Re: 2003 PKI Design Question

From: Eric O'Callaghan (eric_ocallaghan_at_hotmail.com)
Date: 02/25/05


Date: Fri, 25 Feb 2005 08:20:53 -0500

Can I have both the issuing CA that is chained to the external root CA and
the internal PKI publish certs to AD? I really want to avail of the auto
enrollment features of 2003/XP.

Thanks,

Eric

"Paul Adare" <padare@newsguy.com> wrote in message
news:MPG.1c88a0c785930ff2989bb4@msnews.microsoft.com...
> In article <uI621arGFHA.2752@TK2MSFTNGP12.phx.gbl>, in the
> microsoft.public.windows.server.security news group, Mark Gamache
> <mark.gamache@css-security.com.nospam> says...
>
> > Your two basic options are to create your own root and deal with the issues
> > of it not being trusted by other parties, or you can have your CA signed by
> > a trusted root and be subject to their terms and conditions.
> >
>
> Actually there is a third option that is probably a better way to go and
> that is to use a combination of the two options.
>
> For certificates that need to be trusted externally, chain an issuing CA
> (there's really no point in having an offline subordinate policy CA here
> as you will be restricted by the external CA's CPS) to an external
> trusted root CA. This would issue S/MIME certs, and possibly code
> signing certs if the code signing certs need to be externally trusted.
>
> For certificates that only need to be (and should only be) trusted
> internally, deploy an internal PKI (2 or 3 tier depending on your
> needs). This would issue EFS and smart card logon certs (and anything
> else that needed only internal trust such as IPSec, 802.1x, etc.).
>
> --
> Paul Adare
> "On two occasions, I have been asked [by members of Parliament],
> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> will the right answers come out?' I am not able to rightly apprehend
> the kind of confusion of ideas that could provoke such a question."
> -- Charles Babbage (1791-1871)
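Paul's two-hierarchy design above, as an added example that is not from this thread or from any Microsoft tooling: a Go program (all CA names, the stand-in "external root" and the Ed25519 keys are constructed for the demo) issues an S/MIME certificate from an issuing CA chained to the external root and a smart card logon certificate from a three-tier internal PKI, then verifies that the logon certificate chains only to the internal root. Smart card logon is modelled with the Client Authentication EKU plus Microsoft's smart card logon OID, since Go has no named constant for it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2} // MS Smart Card Logon EKU; no stdlib constant
type certKey struct{ cert *x509.Certificate; key ed25519.PrivateKey }
// issue creates a CA or end-entity cert signed by parent (a self-signed root when parent is nil).
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, extra []asn1.ObjectIdentifier, parent *certKey) *certKey {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, UnknownExtKeyUsage: extra}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign } // a CA signs certs and CRLs
	if parent == nil { parent = &certKey{tmpl, key} }                        // root: signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, pub, parent.key)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return &certKey{cert, key}
}
// trusted reports whether leaf chains to root through inters and is valid for the requested EKU.
func trusted(leaf, root *certKey, inters []*certKey, eku x509.ExtKeyUsage) bool {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	for _, c := range inters { pool.AddCert(c.cert) }
	_, err := leaf.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err == nil
}
// checks builds both hierarchies from the post (all names constructed) and probes the trust boundary between them.
func checks() map[string]bool {
	extRoot := issue("Constructed External Root", true, nil, nil, nil) // stand-in for the commercial root
	extIssuing := issue("Example Corp Issuing CA (externally chained)", true, nil, nil, extRoot)
	smime := issue("alice@example.com", false, []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, nil, extIssuing)
	intRoot := issue("Example Corp Internal Root", true, nil, nil, nil) // offline root of the internal PKI
	intPolicy := issue("Example Corp Policy CA", true, nil, nil, intRoot)
	intIssuing := issue("Example Corp Internal Issuing CA", true, nil, nil, intPolicy)
	logon := issue("alice (smart card logon)", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, []asn1.ObjectIdentifier{oidSmartCardLogon}, intIssuing)
	inters := []*certKey{extIssuing, intPolicy, intIssuing} // every intermediate a relying party might hold
	return map[string]bool{"smime trusted by outsiders": trusted(smime, extRoot, inters, x509.ExtKeyUsageEmailProtection),
		"logon trusted in the forest": trusted(logon, intRoot, inters, x509.ExtKeyUsageClientAuth),
		"logon trusted by outsiders":  trusted(logon, extRoot, inters, x509.ExtKeyUsageClientAuth)}
}
```

Chain building here is the same check a relying party performs, so the false result for "logon trusted by outsiders" is the internal-only trust Paul describes, even when both CAs' certificates are visible to the same clients.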
