Re: Offline Root Certificate Server and subordinate CA
From: TKLOSE (TKLOSE_at_discussions.microsoft.com)
Date: 03/16/05
- Next message: /.dz: "Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON"
- Previous message: Craig: "DCOM Autho Error 529 and 681 with Default Authentication Level = N"
- In reply to: Steven L Umbach: "Re: Offline Root Certificate Server and subordinate CA"
- Next in thread: Steven L Umbach: "Re: Offline Root Certificate Server and subordinate CA"
- Reply: Steven L Umbach: "Re: Offline Root Certificate Server and subordinate CA"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 16 Mar 2005 13:07:01 -0800
Hi Steve,
It appears that I did not correctly set up my CRL and AIA publication
settings from the get go.
I deployed my enterprise offline root and subordinate CA with these defaults.
I am using AD and GP with autoenrollment for deploying ONLY the certificate
chain to the client computers .
I currently have a limited internal cert deployment, only for PEAP for
wireless.
I hope there is an easy fix...
I see where to change the CRL, AIA settings .....After I update them
Do I have to re-issue all the published certificates? And/or will the
changes (if allowed) propagate down the chain?
I also read, that it is recommended to configure empty CDP and AIA ext to
ensure that the certificate chaning engine does not perform revo checking on
the rootCA. Do you agree?
Before I set my CRL and AIA.....
I need to plan ahead for the day my subordinate server is replaced with
another, and want to have a consistent dns cname for the CRL and AIA files (
I don't want to use a server name) . I prefer to use the LDAP or a DNS
pointer to the current subordinate CA http.
"Steven L Umbach" wrote:
> Possibly the links below will help. When you install a offline CA you need
> to make sure that you change the location for the CRL/AIA so that it is
> available and you also need to update the crl for the offline CA to keep it
> current. Look in the Event Viewer of the subordinate CA for any pertinent
> events that may be helpful.--- Steve
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
>
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CS_Checklist_offline.asp
> -- installing an offline CA.
>
> "TKLOSE" <TKLOSE@discussions.microsoft.com> wrote in message
> news:49D8B6C8-1976-48B6-B00C-F2DB5EF962E0@microsoft.com...
> > As recomended, I keep my domains root CA offline.
> > My suborinate CA, works good in delivering the certs to the domain
> > clients.
> >
> > However, when ever I need to request a certificate to a web server or
> > other,
> > the subordiante hangs and throughs an error on the certsrv web page.
> >
> > If I put the root server back online, this does not occur.
> >
> >
> > What does the suborniate need, to be independant of the root server to
> > allow
> > certificates to be requested? What is is looking for from the root server?
> >
> >
> >
>
>
>
- Next message: /.dz: "Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON"
- Previous message: Craig: "DCOM Autho Error 529 and 681 with Default Authentication Level = N"
- In reply to: Steven L Umbach: "Re: Offline Root Certificate Server and subordinate CA"
- Next in thread: Steven L Umbach: "Re: Offline Root Certificate Server and subordinate CA"
- Reply: Steven L Umbach: "Re: Offline Root Certificate Server and subordinate CA"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
