PKI in multi sites/domains environment
- From: BZP <p.audonnet@xxxxxxxxx>
- Date: Mon, 10 Dec 2007 09:29:14 -0800 (PST)
Hello,
First, sorry for my poor English; the French NG doesn't answer my
topic.
Let me explain my need.
I have an AD forest which looks like this:
A root domain (a technical domain, no user accounts) called ROOT.LOCAL.
I have two domain trees, ASIA.LOCAL and AMERICAS.LOCAL.
There are 4 sub-domains called JAPAN.ASIA.LOCAL and CHINA.ASIA.LOCAL (for
the ASIA tree) and PERU.AMERICAS.LOCAL and MEXICO.AMERICAS.LOCAL (for the
AMERICAS tree).
The AD site configuration matches the location names.
I want to implement a CA hierarchy like this:
One offline root CA, 2 offline policy CAs (one for each location, ASIA
& AMERICAS) and one issuing CA for each domain tree.
1. I want to know how I can be sure that users in the ASIA tree will never
request a certificate from a CA of the AMERICAS tree. Is it possible? In TechNet,
it is specified that CA services (as a forest service) don't use site
information.
I have several other questions too.
(I numbered them for easy answers.)
2. Is there one CRL distribution point per CA or per CA
hierarchy?
3. When a client has to check a certificate chain, does it establish
a network connection with each CA? Just one? Any?
4. When I add a CRL distribution point, do I have to renew older
certificates? If I don't, are the older certificates still valid?
I have some difficulty identifying what the logical and physical
components in a PKI are...
Thanks for your help.
Regards,
--
P.J.A.
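Added example (editor's code, not from the original post or from any reply in this thread): the poster's ASIA branch (offline root, offline policy CA, issuing CA, user) built with Go's standard crypto/x509 so that questions 2, 3 and 4 can be seen in working code rather than in AD CS terms. A CRL Distribution Point is written into each certificate a CA issues and points at that CA's CRL, so a three-tier chain carries one CDP per signing CA, a relying party fetches one CRL per CA from the publication URL, and chain building itself never contacts a CA. Adding a new CDP to the issuing CA affects only certificates issued afterwards; older certificates keep their embedded URL and stay valid. All CN strings and CRL URLs (pki.root.local, pki.asia.local) are assumptions chosen for the example; enrollment restrictions (question 1) are an AD CS permission matter and are not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Entity struct { // a certificate holder (CA or end entity) with its private key
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Issue signs a certificate for cn; parent == nil means self-signed (the root).
// cdp becomes the CRL Distribution Point extension. It names where the *issuer's*
// CRL is published, so a CDP belongs to one CA and all its issued certs carry it.
func Issue(cn string, isCA bool, parent *Entity, cdp []string) *Entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63)) // random serial
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, CRLDistributionPoints: cdp, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &Entity{cert, key}
}

// Hierarchy is the ASIA branch of the poster's design; the CRL URLs below are assumptions.
type Hierarchy struct{ Root, Policy, Issuing, User *Entity }

func BuildAsia() Hierarchy {
	root := Issue("ROOT.LOCAL Root CA", true, nil, nil) // offline trust anchor: no CDP
	policy := Issue("ASIA Policy CA", true, root, []string{"http://pki.root.local/root.crl"}) // offline
	issuing := Issue("ASIA.LOCAL Issuing CA", true, policy, []string{"http://pki.root.local/asia-policy.crl"})
	user := Issue("user@japan.asia.local", false, issuing, []string{"http://pki.asia.local/asia-issuing.crl"})
	return Hierarchy{root, policy, issuing, user}
}

// Verify builds and checks the chain offline. It needs the CA certificates (a client
// finds them via AIA or its store) but never a connection to a CA: root and policy stay offline.
func Verify(h Hierarchy, leaf *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root.Cert)
	inter.AddCert(h.Policy.Cert)
	inter.AddCert(h.Issuing.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

// IsRevoked has issuer sign a CRL revoking `revoked`, checks it as a client would
// (parse, verify signature against that CA) and reports whether `probe` is listed.
func IsRevoked(issuer *Entity, revoked, probe *x509.Certificate) bool {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(7 * 24 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}}}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer.Cert, issuer.Key)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	must(crl.CheckSignatureFrom(issuer.Cert)) // a CRL is only as good as its signature
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(probe.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

func main() {
	h := BuildAsia()
	// A new CDP on the issuing CA affects only later certificates; the earlier one keeps its URL.
	user2 := Issue("user2@china.asia.local", false, h.Issuing, []string{"http://pki.asia.local/asia-issuing-v2.crl"})
	fmt.Println("chain valid:", Verify(h, h.User.Cert) == nil, "old CDP kept:", h.User.Cert.CRLDistributionPoints)
	fmt.Println("user1 on CRL after revoking user2?", IsRevoked(h.Issuing, user2.Cert, h.User.Cert))
}
```

The practical consequence for question 4 is visible in main: after the issuing CA starts writing a v2 URL into new certificates, the first user's certificate still carries the v1 URL and still verifies, so the v1 CRL must stay published (and kept fresh) until every certificate that references it has expired or been renewed. Revocation checking is a separate step from chain building; Go's Verify, like Windows CryptoAPI's chain engine, builds the path from CA certificates alone and only then would a client download the CRLs named by each CDP.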
- Follow-Ups:
- Re: PKI in multi sites/domains environment
- From: Brian Komar
- Re: PKI in multi sites/domains environment