Re: Enterprise Root Ca's x 2?

From: Paul Beyer (paulkbeyer_at_hotmail.com)
Date: 06/19/03

Date: Thu, 19 Jun 2003 06:52:56 -0700
Thanks David, that's the answer I wanted.

BUT, now my architecture has changed - or I'm
understanding it more and more, I don't know which!

I seem to think that I now would not want to install Root
CAs of either kind as I'm going to have SuperCerts
issued by Thawte for both sites. Would this not mean that
I want to install Subordinate CAs of some description on
both sites, as the Root CA will be the issuing Thawte Root?

I'm just getting Thawte to confirm that I can use these
SuperCerts to issue Exchange User Keys so that our users
can sign their mail and have return mail encrypted to
customers and associates.

How would I set up our CA topology given my newfound
situation, or am I talking complete c**p, using the same
disjointed domain structure and the completely separate
nature that they must adhere to?

Best Regards

Paul Beyer

>-----Original Message-----
>If you absolutely, positively do not want a link between the two, the best
>practice would be to install a standalone root CA for each domain tree with
>an enterprise subordinate CA in each domain. Although this is duplicate
>hierarchy, it is a valid implementation and both hierarchies would be
>trusted in your forest equally. You would want to ACL the CA object in the
>enrollment services container to the specific domain - domainA CA object has
>read only for domainA users and the same for the domainB CA object. This
>prevents users from domainA getting a cert from CA B.
>
>--
>
>David B. Cross [MS]
>
>--
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>http://support.microsoft.com
>
>"Paul beyer" <paulkbeyer@hotmail.com> wrote in message
>news:095201c33655$e5443b40$a501280a@phx.gbl...
>> I have an AD Forest with two disjointed AD Domains being
>> onecompany.com and differentcorp.co.uk
>>
>> Within this forest/two domains - I'm deploying a PKI to
>> serve web sites with SSL certs and users with Certs to
>> secure and sign email using Exchange Key management
>> services. I'm having to buy two different certs, one for
>> each site as they are completely different, BUT with
>> regard to installing MS CA, you have the four options.
>> Enterprise Root CA
>> Enterprise Sub CA
>> Stand Alone Root CA
>> Stand Alone Sub CA
>>
>> I'm opting for the Enterprise versions as I have AD for
>> the CAs to integrate with - I think that's the right
>> decision so far ..
>> But you see I have two disjointed domains. And more to the
>> point we cannot have customers discovering we are
>> associated with each other by looking at the certificate
>> path. As by normal trains of thought I'd install the Root
>> CA in the forest Root Domain and then the Sub CA in the
>> other domain. But this would expose our association if it
>> were to work, and also would it work anyway seeing as the
>> second domain is not a direct sub domain of the root and
>> is disjointed?
>>
>> I would assume by the current predicament that I would
>> install a second Enterprise Root CA? But by definition
>> and by instructions it seems that the root CA should only
>> exist once in the Forest seeing as it is AD linked and
>> upon install it says the Root CA should be installed
>> before all others in the enterprise. Doh ..
>>
>> Now I'm stuck .. Can I install a second Root CA seeing as
>> the domains are disjointed?
>> Or would I install a Stand Alone Root CA and forfeit all
>> the functionality that the Enterprise one offers?
>>
>> Hope someone can help with this!
>>
>> Best Regards
>>
>> Paul Beyer
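David's advice hinges on the ACL of each CA's pKIEnrollmentService object in the Enrollment Services container: if domain B users can still read (or hold Enroll on) the domain A CA object, the two hierarchies are not isolated. The script below is an added audit example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module, a domain-joined machine and an account with read access to the forest Configuration partition, and it reports every principal with read or Enroll rights on each CA object so that Authenticated Users or the other domain's groups stand out.

```powershell
# Added example (not from the thread): list who can read or enroll against
# each enterprise CA object published under Enrollment Services.
Import-Module ActiveDirectory

$R = [System.DirectoryServices.ActiveDirectoryRights]
# Schema GUID of the Certificate-Enrollment ("Enroll") extended right.
$EnrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
# An ExtendedRight ACE with an empty ObjectType grants every extended right.
$AllExtended = [Guid]::Empty

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# One pKIEnrollmentService object exists per enterprise CA in the forest.
$cas = Get-ADObject -SearchBase $container `
                    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                    -Properties dNSHostName

foreach ($ca in $cas) {
    # The AD: drive is created by the ActiveDirectory module on import.
    $acl = Get-Acl -Path "AD:\$($ca.DistinguishedName)"
    foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })) {
        $rights = $ace.ActiveDirectoryRights
        # ReadProperty is set by ReadProperty, GenericRead and GenericAll alike.
        $canRead = [int]($rights -band $R::ReadProperty) -ne 0
        # Enroll is reachable via full control, the Enroll right itself,
        # or a blanket grant of all extended rights.
        $canEnroll = (($rights -band $R::GenericAll) -eq $R::GenericAll) -or
                     (([int]($rights -band $R::ExtendedRight) -ne 0) -and
                      ($ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq $AllExtended))
        if ($canRead -or $canEnroll) {
            [PSCustomObject]@{
                CA        = $ca.Name
                Host      = $ca.dNSHostName
                Principal = $ace.IdentityReference.Value
                Read      = $canRead
                Enroll    = $canEnroll
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Pipe the output to Format-Table and look for the other domain's users or Authenticated Users on each CA row; any such principal means the per-domain restriction David describes has not been applied to that object.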
