Re: Certificate Server Hierarchy Question
From: Rob (rob_at_nospam.com)
Date: 03/15/04
Date: Mon, 15 Mar 2004 12:12:53 -0500
David,
These references helped a lot and I would just like to run my setup by you. I
have a small website that is going to be accessed by a small number, 15-20, of
users. I would like to make the site require client certificates. Since
there is such a small number of users and because the only thing the
certificate server will be used for is web certificates, I think I can just
make a 1-tier setup with one offline root CA. I will keep this server
unconnected from a network and I will manually create the certificates and
update the CRL. Does this sound ok?
Also, what's the best way to get a client certificate to a geographically
separated user short of putting it on a disk and mailing it to them?
Thanks.
Rob
"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:OZG$62DCEHA.3256@TK2MSFTNGP09.phx.gbl...
> These two docs should help you out:
>
> Best Practices:
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp
>
>
> MSA:
>
> http://www.microsoft.com/technet/itsolutions/msa/msa20rak/VMHTMLPages/VMHtm122.asp
>
>
> --
>
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "Rob" <rob@nospam.com> wrote in message
> news:%23Qu8p$6BEHA.1220@TK2MSFTNGP10.phx.gbl...
> > I am trying to set up a website that will require client certificates and I
> > have read through much of what Microsoft has written about Windows 2000
> > Server Certificate Server but I am a little bit unsure on the hierarchy of the
> > servers. Any help anyone can provide would be greatly appreciated.
> >
> > From what I gather, the best setup would be to have a Standalone Root CA
> > that is not connected to the network and a Subordinate Root CA that is
> > networked. I am not really clear on why this is. What is on the Root that
> > you can't get from the Subordinate? Assuming that this is the
> > configuration, can the Subordinate Root be on the same server as the web
> > server? I know it's possible to do this but is it a big security risk?
> > Does IIS log certificate use so I can know who/when was accessing the site?
> >
> > Also, once I have this hierarchy ironed out, what is the best/most secure way
> > to issue certificates to clients online?
> >
> > Thanks in advance.
> >
> > Rob
> >
> >
>
>