Re: how many CA's (cross posted...)
Thanks Mario, your help was very useful.

Marco

"MarioC" wrote:
"Marco Tonoli" <MarcoTonoli@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:24BDF016-A293-4019-88CA-2E5AE8D055CD@xxxxxxxxxxxxxxxx
OK, so I issue a certificate from central, then CRL and AIA will be found
locally through the local DC because I correctly set the "Sites and Services"
applet. Correct?


Correct.

Perfect.

If there is a problem on the line to/from the branch office, what type of
result can I have? I think the only problem is if I need to renew a certificate,
so I think it is better to issue certificates with a long duration, something like 30
days, and hope that on the 30th day the line is OK. Correct?


If the line to your branch office goes down, nobody could issue or renew certificates. Since CRL and AIA information is stored in your AD, applications including smart card logon are not affected.

I would suggest setting the certificate lifetime to about 1 year. You can set the renewal interval to about 6-8 weeks before expiration. So 6-8 weeks before the user's certificate is going to expire, Windows XP can auto-renew the smart card logon certificate. A "balloon tip" will pop up informing the user that his certificate has to be renewed. The user only has to provide the PIN code to access the smart card.

Mario


Thanks

Marco


"MarioC" wrote:

Hi there,

Since the CA is only used when issuing certificates, it would not make any
sense to install a second one in the branch office. All required information
(CRL, AIA) can be found redundantly in AD.

Installing a CA on a DC is supported. Best practice would be to install the
CA on a dedicated (virtual?) secure machine.

Mario

"Marco Tonoli" <MarcoTonoli@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AB81E25F-7CE9-4692-AB3E-AE9F7F0F1554@xxxxxxxxxxxxxxxx
Hi all, I have a question:

I have a PKI infrastructure, with an offline root, an enterprise CA and a
domain controller. We use PKI for smart cards, email signing and whatever the
future will offer...
Now we are starting a branch office with many users, so I am making a new domain
controller (for the same central domain) in the branch office for authentication
speed and geographic redundancy. The LANs have different IP addressing but
can see each other. I'll correctly set the "Sites and Services" applet so remote PCs
will use the remote DC.
My question is... do I also need a second CA in the branch office? If not, can
I have speed problems? (I don't know how fast the connection is, specifically
during working hours.)

And, if I need a second CA, can I install it on the DC? (I think there is no CPU
power problem and no security access problem.) And is there some particular
procedure to avoid strange situations like PC authentication or PKI processes on an
erratic CA and DC?

Thanks all in advance (and excuse my English.... writing from Italy.)
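Mario's two points (CRL/AIA are resolved from AD, and auto-renewal kicks in 6-8 weeks before expiry) can be checked on a branch-office PC with the following PowerShell, added here as an example and not posted by anyone in the thread; the 8-week lead time is an assumption taken from the upper end of that range.

```powershell
# Added example: for each certificate in the current user's personal store, report
# whether its CRL Distribution Points and AIA include an LDAP location (i.e. the
# copy replicated to the local DC) and whether it is inside the auto-renewal window.
$renewalLeadDays = 56   # assumption: 8 weeks, upper end of the 6-8 weeks suggested above

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # OID 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    # Format($true) renders the extension as multi-line text containing the URLs
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '' }
    $aiaText = if ($aia) { $aia.Format($true) } else { '' }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
        DaysLeft        = $daysLeft
        InRenewalWindow = ($daysLeft -gt 0 -and $daysLeft -le $renewalLeadDays)
        CrlInAD         = ($cdpText -match 'ldap://')
        AiaInAD         = ($aiaText -match 'ldap://')
    }
} | Format-Table -AutoSize
```

A certificate showing CrlInAD/AiaInAD as False would depend on an HTTP path over the WAN link for revocation checking, which is the case Mario says AD publication avoids.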
