Re: Enterprise Root Ca's x 2?
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 06/19/03
- Next message: David Cross [MS]: "Re: How to refresh CRL cache?"
- Previous message: Andrew: "Permissions not working properly"
- In reply to: Paul beyer: "Enterprise Root Ca's x 2?"
- Next in thread: Paul Beyer: "Re: Enterprise Root Ca's x 2?"
- Reply: Paul Beyer: "Re: Enterprise Root Ca's x 2?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 19 Jun 2003 05:46:21 -0700
If you absolutely, positively do not want a link between the two, the best
practice would be to install a standalone root CA for each domain tree with
an enterprise subordinate CA in each domain. Although this is duplicate
hierarchy, it is a valid implementation and both hierarchies would be
trusted in your forest equally. You would want to ACL the CA object in the
enrollment services container to the specific domain - domainA CA object has
read only for domainA users and the same for the domainB CA object. This
prevents users from domainA getting a cert from CA B.
-- David B. Cross [MS] -- This posting is provided "AS IS" with no warranties, and confers no rights. http://support.microsoft.com

"Paul beyer" <paulkbeyer@hotmail.com> wrote in message news:095201c33655$e5443b40$a501280a@phx.gbl...
> I have an AD Forest with two disjointed AD Domains being
> onecompany.com and differentcorp.co.uk
>
> Within this forest/two domains - I'm deploying a PKI to
> serve web sites with SSL certs and users with Certs to
> secure and sign email using Exchange Key management
> services. I'm having to buy two different certs, one for
> each site as they are completely different, BUT with
> regard to installing MS CA, you have the four options.
> Enterprise Root CA
> Enterprise Sub CA
> Stand Alone Root CA
> Stand Alone Sub CA
>
> I'm opting for the Enterprise versions as I have AD for
> the CA's to integrate with - I think that's the right
> decision so far ..
> But you see I have two disjointed domains. And more to the
> point we cannot have customers discovering we are
> associated with each other by looking at the certificate
> path. As by normal trains of thought I'd install the Root
> CA in the forest Root Domain and then the Sub CA in the
> other domain. But this would expose our association if it
> were to work and also would it work anyway seeing as the
> second domain is not a direct sub domain of the root and
> is disjointed?
>
> I would assume by the current predicament that I would
> install a second Enterprise Root CA? but by definition
> and by instructions it seems that the root CA should only
> exist once in the Forest seeing as it is AD linked and
> upon install it says the Root CA should be installed
> before all others in the enterprise. Doh ..
>
> Now I'm stuck .. Can I install a second Root CA seeing as
> the domains are disjointed ?
> Or would I install a Stand Alone Root CA and forfeit all
> the functionality that the Enterprise one offers?
>
> Hope someone can help with this!
>
> Best Regards
>
> Paul Beyer
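As an added example (not from David's reply or from any Microsoft guidance), this PowerShell script applies the ACL step he describes: each CA's pkiEnrollmentService object in the Enrollment Services container keeps read access only for the group of the domain that CA serves. This only limits which CA the enrollment client can discover; the CA's own Request Certificates permission and the template ACLs are separate controls and should be set to match. It assumes the ActiveDirectory module, Enterprise Admin rights, and placeholder CA and group names.

```powershell
# Added example, not from the thread: lock each CA's pkiEnrollmentService
# object in the Enrollment Services container to the users of the domain it
# serves. Assumes the ActiveDirectory module and Enterprise Admin rights;
# CA names and group names below are placeholders.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$esPath   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Placeholder CA common names mapped to the group allowed to read each object.
$caToGroup = @{
    'DomainA-Issuing-CA' = 'ONECOMPANY\Domain Users'
    'DomainB-Issuing-CA' = 'DIFFERENTCORP\Domain Users'
}

foreach ($caName in $caToGroup.Keys) {
    $objPath = "AD:\CN=$caName,$esPath"

    # Pass 1: stop inheriting from the container, keeping copies of the
    # inherited ACEs so admin rights on the object survive.
    $acl = Get-Acl -Path $objPath
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $objPath -AclObject $acl

    # Pass 2: drop the Authenticated Users entries (now explicit) so users
    # of the other domain can no longer see this CA, then grant read to
    # the group of the domain this CA serves.
    $acl = Get-Acl -Path $objPath
    foreach ($ace in @($acl.Access)) {
        if ($ace.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users') {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    $group = [System.Security.Principal.NTAccount]$caToGroup[$caName]
    $rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $objPath -AclObject $acl

    # Check: show the explicit ACEs that now apply to this CA object.
    "--- $objPath"
    (Get-Acl -Path $objPath).Access |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}
```

Run it once from a machine with RSAT in the forest root, then confirm from a test account in each domain that `certutil -config -` lists only that domain's CA.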