Re: DCOM error with NTBACKUP and Certificate Services

From: Brian Komar (bkomar_at_komarconsulting.com.nospam)
Date: 12/30/03


Date: Tue, 30 Dec 2003 11:43:27 -0600

In article <002601c3cef1$6794efc0$a301280a@phx.gbl>,
anonymous@discussions.microsoft.com says...
> Hi Brian
>
> thanks for the comments and links - I'll alter my
> configuration to allow for an online enterprise root CA -
> however I've spent most of the day looking for details on
> how to configure root so it only issues to subordinate -
> as far as I can see I need to change the security settings
> on either the Certification Authority (just give
> Authenticated Users Read access) or on individual
> certificate templates (in Sites and Services), but I've
> not found any clear documentation on how best to do this.
>
> again, thanks
>
> regards
> paul
<snip>

If you only want the online enterprise root CA to issue certificates to
subordinate CAs, then you must only publish the Subordinate
Certification Authority certificate template at the online root CA.

To do this, open the Certification Authority console, and click the
Certificate Templates (or Policy Settings container in 2k), and then
remove all certificate templates except the Subordinate Certification
Authority certificate template.

In addition, you can set the permissions on the certificate template to
limit who can enroll the template. Use Certtmpl.msc if using Windows
2003 or AD Sites and Services if using 2k.

Brian
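
The console steps described in the reply above can also be scripted. This is an added example, not part of the original post: it removes every published template except the Subordinate Certification Authority template from the CA and reports what remains. It assumes Windows Server 2012 or later with the ADCSAdministration module, run in an elevated session on the root CA itself; the `$Allowed` parameter is a name chosen for this example.

```powershell
#Requires -Modules ADCSAdministration
# Added example (assumption: Windows Server 2012+ with the ADCSAdministration
# module, executed locally on the online root CA by a CA administrator).

[CmdletBinding(SupportsShouldProcess)]
param(
    # Template short names allowed to stay published on this CA.
    # SubCA is the built-in Subordinate Certification Authority template.
    [string[]]$Allowed = @('SubCA')
)

# Templates the CA is currently willing to issue.
$published = @(Get-CATemplate)

# Anything published that is not on the allow list must go.
$extra = @($published | Where-Object { $Allowed -notcontains $_.Name })

# Anything on the allow list that is not yet published must be added.
$missing = @($Allowed | Where-Object { $published.Name -notcontains $_ })

foreach ($template in $extra) {
    if ($PSCmdlet.ShouldProcess($template.Name, 'Stop issuing from this CA')) {
        # Unpublishes the template from this CA only; the template object
        # itself stays in Active Directory for other CAs to use.
        Remove-CATemplate -Name $template.Name -Force
    }
}

foreach ($name in $missing) {
    if ($PSCmdlet.ShouldProcess($name, 'Publish on this CA')) {
        Add-CATemplate -Name $name -Force
    }
}

# Report the final state so the change can be recorded.
Get-CATemplate | Select-Object Name, Oid
```

Run it with `-WhatIf` first to list the templates that would be removed without changing the CA. Enroll permissions on the template itself are still set separately, as the reply describes.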