Re: Need advice for CA Model
From: John McCoy (jmccoy_at_cmatech.com)
Date: 04/30/03
- Next message: Dominique: "How do i refuse internet connection to a computer on my LAN"
- Previous message: David Cross [MS]: "Re: View certificate database"
- In reply to: David Cross [MS]: "Re: Need advice for CA Model"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Apr 2003 09:04:37 -0400
Thanks, that does answer that question.
"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:ObUzLZxDDHA.2892@TK2MSFTNGP11.phx.gbl...
> The root CA must be trusted on all the clients that will enroll to the
> enterprise or subCA. If you are going to require user authentication using
> certificates, each certificate must correspond to a user in AD with a UPN
> mapping to authenticate the user. The enterprise CA automatically creates
> this mapping, but you still need an AD account for each user.
>
> --
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "John McCoy" <jmccoy@cmatech.com> wrote in message
> news:%23ROTx6oDDHA.3072@TK2MSFTNGP11.phx.gbl...
> > We have a customer we are setting up PKI for. We are using 2 Windows 2000
> > servers both for certificates, an NT4 server with Exchange 5.5 and an NT4
> > server running OWA with a certificate from a Windows 2000 CA.
> >
> > Phase one is sending and receiving digitally signed and encrypted email; we
> > did get that working thanks to earlier help from this group and it works
> > well with users from the inside and outside.
> >
> > The original PKI model was a Root Enterprise CA; this is being used for
> > certificates for all internal users. The second CA was a standalone
> > subordinate; this was planned to be used for issuing users from outside the
> > organization certificates to be used for digitally signed email. That was
> > fine.
> >
> > The second phase is for outside vendors to be able to access the network via
> > VPN and digital certificate. Here is where we are in trouble. We can't get
> > it to work.
> >
> > We plan to have them get their certificate from the standalone CA; that
> > isn't working, we get it but receive an error that it can't chain back to the
> > root CA when connecting. We haven't published the root CA for security
> > concerns; is it safe to do this? We think not.
> >
> > We then made the standalone sub a standalone root and have the same error.
> > Also it seems we need an account in AD to connect. What is the best way to
> > do this? Is there a good document on MS's site that explains this?
> >
> > Thanks
> >
> > John McCoy
> > jmccoy@cmatech.com