Re: Enterprise Root Ca's x 2?

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 06/20/03


Date: Fri, 20 Jun 2003 05:41:38 -0700


This is fine - you can have Thawte be the root CA and sign both of your
enterprise sub CAs. Everything else would remain the same.

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Paul Beyer" <paulkbeyer@hotmail.com> wrote in message
news:0c8601c3366a$16073430$a601280a@phx.gbl...
> Thanks David, that's the answer I wanted..
>
> BUT, now my architecture has changed - or I'm
> understanding it more and more, I don't know which!
>
> I seem to think that I now would not want to install Root
> CAs of either kind as I'm going to have SuperCerts
> issued by Thawte for both sites. Would this not mean that
> I want to install Subordinate CAs of some description on
> both sites as the Root CA will be the Issuing Thawte Root?
>
> I'm just getting Thawte to confirm that I can use these
> SuperCerts to issue Exchange User Keys so that our users
> can sign their mail and have return mail encrypted to
> customers and associates.
>
> How would I set up our CA topology given my newfound
> situation, or am I talking complete c**p, using the same
> disjointed domain structure and the completely separate
> nature that they must adhere to?
>
> Best Regards
>
> Paul Beyer
>
>
> >-----Original Message-----
> >If you absolutely, positively do not want a link between
> >the two, the best practice would be to install a standalone
> >root CA for each domain tree with an enterprise subordinate
> >CA in each domain.  Although this is duplicate hierarchy, it
> >is a valid implementation and both hierarchies would be
> >trusted in your forest equally.  You would want to ACL the
> >CA object in the enrollment services container to the
> >specific domain - domainA CA object has read only for
> >domainA users and the same for the domainB CA object.  This
> >prevents users from domainA getting a cert from CA B.
> >
> >-- 
> >
> >
> >David B. Cross [MS]
> >
> >--
> >This posting is provided "AS IS" with no warranties, and
> >confers no rights.
> >
> >http://support.microsoft.com
> >
> >"Paul beyer" <paulkbeyer@hotmail.com> wrote in message
> >news:095201c33655$e5443b40$a501280a@phx.gbl...
> >> I have an AD Forest with two disjointed AD Domains being
> >> onecompany.com and differentcorp.co.uk
> >>
> >> Within this forest/two domains - I'm deploying a PKI to
> >> serve web sites with SSL certs and users with Certs to
> >> secure and sign email using Exchange Key Management
> >> Services. I'm having to buy two different certs, one for
> >> each site as they are completely different, BUT with
> >> regard to installing MS CA, you have the four options.
> >> Enterprise Root CA
> >> Enterprise Sub CA
> >> Stand Alone Root CA
> >> Stand Alone Sub CA
> >>
> >> I'm opting for the Enterprise versions as I have AD for
> >> the CAs to integrate with - I think that's the right
> >> decision so far ..
> >> But you see I have two disjointed domains. And more to the
> >> point we cannot have customers discovering we are
> >> associated with each other by looking at the certificate
> >> path. As by normal trains of thought I'd install the Root
> >> CA in the forest Root Domain and then the Sub CA in the
> >> other domain. But this would expose our association if it
> >> were to work and also would it work anyway seeing as the
> >> second domain is not a direct sub domain of the root and
> >> is disjointed?
> >>
> >> I would assume by the current predicament that I would
> >> install a second Enterprise Root CA? But by definition
> >> and by instructions it seems that the root CA should only
> >> exist once in the Forest seeing as it is AD linked and
> >> upon install it says the Root CA should be installed
> >> before all others in the enterprise. Doh ..
> >>
> >> Now I'm stuck .. Can I install a second Root CA seeing as
> >> the domains are disjointed?
> >> Or would I install a Stand Alone Root CA and forfeit all
> >> the functionality that the Enterprise one offers?
> >>
> >> Hope someone can help with this!
> >>
> >> Best Regards
> >>
> >> Paul Beyer
> >
> >
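An added audit script, not part of this thread or of any Microsoft tooling, that reads the ACL of each CA object under the Enrollment Services container and flags Allow entries granted to principals from a domain other than the one that CA is meant to serve; the CA names and the CA-to-domain table are assumed placeholders to be edited for the forest in question.

```powershell
# Added example: audit pKIEnrollmentService ACLs so each enterprise sub CA
# object is readable/enrollable only by its own domain's users.
# Assumption: run as a user who can read the Configuration partition.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$path     = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$container = [ADSI]$path

# Placeholder mapping of CA common name -> NetBIOS domain it should serve.
# Edit these to the real CA names and domains in your forest.
$caDomain = @{
    'onecompany-SubCA'    = 'ONECOMPANY'
    'differentcorp-SubCA' = 'DIFFERENTCORP'
}

# Well-known authorities that appear on every object and are not a domain.
$ignoreDomains = @('BUILTIN', 'NT AUTHORITY', 'NT SERVICE', 'CREATOR OWNER')

foreach ($child in $container.Children) {
    $caName = [string]$child.cn
    $wanted = $caDomain[$caName]
    Write-Host "CA object: $caName (intended domain: $wanted)"

    foreach ($ace in $child.ObjectSecurity.Access) {
        $who    = $ace.IdentityReference.Value     # e.g. ONECOMPANY\Domain Users
        $rights = $ace.ActiveDirectoryRights
        $type   = $ace.AccessControlType
        Write-Host ("  {0,-5} {1,-40} {2}" -f $type, $who, $rights)

        # Only Allow ACEs for DOMAIN\principal identities can leak access
        # across the two domains; SIDs that did not resolve are skipped.
        if ($type -eq 'Allow' -and $who -like '*\*') {
            $aceDomain = $who.Split('\')[0]
            if ($wanted -and $aceDomain -ne $wanted -and
                $ignoreDomains -notcontains $aceDomain) {
                Write-Warning "$caName grants '$rights' to $who (not $wanted)"
            }
        }
    }
}
```

Forest-wide groups from the root domain (for example Enterprise Admins) will be reported as warnings by design, since the script only knows each CA's intended user domain; review those entries rather than removing them blindly.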

