Re: 2003 PKI Design Question

From: Mark Gamache (mark.gamache_at_css-security.com.nospam)
Date: 02/24/05

    Date: Thu, 24 Feb 2005 13:21:08 -0800


    As long as your certs chain to a trusted root, they will work for external
    parties, assuming the root is trusted by the other party. Many
    organizations remove the standard MS trusted Root entries.

    Any third party trusted root will require very rigorous vetting processes
    for issuing certs. You are best to seek their advice as the policies and
    procedures are going to vary from vendor to vendor.

    There are many ways to generate self signed certs, which don't chain to
    trusted roots. Not all applications will accept them though.

    The design really depends on the business need and the process you are going
    to protect. You may not need to be chained to a trusted root.

    Your two basic options are to create your own root and deal with the issues
    of it not being trusted by other parties, or you can have your CA signed by
    a trusted root and be subject to their terms and conditions.

    I hope that helps a little, it seems like a pretty vague answer.

    Cheers,

    -- 
    Mark Gamache
    Certified Security Solutions
    http://www.css-security.com
    "Eric O'Callaghan" <eric_ocallaghan@hotmail.com> wrote in message 
    news:e8ttBMrGFHA.584@TK2MSFTNGP14.phx.gbl...
    > Hi All,
    >
    > I want to deploy an Intermediate CA (standalone subordinate to a third party
    > Trusted Root CA) and an Enterprise Issuing CA (sub to the Intermediate CA)
    > to avail of the auto-enrollment feature.
    > I plan to distribute the following types of certificates:
    >
    > Digital Signatures
    > Secure Messaging Certificates (S/MIME)
    > EFS Certificates
    > Certificates for authentication (via smart cards)
    > Code Signing certificates
    >
    > My questions are:
    > Will digital signatures & certificates issued to my users by the internal
    > issuing CA be trusted by external parties?
    > Is there a better way to do this? Am I opening up a potential can of worms
    > security wise with a Trusted Root CA?
    > Is it possible to generate certificates that do not chain to the trusted root
    > such as EFS/Authentication certs (via Policy CA)?
    >
    > Sorry for the 'dumb' questions but I'm pretty new to PKI and just want to be
    > sure where I should be headed.
    >
    > Thanks for your help.
    >
    > 
    
