Re: Public Key on Enterprise CA

From: Laudon Williams [MSFT] (laudonw_at_online.microsoft.com)
Date: 10/17/03


Date: Fri, 17 Oct 2003 08:21:34 -0700

Dave, I cannot provide you with specific recommendations, but I can tell you
that RSA Security, VeriSign, and GeoTrust all offer programs where they will
sign your CA. We are seeing more people look at this option in order to use
the automated certificate issuance and renewal capabilities of the Windows
2000 or Windows Server 2003 Enterprise CA. It is primarily the ease of
issuance and management that makes this interesting versus enrolling
directly to the public CA.

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
"Dave" <nospam@hotmail.com> wrote in message
news:Of2Q57LlDHA.1096@TK2MSFTNGP11.phx.gbl...
> I am trying to do exactly the same thing.  I see that Verisign will sell you
> digital certificates for about $15 per user.  This is if you go to them
> directly and there is no Win2K subordinate CA involved.  Is there any cost
> savings by managing your own subordinate CA with Verisign as the root CA to
> issue digital certificates for secure email?  Do you have any ideas what
> trusted CA is the best value, Verisign, etc?
>
> "Laudon Williams [MSFT]" <laudonw@online.microsoft.com> wrote in message
> news:uwE9olLlDHA.2068@TK2MSFTNGP09.phx.gbl...
> > OK, got it.
> >
> > This is really going to be driven by the public root that you are chaining
> > to. They will have different requirements around what type of CA that they
> > will sign, and what types of certificates they will let you issue.
> >
> > For the most part, I would use a second CA just to issue certificates that
> > chain to that root. That way you can use the current CA to issue low-cost
> > certificates for authentication, and use the other CA to issue S/MIME certs
> > only to the people who need them (if it chains to a public root, you will be
> > paying a per-certificate charge). The cost savings should justify the second
> > CA, but it will be really easy for you to determine that once you look at
> > pricing.
> >
> > -- 
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > "Tim Guy" <tim@hurtwood.demonREMOVE.SPAM.co.uk> wrote in message
> > news:Ox6TpmIlDHA.644@TK2MSFTNGP11.phx.gbl...
> > > I already have an enterprise CA installed into an AD but with a private root
> > > key. This CA is doing 802.1x functions.
> > >
> > > The customer now wants to use the CA to validate Emails. To do this, I'm
> > > going to need a Public root key, yeah?
> > >
> > > So to do this can I:
> > >
> > > Add a public key to the Enterprise CA that is already installed
> > >
> > > or
> > >
> > > Do I have to lose the current CA and reinstall it but with a public root
> > > key
> > >
> > > or
> > >
> > > Can one cert srv not provide public and AD certificates at the same time and
> > > I need two cert srvs, one public and one enterprise AD???
> > >
> > >
> > > "Laudon Williams [MSFT]" <laudonw@online.microsoft.com> wrote in message
> > > news:uP64xF0kDHA.744@tk2msftngp13.phx.gbl...
> > > > Tim, I'm unclear on exactly what you are trying to do. Are you asking if a
> > > > given Certificate Services instance can have two CAs?
> > > >
> > > > -- 
> > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > >
> > > >
> > > > "Tim Guy" <tim@hurtwood.demonREMOVE.SPAM.co.uk> wrote in message
> > > > news:%23u0lMdykDHA.3320@tk2msftngp13.phx.gbl...
> > > > > Can anyone point me to any Q's on how to do this please.
> > > > >
> > > > > Can I have an Enterprise CA that is well established and then add a public
> > > > > key without losing the certificates that are already given out?????
> > > > >
> > > > > Or do I have to start from the beginning again.
> > > > >
> > > > > This is going on from a post a few days ago where I am/have installed an
> > > > > Enterprise CA for a customer to use 802.1x wireless EAP but now the customer
> > > > > wants to take advantage of that CA and use it for external mail certificates
> > > > > which will require a public key.
> > > > >
> > > > > Regards
> > > > >
> > > > > Tim
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

