Re: Enterprise Subordinate CA signed by third party Commercial CA like Verisign/Thawte/etc
- From: "Joe" <jwdaigle@xxxxxxxxxxxxx>
- Date: Tue, 31 Jan 2006 11:43:36 +0800
Hi Steve -
Thanks for the post. The problem is that yes, we will need to have trust
between multiple companies (at least one other besides ours for now, but
probably more later). Is there any way to have my CA cert signed by a
mutual third party? Or can we also exchange certs between the companies,
and trust each other's certs maybe?
I will definitely purchase the book you mention, because time is (as always
it seems :-)) of the essence.
As far as standard versus enterprise, we have already purchased/installed
standard rather than enterprise, so we are more or less "stuck" with
standard.
Thanks again for your post,
Joe
"Steven Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23cyzJogJGHA.1312@xxxxxxxxxxxxxxxxxxxxxxx
> In medium and larger enterprises there is a lot to be said for having an
> offline root CA and subordinate CAs. If the root CA is compromised your
> whole PKI is compromised and that can be a huge problem. Many small
> businesses have one CA and do fine. If no one else, or very few, outside
> of your company needs to trust your certificates then it would make sense
> to use your own CA. Be sure to follow best practices on securing
> [including physical security] and backing up your CA. If an unauthorized
> person got administrative access to your CA they could issue certificates
> to use for authentication, signing, encryption, and possibly decrypting
> other users' files/emails, which would make your PKI untrustworthy. I
> highly recommend that you buy Brian Komar's Microsoft Press book on PKI as
> shown at the link below if you want to get up to speed fast. Also keep in
> mind that if you can install your CA on Windows 2003 Server Enterprise
> version instead of Standard version your CA will be more flexible,
> particularly in using version 2 certificate templates and using Group
> Policy to issue certificates for users also. --- Steve
>
> http://www.bookpool.com/sm/0735620210
>
> "Joe" <jwdaigle@xxxxxxxxxxxxx> wrote in message
> news:%23UjvemWJGHA.2088@xxxxxxxxxxxxxxxxxxxxxxx
>> Sorry if this is too much of a newbie question, I am just starting to
>> learn about certificate services & PKI.....
>>
>> We are a relatively small company (<100), but we wish to implement a
>> public key infrastructure using our Server 2003/SP1 servers (all our
>> clients are XP/SP2). We want to have digital signing for files, emails,
>> etc. and will also be implementing smartcard login.
>>
>> From my certificate services reading, it seems that we want to have an
>> enterprise level certification authority. So that means we need a root
>> CA and 1 or more subordinate CAs. Also from my reading it seems that
>> securing the root CA is extremely important, and it is recommended that
>> we have the root CA offline and locked up.
>>
>> Being a small company, the cost to do this seems a bit excessive.
>>
>> Would it be possible to have one of the existing well known CAs (Verisign
>> or Thawte or ...) be our root CA? I.e., can we have them sign our
>> subordinate CA's certificate? That would satisfy the "secure/locked up"
>> requirement, right?
>>
>> I have visited both Verisign & Thawte's sites, and couldn't find anything
>> about this.
>>
>> Is this possible? What kind of cost am I looking at to do this?
>>
>> Thanks for any info,
>>
>> Joe
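As an added example that is not part of any message in this thread: the offline root plus subordinate CA layout Steve describes, and the "exchange certs and trust each other's certs" question above, played out with the openssl CLI. It assumes openssl is on PATH; the company names (compa, compb) and file layout are made up.

```shell
#!/bin/sh
# Added example, not from the thread: two made-up companies, "compa" and "compb",
# each build an offline root CA, an issuing (subordinate) CA and one user cert
# with the openssl CLI; we then check which user certs a relying party at compa
# accepts before and after the companies exchange root certificates.
set -e
WORK=$(mktemp -d)
CNF="$WORK/ca.cnf"   # one config with an extension section per certificate role
cat > "$CNF" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_root
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_sub]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_user]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
authorityKeyIdentifier = keyid
EOF
# Self-signed root; in production this key lives on the offline machine.
make_root() {  # $1 = company
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1 Root CA" \
    -keyout "$WORK/$1-root.key" -out "$WORK/$1-root.crt" 2>/dev/null
}
# Make a CSR and have the named issuer sign it with the extension set for its role.
issue() {  # $1 = company, $2 = role (sub|user), $3 = issuer role (root|sub), $4 = CN
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$WORK/$1-$2.key" -out "$WORK/$1-$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1-$2.csr" -CA "$WORK/$1-$3.crt" -CAkey "$WORK/$1-$3.key" \
    -CAcreateserial -days 365 -extfile "$CNF" -extensions "v3_$2" -out "$WORK/$1-$2.crt" 2>/dev/null
}
# Path building: user cert -> issuing CA (untrusted input) -> a root in the trust store.
verify_chain() {  # $1 = trusted roots (PEM bundle), $2 = issuing CA cert, $3 = user cert; prints ok|fail
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
for c in compa compb; do make_root "$c"; issue "$c" sub root "$c Issuing CA"; issue "$c" user sub "user@$c.example"; done
cat "$WORK/compa-root.crt" "$WORK/compb-root.crt" > "$WORK/exchanged-roots.pem"  # compa now trusts compb's root too
echo "compa user, compa root trusted:      $(verify_chain "$WORK/compa-root.crt" "$WORK/compa-sub.crt" "$WORK/compa-user.crt")"
echo "compb user, compa root trusted:      $(verify_chain "$WORK/compa-root.crt" "$WORK/compb-sub.crt" "$WORK/compb-user.crt")"
echo "compb user, both roots trusted:      $(verify_chain "$WORK/exchanged-roots.pem" "$WORK/compb-sub.crt" "$WORK/compb-user.crt")"
```

The middle line is the point: a certificate from the other company's hierarchy does not chain to your root and is rejected until you deliberately add their root (or a cross-certificate for it) to what you trust.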