Re: Need advice for CA Model
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 04/30/03
- Next message: David Cross [MS]: "Re: View certificate database"
- Previous message: David Cross [MS]: "Re: Import RSA keys for IPSec connection W2K-Red Hat Linux"
- In reply to: John McCoy: "Need advice for CA Model"
- Next in thread: John McCoy: "Re: Need advice for CA Model"
- Reply: John McCoy: "Re: Need advice for CA Model"
Date: Wed, 30 Apr 2003 05:45:01 -0700
The root CA must be trusted on all the clients that will enroll to the
enterprise or subCA. If you are going to require user authentication using
certificates, each certificate must correspond to a user in AD with a UPN
mapping to authenticate the user. The enterprise CA automatically creates
this mapping, but you still need an AD account for each user.
--
David B. Cross [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"John McCoy" <jmccoy@cmatech.com> wrote in message news:%23ROTx6oDDHA.3072@TK2MSFTNGP11.phx.gbl...
> We have a customer we are setting up PKI for. We are using 2 Windows 2000
> servers both for certificates, an NT4 server with Exchange 5.5 and an NT4
> server OWA with a certificate from a Windows 2000 CA.
>
> Phase one is sending and receiving digitally signed and encrypted email; we
> did get that working thanks to earlier help from this group and it works
> well with users from the inside and outside.
>
> The original PKI model was a Root Enterprise CA; this is being used for
> certificates for all internal users. The second CA was a standalone
> subordinate; this was planned to be used for issuing users from outside the
> organization certificates to be used for digitally signed email. That was
> fine.
>
> The second phase is for outside vendors to be able to access the network via
> VPN and digital certificate. Here is where we are in trouble. We can't get
> it to work.
>
> We plan to have them get their certificate from the standalone CA; that
> isn't working. We get it but receive an error that it can't chain back to the
> root CA when connecting. We haven't published the root CA for security
> concerns; is it safe to do this? We think not.
>
> We then made the standalone sub a standalone root and have the same error.
> Also it seems we need an account in AD to connect. What is the best way to
> do this? Is there a good document on MS's site that explains this?
>
> Thanks
>
> John McCoy
> jmccoy@cmatech.com
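The chain failure described in the thread, reproduced with the OpenSSL CLI as an added example (not code from either poster): a relying party such as the VPN server can validate a vendor certificate only when the root that anchors the chain is in its own trust store, and a fresh "standalone root" fails for the same reason. It assumes the `openssl` binary is installed; the CA names, key sizes and the UPN value are constructed lab values.

```shell
# Added example (not from the thread). All names and the UPN are constructed
# lab values; keys are unencrypted because this is a throwaway test hierarchy.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Extension profiles: CA certificates, and a client-auth certificate carrying a
# UPN in the SAN (OID 1.3.6.1.4.1.311.20.2.3), the value Windows maps to the
# AD account. As the reply notes, that account must still exist in AD.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[leaf]
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:vendor1@corp.example
EOF

# Key + CSR for a name ($1 = file prefix, $2 = CN).
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1; }
# Sign a CSR: $1 = prefix, $2 = extension section, rest = -signkey or -CA/-CAkey.
sign() { n=$1; e=$2; shift 2; openssl x509 -req -in "$n.csr" -days 30 -extfile ext.cnf -extensions "$e" -out "$n.pem" "$@" >/dev/null 2>&1; }

csr root "Lab Root CA";         sign root ca   -signkey root.key
csr sub  "Lab Subordinate CA";  sign sub  ca   -CA root.pem -CAkey root.key -CAcreateserial
csr leaf "vendor1";             sign leaf leaf -CA sub.pem -CAkey sub.key -CAcreateserial
# The "standalone root" attempt from the post: a separate self-signed CA.
csr lone "Lab Standalone Root"; sign lone ca   -signkey lone.key
csr leaf2 "vendor2";            sign leaf2 leaf -CA lone.pem -CAkey lone.key -CAcreateserial

# Trust store holds only the subordinate: the chain never reaches a self-signed
# anchor, so OpenSSL reports "unable to get issuer certificate".
verify_sub_only()  { openssl verify -CAfile sub.pem leaf.pem 2>&1 | grep -q ': OK'; }
# Trust store holds the root; the subordinate is supplied as an intermediate.
verify_with_root() { openssl verify -CAfile root.pem -untrusted sub.pem leaf.pem 2>&1 | grep -q ': OK'; }
# A certificate from the separate standalone root fails: that root is not trusted.
verify_lone_leaf() { openssl verify -CAfile root.pem leaf2.pem 2>&1 | grep -q ': OK'; }
# Number of otherName (UPN) entries in the vendor certificate's SAN.
upn_san_count()    { openssl x509 -in leaf.pem -noout -text | grep -ci 'othername'; }

for f in verify_sub_only verify_with_root verify_lone_leaf; do
  if $f; then echo "$f: chain OK"; else echo "$f: chain FAILED"; fi
done
echo "UPN otherName entries in leaf SAN: $(upn_san_count)"
```

Only `verify_with_root` succeeds, which is the point of the reply: distribute the root CA certificate (not its private key) to every relying party, and supply the subordinate certificate with the chain.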