Re: EFS and Certificate Services

From: Rschraeger (Rschraeger_at_discussions.microsoft.com)
Date: 08/25/05


Date: Thu, 25 Aug 2005 06:46:06 -0700

Paul,

I appreciate your concern for my training but I believe that I have all the
training I need. I was only looking for clarification on a few items and for
some reason the Enterprise root CA slipped my mind a little.

I think it is because I'm battling this problem with multiple certificates
being issued. At this time I can reproduce the problem on an enterprise CA
(yes, it's online) issuing certs to clients. Yes, I also know that Enterprise
CAs should not be issuing certs to clients. Again, this is only testing.
Anyway, the clients receive multiple EFS certs from the CA. Looking at the
certificate requests, the client is requesting an EFS cert... which the CA
gives to the client, then the client requests another.

-- 
RS
MCSE, MCP +I MCP
"Paul Adare" wrote:
> In article <4784A3B5-D2C8-4FCF-B5F0-46BBAE6DE5C8@microsoft.com>, in the 
> microsoft.public.win2000.security news group, Rschraeger
> <Rschraeger@discussions.microsoft.com> says...
> 
> > I thought the root CA was supposed to be taken offline for security reasons.  
> > Is it then better to deploy a standalone root CA with an enterprise sub. CA?  
> > Is that even possible?
> > 
> 
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
> 
> or
> 
> http://tinyurl.com/28cjx
> 
> I'd strongly suggest that you look into taking some training. A PKI that 
> is improperly deployed and secured is worse than not having one at all.
> 
> http://www.microsoft.com/learning/syllabi/en-us/2821Afinal.mspx
> 
> -- 
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern 
> computer geeks finds it impossible to detect a joke that is not clearly 
> labeled as such."
> Ray Shea
> 

