Re: Enterprise Root Ca's x 2?
From: Paul Beyer (paulkbeyer_at_hotmail.com)
Date: 06/19/03
- Next message: Steven L Umbach: "Re: Secure passwords?"
- Previous message: craig: "administrator password"
- In reply to: David Cross [MS]: "Re: Enterprise Root Ca's x 2?"
- Next in thread: David Cross [MS]: "Re: Enterprise Root Ca's x 2?"
- Reply: David Cross [MS]: "Re: Enterprise Root Ca's x 2?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 19 Jun 2003 06:52:56 -0700
Thanks David, that's the answer I wanted..

BUT, now my architecture has changed - or I'm understanding it more and more, I don't know which!

I seem to think that I now would not want to install Root CA's of either kind as I'm going to have SuperCerts issued by Thawte for both sites. Would this not mean that I want to install Subordinate CA's of some description on both sites as the Root CA will be the issuing Thawte Root?

I'm just getting Thawte to confirm that I can use these SuperCerts to issue Exchange User Keys so that our users can sign their mail and have return mail encrypted to customers and associates.

How would I set up our CA topology given my newfound situation, or am I talking complete c**p, using the same disjointed domain structure and the completely separate nature that they must adhere to?

Best Regards
Paul Beyer
>-----Original Message-----
>If you absolutely, positively do not want a link between the two, the best
>practice would be to install a standalone root CA for each domain tree with
>an enterprise subordinate CA in each domain. Although this is duplicate
>hierarchy, it is a valid implementation and both hierarchies would be
>trusted in your forest equally. You would want to ACL the CA object in the
>enrollment services container to the specific domain - domainA CA object has
>read only for domainA users and the same for the domainB CA object. This
>prevents users from domainA getting a cert from CA B.
>
>--
>
>David B. Cross [MS]
>
>--
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>http://support.microsoft.com
>
>"Paul beyer" <paulkbeyer@hotmail.com> wrote in message
>news:095201c33655$e5443b40$a501280a@phx.gbl...
>> I have an AD Forest with two disjointed AD Domains being
>> onecompany.com and differentcorp.co.uk
>>
>> Within this forest/two domains - I'm deploying a PKI to serve web sites
>> with SSL certs and users with Certs to secure and sign email using
>> Exchange Key Management Services. I'm having to buy two different certs,
>> one for each site as they are completely different, BUT with regard to
>> installing MS CA, you have the four options.
>> Enterprise Root CA
>> Enterprise Sub CA
>> Stand Alone Root CA
>> Stand Alone Sub CA
>>
>> I'm opting for the Enterprise versions as I have AD for the CA's to
>> integrate with - I think that's the right decision so far ..
>> But you see I have two disjointed domains. And more to the point, we
>> cannot have customers discovering we are associated with each other by
>> looking at the certificate path. As by normal trains of thought I'd
>> install the Root CA in the forest Root Domain and then the Sub CA in the
>> other domain. But this would expose our association if it were to work,
>> and also would it work anyway seeing as the second domain is not a direct
>> sub domain of the root and is disjointed?
>>
>> I would assume by the current predicament that I would install a second
>> Enterprise Root CA? But by definition and by instructions it seems that
>> the root CA should only exist once in the Forest seeing as it is AD linked
>> and upon install it says the Root CA should be installed before all others
>> in the enterprise. Doh ..
>>
>> Now I'm stuck .. Can I install a second Root CA seeing as the domains are
>> disjointed?
>> Or would I install a Stand Alone Root CA and forfeit all the functionality
>> that the Enterprise one offers?
>>
>> Hope someone can help with this!
>>
>> Best Regards
>>
>> Paul Beyer
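The ACL change David describes (scoping each enterprise CA's object in the Enrollment Services container to one domain's users) is shown below as an added example; it is not code from the thread or from Microsoft. It uses today's RSAT ActiveDirectory module and its AD: drive, which did not exist in 2003, and assumes constructed CA names (OneCompany-Issuing-CA, DifferentCorp-Issuing-CA) and NetBIOS domain names (ONECOMPANY, DIFFERENTCORP). Without -Apply it only reports which principals can read or enroll against each CA object, which is the check to run first.

```powershell
<#
  Added example, not from the thread. Audits the DACL on every enterprise CA's
  pKIEnrollmentService object and, with -Apply, restricts read + Enroll to the
  one domain's users named in $Scope. Assumptions (constructed): the CA names
  and group names below, and the RSAT ActiveDirectory module (AD: PSDrive).
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # CA common name -> the only group that should be able to read/enroll (constructed mapping).
    [hashtable]$Scope = @{
        'OneCompany-Issuing-CA'    = 'ONECOMPANY\Domain Users'
        'DifferentCorp-Issuing-CA' = 'DIFFERENTCORP\Domain Users'
    },
    [switch]$Apply
)

Import-Module ActiveDirectory -ErrorAction Stop

# rightsGuid of the Certificate-Enrollment control access right in the AD schema.
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ReadProp    = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$ExtRight    = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$configNC   = (Get-ADRootDSE).configurationNamingContext
$enrollSvcs = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$cas = Get-ADObject -SearchBase $enrollSvcs -SearchScope OneLevel `
                    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                    -Properties dNSHostName

foreach ($ca in $cas) {
    $path = "AD:\$($ca.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    Write-Host "`n== $($ca.Name) ($($ca.dNSHostName))"

    # Audit: list every Allow ACE that grants ReadProperty or the Enroll right.
    # A forest-wide principal here means users of BOTH domain trees can see and use this CA.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights    = [int]$ace.ActiveDirectoryRights
        $canRead   = ($rights -band $ReadProp) -ne 0
        $canEnroll = (($rights -band $ExtRight) -ne 0) -and
                     ($ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq [guid]::Empty)
        if (-not ($canRead -or $canEnroll)) { continue }
        $flag = if ($ace.IdentityReference.Value -match 'Authenticated Users|Everyone|Domain Users') {
                    '  <-- check: is this the intended domain?' } else { '' }
        Write-Host ('  {0,-45} read={1} enroll={2}{3}' -f
                    $ace.IdentityReference.Value, $canRead, $canEnroll, $flag)
    }

    if (-not $Apply -or -not $Scope.ContainsKey($ca.Name)) { continue }
    $group = $Scope[$ca.Name]
    $sid   = ([System.Security.Principal.NTAccount]$group).Translate(
                 [System.Security.Principal.SecurityIdentifier])

    # Make inherited ACEs explicit so the broad grants can be removed, then drop the
    # forest-wide principals. Admin and Cert Publishers ACEs are left untouched.
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($broad in 'NT AUTHORITY\Authenticated Users', 'Everyone') {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$broad)
    }

    # Grant read + Enroll to the one domain's users only.
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow))
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $EnrollRight))

    if ($PSCmdlet.ShouldProcess($ca.Name, "restrict read/enroll to $group")) {
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Two things to keep in mind when using it. The object ACL only decides which users can discover and enroll against a CA through Active Directory; the CA's own "Request Certificates" permission and the ACLs on each certificate template are separate gates and should be scoped to the same domain group, or a user from the other tree who learns the CA's name can still request a certificate. And the separation customers see in a certificate path comes from the two independent standalone roots David describes, not from this ACL: the ACL stops cross-domain enrollment, the hierarchy design stops the chains from sharing an issuer. Run it with -Apply -WhatIf first, because blocking inheritance on the CA object is a permanent change to how that object picks up permissions from its container.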