Re: Which certificate do I have to deploy ? Root CA or Subordinate CA certificate ?
- From: "Brian Komar \(MVP\)" <brian.komar.nospam@xxxxxxxxxxxxxxxxx>
- Date: Wed, 26 Mar 2008 05:48:44 -0500
This is basic PKI. Trust is established at the root.
If the CA is a subordinate of a trusted root, you trust the CA.
I would recommend reading Polk and Housley
Brian
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.d2a87d837c712979.70874@xxxxxxxxxxxxxxxxxxxxx
Hi,
we are planning to deploy a certificate hierarchy.
First, we will have a Root CA (standalone Offline) and a subordinate CA (enterprise online integrated to AD).
My question is which certificate should I have to deploy to my computer Trusted Root Certification Authorities Store ? The Root CA or the Subordinate CA ?
I have read in Microsoft website that it should be the Root CA certificate (and not the Subordinate CA) but I dont understand why !
Indeed, imagine that in the future we decide to install a new subordinate Enterprise CA (child of the Root CA, so a brother of the first subordinate CA) for a new acquired company;
If we have installed the Root CA in our domain member computers, then they will trust every certificate delivered by the new subordinate Enterprise CA, am I right ?
This is not very nice as the new sub enterprise CA is not defined to trust computers for the "whole company" but just for the newly acquired company.
Please could you tell me what do you think about that ?
Thanks
--
Pascal
.
- Follow-Ups:
- References:
- Prev by Date: Which certificate do I have to deploy ? Root CA or Subordinate CA certificate ?
- Next by Date: Re: Which certificate do I have to deploy ? Root CA or Subordinate CA certificate ?
- Previous by thread: Which certificate do I have to deploy ? Root CA or Subordinate CA certificate ?
- Next by thread: Re: Which certificate do I have to deploy ? Root CA or Subordinate CA certificate ?
- Index(es):
Relevant Pages
|
