well with users from the inside and outside.

The original PKI model was a Root Enterprise CA; this is being used for
certificates for all internal users. The second CA was a standalone
subordinate; this was planned to be used for issuing certificates to users from
outside the organization, to be used for digitally signed email. That was
fine.

The second phase is for outside vendors to be able to access the network via
VPN and digital certificate. Here is where we are in trouble. We can't get
it to work.

We plan to have them get their certificate from the standalone CA. That
isn't working: we get the certificate, but when connecting we receive an error
that it can't chain back to the root CA. We haven't published the root CA for
security concerns. Is it safe to do this? We think not.

We then made the standalone sub a standalone root and get the same error.
Also, it seems we need an account in AD to connect. What is the best way to
do this? Is there a good document on MS's site that explains this?

Thanks

John McCoy
jmccoy@cmatech.com
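The "can't chain back to the root CA" error in the post above is what any X.509 verifier reports when the certificate that anchors the chain is missing from its trust store. The script below is an added example, not part of the original message or of any Microsoft documentation: it builds a throwaway root CA, a subordinate CA signed by that root, and a client certificate issued by the subordinate, all with openssl and made-up names, then verifies the client certificate against three trust-store configurations. The file root.crt holds only the root's public certificate; the private key stays in root.key and is never given to the verifier.

```shell
#!/bin/sh
# Added example (not from the original post): a two-tier test hierarchy built
# with openssl, showing which trust-store contents let a client certificate
# issued by the subordinate CA verify. CA and subject names are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

build_hierarchy() {
    # Extension profiles: CA certificates need CA:TRUE; the client cert must not have it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client_ext.cnf

    # Root CA: self-signed. root.crt is the public certificate, root.key the secret.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
        -extfile ca_ext.cnf -out root.crt 2>/dev/null

    # Subordinate CA, signed by the root (the "standalone subordinate" role).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Subordinate CA" \
        -keyout sub.key -out sub.csr 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca_ext.cnf -out sub.crt 2>/dev/null

    # Vendor's client certificate, issued by the subordinate CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vendor-user" \
        -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
        -days 30 -extfile client_ext.cnf -out client.crt 2>/dev/null
}

# Each check echoes "ok" or "fail" so the outcomes can be compared.
verify_sub_only() {
    # Trust store holds only the subordinate: no self-signed anchor is reachable.
    if openssl verify -CAfile sub.crt client.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

verify_root_only() {
    # Root is trusted, but the intermediate is not available to the verifier.
    if openssl verify -CAfile root.crt client.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

verify_full_chain() {
    # Root certificate trusted, subordinate supplied as an untrusted intermediate.
    if openssl verify -CAfile root.crt -untrusted sub.crt client.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

build_hierarchy
echo "subordinate CA only in trust store:  $(verify_sub_only)"
echo "root only, intermediate not supplied: $(verify_root_only)"
echo "root trusted, subordinate untrusted:  $(verify_full_chain)"
```

Only the third configuration verifies: the verifier must hold the root certificate as a trust anchor and must be able to obtain the subordinate CA certificate (here passed with -untrusted; in a real deployment it is sent along with the client certificate or fetched from an AIA location). On Windows the corresponding trust anchor store is Trusted Root Certification Authorities, and it is the root's certificate, not its private key, that has to be present there on both ends of the VPN.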


