Question regarding PKI architecture with cross domain trusts.

---

• From: Enrico <nricko@xxxxxxxxx>
• Date: Mon, 17 Sep 2007 11:48:36 -0700

---

Hello all,

I have the following PKI architecture implemented in a dev environment

1 Offlice Root CA
Root CA Certificate Properties:
CDP: ldap location on both DomainA and DomainB
AIA: ldap location on both DomainA and DomainB

2 Online Enterprise Issuing CAs
1 in DomainA
1 in DomainB

There is also a cross-domain trust established between DomainA and
DomainB.
-------------------------------------------------

As of now there seems to be no issue with certificate communication
between a server on DomainA and a server on DomainB, but I am unsure
as to how this communication would be affected when I introduce a new
domain (DomainC) to the mix.

To add a new domain to this architecture I would do the following:
1. Bring the root CA online.
2. Update the CDP and AIA points to include the ldap location of
DomainC.
3. Publish that certificate to the new domain and create an issuing CA
on that domain, similar as I did for DomainA and DomainB.
4. Establish a cross domain trust with Domain A and DomainC.

Questions
----------------
1. Is the certificate communication between DomainA and DomainB
servers dependent on the CDP and AIA lists or just the fact that they
trust the Root Certificate signature?
2. Since the CDP and AIA points will change in the Root CA
certificate, will DomainA and DomainC have a certificate communiation
issues since the updated Root CA certifcate will be contained in
DomainC, but not in DomainA (essentially uses certificate without
updated CDP and AIA extensions)?
3. As a side note, does disabling the certifcate revocation checks
affect the validity of a certifcate?

Thank you

.

---

• Follow-Ups:
  • Re: Question regarding PKI architecture with cross domain trusts.
    • From: Brian Komar

• Prev by Date: Re: Group permission AD advice needed.
• Next by Date: Re: Question regarding PKI architecture with cross domain trusts.
• Previous by thread: Autoenrollment Fails
• Next by thread: Re: Question regarding PKI architecture with cross domain trusts.
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Question regarding PKI architecture with cross domain trusts. ... ldap location on both DomainA and DomainB ... The reason is how the certificate validation engine works. ... I would recommend having an HTTP URL first followed ... (microsoft.public.windows.server.security) Re: Question regarding PKI architecture with cross domain trusts. ... Root CA Certificate Properties: ... ldap location on both DomainA and DomainB ... The reason is how the certificate validation engine works. ... (microsoft.public.windows.server.security) Re: Question regarding PKI architecture with cross domain trusts. ... ldap location on both DomainA and DomainB ... In your environment, I would only use HTTP locations for the CDP and AIA, ... The reason is how the certificate validation engine works. ... (microsoft.public.windows.server.security) Re: Authentication accross child domains ... I would say yes we are using the transitive trust mechanism. ... DomainA computers "are" allowed to talk to DomainB DC's, ... > the client would try and talk to the root in this scenario. ... >> child domains connected to the root as separate trees. ... (microsoft.public.windows.server.active_directory) Re: Authentication accross child domains ... > client, since the _msdcs zone is in the root I would expect that behavior, ... >> mechanism to authenticate the domainb client (using domaina computer) to ... >> the client would try and talk to the root in this scenario. ... >>> child domains connected to the root as separate trees. ... (microsoft.public.windows.server.active_directory)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)