Re: certificate server on 2003 - advice on type selection
From: andy smart (anonymus_at_discussions.microsoft.com)
Date: 10/11/04
- Next message: andy smart: "Re: Strange access attempt"
- Previous message: Miha Pihler: "Re: certificate server on 2003 - advice on type selection"
- In reply to: Miha Pihler: "Re: certificate server on 2003 - advice on type selection"
Date: Mon, 11 Oct 2004 07:57:07 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Miha Pihler wrote:
| Hi Andy,
|
| You have a few options to set up your CA server. The first option is to have
| an offline CA server. This server should never be on-line. This means that you
| generate your certificate request on the server itself and transfer
| certificates on floppy or USB drives...
|
| If you have Active Directory installed and you want to control these users,
| then my advice would be to install an Enterprise CA (this would be the enterprise
| setup of the CA server). An Enterprise CA server integrates with AD. One
| option you have after this is to control certificate issuance based on user
| membership in a group. E.g. if a user is a member of an Engineering security
| group created in AD then he can be issued a certificate on a specific template.
| You can still hold this issuance till you have time to examine the request and
| manually approve or deny certificate issuance.
|
| Based on what you wrote, I assume you will need to modify certificate
| templates and this can only be done on Windows 2003 Server Enterprise
| Edition...
|
| There are quite a few things you need to plan for. E.g. how to protect
| physical access to the CA server, and will you have an offline root CA server
| and below it an issuing Enterprise CA server (this is the server that will
| actually issue certificates). The next thing you should plan for is where
| you will publish your CRL (Certificate Revocation List) so that it can be
| viewed from the public, how often you will publish it etc...
|
| Here are some very good white papers and articles from Microsoft on the
| subject of setting up and running a Windows 2003 CA server.
|
| New features:
| http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
| Operations guide:
| http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
| Managing PKI:
| http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
| Best Practices:
| http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
| Auto-Enrollment:
| http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
| Certificate templates:
| http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
| Key archival:
| http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx
| Advanced certificate enrollment:
| http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
| Web enrollment:
| http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
| EFS:
| http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
| CRLs:
| http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
|
| Mike
|
| "andy smart" <anonymus@discussions.microsoft.com> wrote in message
| news:1097447108.44526.0@iris.uk.clara.net...
|
| Hi
|
| We're in the process of rolling out VPN access to our network, using
| hardware which we were kindly donated. One of the authorisation methods
| our hardware will accept is digital certificates. I think this is likely
| to be the way to go, for ease of user management as much as anything, in
| that I can time-limit them (we will want to provide access for short
| periods of time only).
|
| I've been reading the MS documentation and I'm not sure if I want to
| include the CA server in my domain or not. One of the things that the
| docs suggest is that the 'advantage' of this is that it is easy to issue
| certificates automatically - I actually want to have very tight control
| over the people to whom we issue them.
|
| I'd be interested in hearing people's thoughts as to the best practice
| here.
|
| tia
| andy
|
|
Hi Mike

Thanks, that was the kind of guidance I was looking for. I'll go off and
peruse the white papers.

On first reading of your email, using Enterprise and then popping people
into groups sounds like a good plan. We'd be issuing certificates for
differing lengths of time so we could, presumably, pick our groups to
cater for that.

andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBai7Dqmlxlf41jHgRAmi5AJ9qtn25qDNgwl0ObJOXpYKmEimwZgCgz6j4
s1wmRwRrbSVNH98iOiHaPME=
=6Sdv
-----END PGP SIGNATURE-----
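The reply above describes three planning points for an Enterprise CA: template enrollment gated on AD group membership, requests held pending until a certificate manager approves them, and a CRL published on a schedule. The following is an added toy model of that policy, written for this page and not taken from the thread or from Microsoft's CA code; the group names, template names, validity caps and CRL period are constructed, and the "CA Certificate Managers" group is an assumed name for the approver role, not a real Windows object.

```python
"""Toy model of Enterprise CA issuance policy as described in the thread.

Not Microsoft code: it only mirrors the decisions the reply describes
(group-gated templates, pending-until-approved requests, capped lifetime)
and the CRL-freshness question. All names and periods are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Assumed name of the group allowed to approve pending requests.
APPROVER_GROUP = "CA Certificate Managers"


class Disposition(Enum):
    DENIED = "denied"
    PENDING = "pending"
    ISSUED = "issued"


@dataclass(frozen=True)
class Template:
    name: str
    enroll_groups: frozenset[str]   # AD groups granted Enroll on this template
    max_validity: timedelta         # hard cap on certificate lifetime
    require_approval: bool = True   # hold the request for a manager to examine


@dataclass
class Request:
    request_id: int
    user: str
    groups: frozenset[str]          # requester's AD group membership
    template: str
    requested_validity: timedelta
    submitted: datetime
    disposition: Disposition = Disposition.PENDING
    not_after: datetime | None = None


class ToyEnterpriseCa:
    def __init__(self, templates: list[Template]) -> None:
        self.templates = {t.name: t for t in templates}
        self.pending: dict[int, Request] = {}

    def submit(self, req: Request) -> Disposition:
        tmpl = self.templates.get(req.template)
        # Unknown template, or no Enroll permission through any group: deny.
        if tmpl is None or not (req.groups & tmpl.enroll_groups):
            req.disposition = Disposition.DENIED
            return req.disposition
        if tmpl.require_approval:
            # Park the request until an operator examines it.
            req.disposition = Disposition.PENDING
            self.pending[req.request_id] = req
            return req.disposition
        return self._issue(req, tmpl)

    def approve(self, request_id: int, approver_groups: frozenset[str]) -> Disposition:
        if APPROVER_GROUP not in approver_groups:
            raise PermissionError("approver is not a certificate manager")
        req = self.pending.pop(request_id)
        return self._issue(req, self.templates[req.template])

    def deny(self, request_id: int, approver_groups: frozenset[str]) -> Disposition:
        if APPROVER_GROUP not in approver_groups:
            raise PermissionError("approver is not a certificate manager")
        req = self.pending.pop(request_id)
        req.disposition = Disposition.DENIED
        return req.disposition

    def _issue(self, req: Request, tmpl: Template) -> Disposition:
        # The template's cap wins over whatever lifetime the requester asked for,
        # which is how "short access periods" are enforced per group/template.
        lifetime = min(req.requested_validity, tmpl.max_validity)
        req.not_after = req.submitted + lifetime
        req.disposition = Disposition.ISSUED
        return req.disposition


def crl_is_fresh(this_update: datetime, publish_period: timedelta,
                 now: datetime, overlap: timedelta = timedelta(hours=12)) -> bool:
    """True while a CRL published at this_update is inside its period plus a
    small overlap; a False result means relying parties will start failing
    revocation checks, so the publication job needs attention."""
    return now < this_update + publish_period + overlap


if __name__ == "__main__":
    ca = ToyEnterpriseCa([
        Template("VPN-ShortTerm", frozenset({"VPN-Contractors"}), timedelta(days=30)),
        Template("VPN-Staff", frozenset({"VPN-Staff"}), timedelta(days=365)),
    ])
    t0 = datetime(2004, 10, 11, tzinfo=timezone.utc)   # constructed timestamp
    r = Request(1, "alice", frozenset({"VPN-Contractors"}), "VPN-ShortTerm",
                timedelta(days=90), t0)
    print(ca.submit(r), ca.approve(1, frozenset({APPROVER_GROUP})), r.not_after)
    print(crl_is_fresh(t0, timedelta(days=7), t0 + timedelta(days=8)))
```

The point of the model is that lifetime is decided by the template (and therefore by the group that can enroll on it), not by the requester, and that nothing is issued from an approval-required template until a member of the manager group acts on it.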