Re: Certificate Server Hierchy Question
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 03/17/04
- Next message: Andrew Mitchell: "Re: Auditing Users netowrk and TS Client"
- Previous message: jedec: "Re: Return value (2146)."
- In reply to: Rob: "Re: Certificate Server Hierchy Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Mar 2004 05:35:40 -0800
I think if you use an offline root CA, you will find the burden of manually
updating the CRL, etc. very tedious over time very quickly. I would likely
recommend an enterprise root CA to automate your management. In the case of
geographically distributed people with no connectivity to the CA, there is
no easy way. Your solution is likely as good as any.
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Rob" <rob@nospam.com> wrote in message news:eo5UCDrCEHA.3408@tk2msftngp13.phx.gbl...
> David,
> These references helped a lot and I would just like to run my setup by you. I
> have a small website that is going to be accessed by a small number, 15-20, of
> users. I would like to make the site require client certificates. Since
> there is such a small number of users and because the only thing the
> certificate server will be used for is web certificates, I think I can just
> make a 1-tier setup with one offline root CA. I will keep this server
> unconnected from a network and I will manually create the certificates and
> update the CRL. Does this sound ok?
>
> Also, what's the best way to get a client certificate to a geographically
> separated user short of putting it on a disk and mailing it to them?
>
> Thanks.
>
> Rob
>
> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> news:OZG$62DCEHA.3256@TK2MSFTNGP09.phx.gbl...
> > These two docs should help you out:
> >
> > Best Practices:
> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp
> >
> > MSA:
> > http://www.microsoft.com/technet/itsolutions/msa/msa20rak/VMHTMLPages/VMHtm122.asp
> >
> > --
> > David B. Cross [MS]
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > http://support.microsoft.com
> >
> > "Rob" <rob@nospam.com> wrote in message
> > news:%23Qu8p$6BEHA.1220@TK2MSFTNGP10.phx.gbl...
> > > I am trying to set up a website that will require client certificates and I
> > > have read through much of what Microsoft has written about Windows 2000
> > > Server Certificate Server but I am a little bit unsure on the hierarchy of
> > > the servers. Any help anyone can provide would be greatly appreciated.
> > >
> > > From what I gather, the best setup would be to have a Standalone Root CA
> > > that is not connected to the network and a Subordinate Root CA that is
> > > networked. I am not really clear on why this is. What is on the Root that
> > > you can't get from the Subordinate? Assuming that this is the
> > > configuration, can the Subordinate Root be on the same server as the web
> > > server? I know it's possible to do this but is it a big security risk?
> > > Does IIS log certificate use so I can know who/when was accessing the site?
> > >
> > > Also, once I have this hierarchy ironed out, what is the best/most secure way
> > > to issue certificates to clients online?
> > >
> > > Thanks in advance.
> > >
> > > Rob