Re: PKI in multi sites/domains environment



Some thoughts inline...

"BZP" <p.audonnet@xxxxxxxxx> wrote in message news:5e3536b2-1964-45ce-bf84-022e2bbbf2b8@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,

First, sorry for my poor English; the French NG doesn't answer for my
topic.
I explain my need.
I have an AD forest which looks like this:
A root domain (technical domain, no user account) called ROOT.LOCAL.
I have two domain trees ASIA.LOCAL and AMERICAS.LOCAL.
There are 4 sub-domains called JAPAN.ASIA.LOCAL, CHINA.ASIA.LOCAL (for
ASIA tree) and PERU.AMERICAS.LOCAL and MEXICO.AMERICAS.LOCAL (for
AMERICAS tree).
AD site configuration matches the location names.
I want to implement a CA hierarchy like this:

One offline ROOT CA, 2 offline policy CA (one for each location, ASIA
& AMERICAS) and one issuing CA for each domain tree.

1. I want to know how I can be sure that users in the ASIA tree will never
request a certificate from a CA of the AMERICAS tree? Is it possible? On TechNet,
it is specified that CA services (as a forest service) don't use site
information.

I have several questions too.
(I numbered them for easy answers.)

A couple of ways of doing this. In the CA Properties, change the default permissions from Authenticated Users to a Domain\Domain Users for the Request Certificates permission.
The other way is to create custom certificate templates that limit enrollment to a subset of the users (America users), and only publish the America servers at the Americas CAs.

2. Is there one CRL distribution point for a CA or for a CA
hierarchy?

At each CA, you can define multiple URLs in the CDP for the CA.
- In AD, although similar, each CA has a unique URL in the configuration naming context
- For HTTP URLs, even if the CRLs are all published to the same virtual directory, again, they will have unique URLs based on the CA DNS name and logical name.

3. When a client has to check a certificate chain, does it establish
a network connection with each CA? Just one? Any?

It depends. The client will first look in the cache for a time-valid version of a CA certificate or CRL. If not available, then it will look at the CDP URLs, in the order they are contained in the CDP extension. This is repeated for every certificate. It is possible that a connection may be established to the CA, but if the default URLs are used, this would only occur if the CRL or CA certificate was not available in Active Directory.

4. When I add a CRL distribution point, do I have to renew older
certificates? If I don't, are older certificates still valid?

You really should set all CDP and AIA URLs *before* you start issuing certificates. An older certificate is still valid only if the previous URLs are still valid. If they are totally replaced, then you must re-issue the certificates.


I have some difficulties identifying what the logical and physical
components in a PKI are...

Not sure what you are asking here. Look at the best practices white paper at www.microsoft.com/pki


Thanks for your help. :D

Regards,

--
P.J.A.
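As an added example (not code from the thread or from Microsoft), here is how the advice for question 4 looks in practice on an AD CS issuing CA: set the CDP and AIA URLs before the CA issues anything, then check them the way a client would (question 3). It assumes Windows Server with the ADCSAdministration module, run as CA administrator on the AMERICAS issuing CA; the host name pki.americas.local and the certificate file path are placeholders.

```powershell
# Added example, not code from the thread. Fix CDP/AIA URLs on an issuing CA
# before it issues a single certificate: the URLs are written into each
# certificate at issue time, so changing them later means re-issuing.
# Assumptions: ADCSAdministration module present (CA role installed),
# run on the issuing CA; pki.americas.local is a placeholder host name.
Import-Module ADCSAdministration

$httpBase = 'http://pki.americas.local/CertEnroll'   # placeholder host name

# 1. Drop the default http:// and file:// entries, which embed the CA's own
#    server name in every issued certificate. The local file path (the
#    publish target) and the LDAP entry are left in place.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like 'http://*' -or $_.Uri -like 'file://*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -like 'http://*' -or $_.Uri -like 'file://*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# 2. Add one HTTP CDP and one HTTP AIA URL. The AD CS tokens %3 (CA name),
#    %8 (CRL name suffix) and %9 (delta CRL marker) keep the file name unique
#    per CA even when every CA publishes into the same virtual directory,
#    which is the point made in the reply to question 2.
Add-CACrlDistributionPoint -Uri "$httpBase/%3%8%9.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri "$httpBase/%1_%3%4.crt" `
    -AddToCertificateAia -Force

# 3. The CA reads these values at start-up; restart it and publish a CRL so
#    the new URL already resolves before the first certificate goes out.
Restart-Service certsvc
certutil -CRL

# 4. Client-side check: walk the chain and fetch every CDP and AIA URL in
#    the order a Windows client tries them. A "Failed" line marks a URL that
#    clients cannot reach, i.e. a certificate that would fail revocation checks.
$issuedCert = '.\issued-cert.cer'   # placeholder: any cert issued after step 3
certutil -verify -urlfetch $issuedCert
```

The Request Certificates permission change from the answer to question 1 is an ACL on the CA itself and is not covered by these cmdlets; it is set in the CA Properties, as the reply describes.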
