Re: Enterprise Subordinate CA signed by third party Commercial CA like Verisign/Thawte/etc
- From: "Steven Umbach" <n9rou@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 30 Jan 2006 20:05:00 -0600
In medium and larger enterprises there is a lot to be said for having offline
root CA and subordinate CAs. If the root CA is compromised your whole PKI is
compromised and that can be a huge problem. Many small businesses have one CA
and do fine. If no one else, or very few, outside of your company needs to trust
your certificates then it would make sense to use your own CA. Be sure to follow
best practices on securing [including physical security] and backing up your CA.
If an unauthorized person got administrative access to your CA they could issue
certificates to use for authentication, signing, encryption, and possibly
decrypting other users' files/emails, which would make your PKI untrustworthy. I
highly recommend that you buy Brian Komar's Microsoft Press book on PKI as shown
at the link below if you want to get up to speed fast. Also keep in mind that
if you can install your CA on Windows 2003 Server Enterprise version instead of
Standard version your CA will be more flexible particularly in using version 2
certificate templates and using Group Policy to issue certificates for users
also.
--- Steve
http://www.bookpool.com/sm/0735620210
"Joe" <jwdaigle@xxxxxxxxxxxxx> wrote in message
news:%23UjvemWJGHA.2088@xxxxxxxxxxxxxxxxxxxxxxx
> Sorry if this is too much of a newbie question, I am just starting to learn
> about certificate services & PKI.....
>
> We are a relatively small company (<100), but we wish to implement a public
> key infrastructure using our Server 2003/SP1 servers (all our clients are
> XP/SP2). We want to have digital signing for files, emails, etc and will
> also be implementing smartcard login.
>
> From my certificate services reading, it seems that we want to have an
> enterprise-level certification authority. So that means we need a root CA
> and 1 or more subordinate CAs. Also from my reading it seems that securing
> the root CA is extremely important, and it is recommended that we have the
> root CA offline and locked up.
>
> Being a small company, the cost to do this seems a bit excessive.
>
> Would it be possible to have one of the existing well known CAs (verisign or
> thawte or ...) be our root CA? i.e., can we have them sign our subordinate
> CA's certificate? That would satisfy the "secure/locked up" requirement,
> right?
>
> I have visited both Verisign & Thawte's sites, and couldn't find anything
> about this.
>
> Is this possible? What kind of cost am I looking at to do this?
>
> Thanks for any info,
>
> Joe
>
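The two-tier layout Steve describes (an offline root that signs one subordinate, which does all day-to-day issuing) built with OpenSSL instead of Windows 2003 Certificate Services, as an added example that is not from either post. It also checks that the subordinate's `pathlen:0` constraint stops it from minting further CAs; the names, lifetimes and the `self` issuer convention in `sign()` are assumptions of this example.

```shell
# Builds the two-tier hierarchy discussed above (offline root -> issuing subordinate
# -> end-entity) with OpenSSL and checks chain validation. Names are constructed.
set -eu
WORK=$(mktemp -d) && cd "$WORK"
# EC private key plus a CSR. $1=basename $2=subject
newreq() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1.key"
    openssl req -new -key "$1.key" -out "$1.csr" -subj "$2"
}
# Sign $1.csr with issuer $2 for $3 days; remaining args are X.509 extensions.
# Issuer "self" produces a self-signed certificate (the root).
sign() {
    base=$1 issuer=$2 days=$3; shift 3
    printf '%s\n' "$@" > "$base.ext"
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$base.csr" -signkey "$base.key" -days "$days" \
            -extfile "$base.ext" -out "$base.crt" 2>/dev/null
    else
        openssl x509 -req -in "$base.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
            -CAcreateserial -days "$days" -extfile "$base.ext" -out "$base.crt" 2>/dev/null
    fi
}
build_hierarchy() {
    # Root key is used only here and to renew the subordinate or its CRL,
    # which is what lets the root machine stay offline and locked up.
    newreq root "/CN=Example Offline Root CA"
    sign root self 3650 "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,keyCertSign,cRLSign"
    # pathlen:0 lets the subordinate issue end-entity certs but not further CAs.
    newreq sub "/CN=Example Issuing CA"
    sign sub root 1825 "basicConstraints=critical,CA:TRUE,pathlen:0" \
        "keyUsage=critical,keyCertSign,cRLSign"
    newreq leaf "/CN=user1"   # day-to-day issuance happens on the subordinate
    sign leaf sub 365 "basicConstraints=critical,CA:FALSE" \
        "keyUsage=critical,digitalSignature"
}
# Print OK if leaf $3 chains to trust anchor $1 through untrusted bundle $2.
chain_status() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
        echo OK; else echo FAIL; fi
}
# Path-length enforcement: a CA certificate minted under the subordinate, and a
# leaf beneath it, are rejected by relying parties that trust only the root.
pathlen_check() {
    newreq extra "/CN=Extra CA under the subordinate"
    sign extra sub 365 "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign"
    newreq leaf2 "/CN=user2"
    sign leaf2 extra 365 "basicConstraints=critical,CA:FALSE"
    cat sub.crt extra.crt > chain.pem && chain_status root.crt chain.pem leaf2.crt
}
```

Run `build_hierarchy` and then `chain_status root.crt sub.crt leaf.crt` (prints OK) and `pathlen_check` (prints FAIL); the temporary directory is left in place so the generated files can be inspected with `openssl x509 -text`.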