Re: 2003/R2 certificate server questions



Inline

In article <1173800685.119611.123960
@t69g2000cwt.googlegroups.com>, eric.hall@xxxxxxxxx
says...
On Mar 13, 11:17 am, Brian Komar [MVP] <bko...@xxxxxxxxxxxxxxxxx>
wrote:

In article <1173796055.831288.221690
@t69g2000cwt.googlegroups.com>, eric.h...@xxxxxxxxx
says...

foo.com <--offline root, probably using openssl
--corp.foo.com <--2003 R2 certificate server for corp.foo.com AD
domain
--labs.foo.com <--openssl certificate server for linux/samba/* domain

Should work. But you could service the requests from
the Win2k3 CA.

I don't understand the second half of your response


You really do not need an additional subordinate CA
running OpenSSL to service requests from Linux/samba
clients

What kind of CA type should I specify for the 2003 R2 box? I want it
to be online, and I want to get the benefits of directory integrated
certificates, but I also want to be able to issue random certificates
for non-integrated users and devices and whatnot. This is probably the
most confusing part to me, and where I ran into trouble with Windows
2000 Server.

Make sure you are running on Enterprise Edition, and use
an enterprise subordinate CA to meet your goals.

That will also let me manually create/sign certificates for use in
things like switches and whatnot? With W2k EE, it seemed to just do
automatic certs for users and machines, so this is my main point of
concern.

Automatic certs, Key archival and recovery, customizable
certificate templates. Lots.


There are some pretty robust recommendations against running a CA on a
DC. However, given my current hardware restrictions, it seems like
this is going to be necessary in the short-term (another year or so).

Rethink this one. If you put it on a DC, you cannot move
it. This is the biggest issue in your design. Your only
choice is to basically remove the DC and keep it as a
CA. You cannot rename the CA NetBIOS name nor change its
domain membership.

Is this a feature of the "enterprise" CA, or is this a feature of all
the CA types in 2003? openssl does not bind the CA to the machine
identity but I can see why it would be useful and appropriate for AD
integrated certs in particular.

This is a Microsoft CA thing.

I can also uninstall the sub CA, revoke the cert, and reissue new
certs if I move the sub CA later, right? I mean, creating an
"enterprise" sub-CA doesn't permanently alter the directory does it?

You can definitely do this, but high TCO.



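The offline OpenSSL root signing the corp.foo.com subordinate's request, as an added example that is not part of this thread: the CA names and the temporary directory are made up, and the subordinate key and CSR generated here stand in for the request the Windows CA would produce.

```shell
# Added example (not from the thread): an offline OpenSSL root signs the
# corp.foo.com subordinate CA request. All names and paths are constructed.
set -eu

# Minimal openssl config: a [req] section plus the two extension profiles.
write_cnf() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder-overridden-by-subj
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_sub_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Build root -> subordinate under directory $1.
build_hierarchy() {
  d="$1"; write_cnf "$d"
  # Offline root: self-signed, long-lived; its key stays off the network.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/ca.cnf" -extensions v3_root -subj "/CN=foo.com Offline Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Subordinate request: in the real design the Windows CA generates this.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/ca.cnf" \
    -subj "/CN=corp.foo.com Enterprise Sub CA" \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  # Root signs it as a CA with pathlen:0: it may issue end-entity certs only.
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/ca.cnf" \
    -extensions v3_sub_ca -out "$d/sub.pem" 2>/dev/null
}

# Returns 0 if sub.pem chains to root.pem and carries the pathlen:0 constraint.
verify_sub_ca() {
  openssl verify -CAfile "$1/root.pem" "$1/sub.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/sub.pem" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}
d=$(mktemp -d); build_hierarchy "$d"
verify_sub_ca "$d" && echo "sub CA chains to root with pathlen:0"
rm -rf "$d"
```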