Re: Global Repository for Externally Generated Certificates

From: Rick A. Butler (orion2634_at_yahoo.com)
Date: 07/27/04


Date: Tue, 27 Jul 2004 14:56:40 -0600

Corey -

That would be insanely nice and make tremendous sense. However, comma, the
Department of Defense has not opted to allow companies to set up an
enterprise CA so that organizations could manage their own certificates. The
current IECA program only allows certificates for servers (like web servers
and that sort of thing).

So, we have to have about 200 people get certificates directly from
Verisign. Notwithstanding the pain of revocation...Glass of milk? No thanks,
I'll drink it straight from the cow.

*sigh*

So, I need to find a nifty way to manage these 200 certificates globally
until we get clearance from DoD to set up an Enterprise CA.

-R

"Corey Hynes" <coreyhy@msn.com> wrote in message
news:eDdr9QlcEHA.212@TK2MSFTNGP12.phx.gbl...
> Have you considered using a subordinate CA that has been signed by one of the
> root CAs you trust? This will allow you to control the issuance and
> revocation of your own certificates, while maintaining trust. Not all
> commercial CAs offer this service, so you will have to do some research.
>
> "Rick A. Butler" <orion2634@yahoo.com> wrote in message
> news:%23yR6EAFcEHA.1656@TK2MSFTNGP09.phx.gbl...
> > Hello Group!
> >
> > As part of the Department of Defense's IECA program for communications to
> > DoD personnel, the DoD is moving to Certificate driven communications. As
> > part of IECA, people needing to communicate with DoD will have to provision
> > a Certificate from a Trusted Root Authority, such as Verisign. Currently,
> > the program is not enrolling Server Certificates, so deploying an Enterprise
> > CA isn't going to work for me.
> >
> > We're ordering about 200 certificates from Verisign so that we can digitally
> > secure traffic for communication to DoD.
> >
> > Has anyone here ever had to deal with a massive number of certificates from
> > an external CA, and what's the best practice for management, short of using
> > Excel to manage them all? Is there a way to import them into sort of a
> > global store that's accessible by all and that will allow me to also do
> > revocations?
> >
> > My network is a Windows 2000 Native Active Directory, with MS Exchange 2000
> > as my principal messaging platform.
> >
> > Thanks in Advance -
> >
> > Rick Butler
> >
> >
>
>


