Newbie wants to learn about PKI Server 2003......



I am trying to learn what I can about PKI deployment with Server 2003 before
I unleash it on my small company (30 developers). I am the closest thing to
an IT person at the company which is why I drew this duty.

Since I really dislike people that just hop onto a newsgroup without making
an effort to learn basics from books, sites, etc (expecting others to teach
them of course), I am trying to train myself before bothering the rest of
you. Don't worry, I will get to that stage soon enough :-)

I have read stuff on Technet, bought Brian Komar's excellent "Windows Server
2003 PKI Certificate Security", and have been lurking here for a bit.

Is there anything else I can read/do to educate myself on PKI as implemented
in Server 2003?

I believe I understand the concepts and have successfully built a Root CA on
a test system.

At this point in time, I have a rough plan for how to set this all up in my
specific situation, but have loads of questions.

Background:
- Company is small, but most people are technical, so training shouldn't be
much of an issue.
- We generally feel that security is very important, so we would want a
secure design
- We will be needing some kind of cross certification with 1 of our
partners, so this is a requirement.
- All of our desktops are XPSP2. All of our Servers are 2003 R2, one of
them is running Enterprise.
- We are heavily into Active Directory
- We have exactly one domain in our forest.
- We will want issued certificates to "work" outside our firewall
- We do not want to spend much/any money on third party CA solutions

Proposed design:
We will implement a 2 tier hierarchy, with the Root CA being offline. There
will be 1 Issuing CA running Enterprise. We will publish our CRLs & Certs
on an external HTTP URL, and use AD to distribute CRLs & Certs internally.

Questions (feel free to point me somewhere for more information):
- CDPs are really confusing to me. Simple concept until you get down to
implementing them.
- since we want them to be accessible outside our firewall, we can't just
specify LDAP in our lists, right? But on the other hand, we want our
internal users to have fast access to them.
- I am thinking about specifying the external HTTP URL first (to
accommodate external users), and relying only on AD for the internal users.
Do I need to specify anything in the CDP for internal users, or is it
"automatic" once I -dspublish the Root CA?
- The default CDP/AIA has like 4 locations. localfilesystem, LDAP, HTTP
& another I don't remember. Are all of these required? If I don't specify
the localfilesystem, will all my internal users be checking them on the
external HTTP URL?
- When building the Root CA, I took the recommendation from the book about
leaving the CDP & AIA blank in the CAPolicy.inf file. Is that a best
practice (maybe a stupid question cuz it's out of a book, but I have been
burned by that assumption before :-))? What actually does that mean? Does
it mean that there is no revocation checking for the Root CA, or does it
mean I cant revoke the SubCA that the Root CA will sign?
- It appears that I can change the AIA & CDP paths any time I want. If I
change them, the only effect this has is for future issued Certs for that
CA, right?
- Once a Root CA is -dspublish'd, how do I "get rid of it"? There doesn't
seem to be a -dsrevoke.
- This brings up the question of what scope a CRL has. Is it only the
parent CA that can revoke a SubCA's Cert? or can a CA revoke its own Cert?

Sorry so long, but I was hoping someone could skim through what I have said
here and tell me if I am headed in the right direction. Thanks!

Joe
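Added example, not part of Joe's post or any reply in this thread: the certutil commands that implement the CDP/AIA ordering asked about above (external HTTP first, LDAP for domain members, file path as publish target only), with the flag meanings in comments. The host pki.example.com and the file name issued-cert.cer are assumed placeholders.

```bat
@echo off
REM Added example, not from Joe's post or any reply: CDP/AIA registry layout
REM for the Enterprise issuing CA in the two-tier design above. Run in cmd.exe
REM on the issuing CA as a CA administrator. The host pki.example.com is an
REM assumption (your external HTTP publication point).
REM Doubled %% is the batch-file escape; type a single % at an interactive prompt.

REM ---- Offline root (for reference) ----
REM CAPolicy.inf with [CRLDistributionPoint] / [AuthorityInformationAccess]
REM sections containing "Empty=True" only means the root's OWN certificate
REM carries no CDP/AIA extensions; a self-signed trust anchor is never
REM revocation-checked anyway. The root can still revoke the SubCA: the SubCA
REM certificate carries the root's CDP, set on the root with the same commands
REM below (HTTP + LDAP only, no file://). Copy the root CRL over, publish it
REM with "certutil -dspublish -f RootCA.crl" and post it to the HTTP site.

REM ---- Issuing CA: CRL distribution points ----
REM Prefix flags: 1 = publish CRL to this location, 2 = include URL in the CDP
REM extension of issued certs, 8 = include URL in the CRL's own IDP extension.
REM Tokens: %%3 CA name, %%8 CRL suffix, %%9 delta suffix, %%7 truncated CA
REM name, %%2 server short name, %%6 config DN, %%10 CDP object class.
REM The local file path is flag 1 only: a publish target that never appears in
REM a certificate (a copy job must feed it to the external web server). HTTP is
REM listed first so clients outside the firewall never wait on an LDAP timeout;
REM LDAP second gives domain members a fast fallback (clients walk the list in order).
certutil -setreg CA\CRLPublicationURLs "1:%%WINDIR%%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.example.com/CertEnroll/%%3%%8%%9.crl\n11:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

REM ---- Issuing CA: authority information access (where the CA cert lives) ----
REM Flags: 1 = publish CA cert here, 2 = include URL in the AIA extension.
REM Tokens: %%1 server DNS name, %%4 certificate renewal index, %%11 CA object class.
certutil -setreg CA\CACertPublicationURLs "1:%%WINDIR%%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.example.com/CertEnroll/%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

REM Changing these affects only certificates issued from now on; certs already
REM in the field keep the URLs baked into them at issue time.
net stop certsvc && net start certsvc
certutil -crl

REM ---- Checks ----
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
REM From a host outside the firewall (no LDAP reachability), fetch every
REM CDP/AIA URL embedded in a freshly issued cert; each URL should verify.
certutil -verify -urlfetch issued-cert.cer
```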
