RE: PKI V2 Certificates OS level



Hi Scott,

In order to issue v2 certificate templates (which are actually v3
certificates) you must publish the templates on a 2003 Enterprise Edition
CA. Generally speaking you would use a Stand-Alone Root CA running Windows
Server 2003 Standard edition as an offline root and have enterprise
subordinate CAs running Windows Server 2003 Enterprise Edition for
certificate issuance.

The root CA is in no way used to issue a certificate on the subordinate CA.
The only time the root CA is used is for issuing certificates to new
subordinate CAs, renewing subordinate CA certificates and publishing CRLs.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
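To make the division of labour above concrete, here is an added Python example (not code from this thread or from Windows Server) that builds a two-tier hierarchy with the cryptography library: the offline root signs only the subordinate CA certificate and its own CRL, and the subordinate alone issues the end-entity certificate. CA names, the subject and the dates are constructed; it models the chain of signatures, not the Windows template mechanism.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Constructed validity window for the lab hierarchy (not a real deployment).
NOT_BEFORE = datetime.datetime(2007, 2, 14)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())

def issue(subject_cn, subject_key, issuer_cn, issuer_key, ca, path_len=None):
    """Sign a certificate for subject_key with issuer_key (self-signed when both CNs match)."""
    builder = (x509.CertificateBuilder()
        .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE).not_valid_after(NOT_BEFORE + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True))
    return builder.sign(issuer_key, hashes.SHA256(), default_backend())

def build_hierarchy():
    """Root key touches only the sub CA cert and the root CRL; the sub CA issues the leaf."""
    root_key, sub_key, leaf_key = _key(), _key(), _key()
    root = issue("Lab Offline Root", root_key, "Lab Offline Root", root_key, ca=True, path_len=1)
    sub = issue("Lab Enterprise Sub CA", sub_key, "Lab Offline Root", root_key, ca=True, path_len=0)
    leaf = issue("user@lab.example", leaf_key, "Lab Enterprise Sub CA", sub_key, ca=False)
    crl = (x509.CertificateRevocationListBuilder().issuer_name(root.subject)
        .last_update(NOT_BEFORE).next_update(NOT_BEFORE + datetime.timedelta(days=180))
        .sign(root_key, hashes.SHA256(), default_backend()))
    return root, sub, leaf, crl

def signed_by(cert, issuer):
    """True if issuer is marked as a CA, names chain, and its key verifies cert's signature."""
    bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
    if not bc.ca or cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def chain_is_valid(chain):
    """Walk leaf -> sub -> root: each cert signed by the next, and the last self-signed."""
    pairs_ok = all(signed_by(c, i) for c, i in zip(chain, chain[1:]))
    return pairs_ok and signed_by(chain[-1], chain[-1])
```

Verifying the leaf never needs the root's private key, only its certificate; that is why the root can stay offline between subordinate renewals and CRL publications.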
--------------------
From: SB <SB@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: PKI V2 Certificates OS level
Date: Wed, 14 Feb 2007 15:57:00 -0800

Hi folks,

I am currently working with a Certificates setup in my lab to become more familiar with Certificates and PKI V2 Certificates. I have set up a Windows 2k3 R2 Enterprise server with an Enterprise Root CA and have also set up a few subordinate CAs on Windows 2k3 R2 Standard server. From everything I have read, I know I have to have the Enterprise Root CA on an Enterprise 2k3 OS.

The question is, will the subordinate CAs issue a PKI v2 certificate request in this fashion? In other words, if my logic is right, the Subordinate CA would process the request, sending it back to the Enterprise CA for processing, which would then process and return it back through the Subordinate CA and back out to the requesting party. Does this sound right? Will this scenario work? I would like to protect the Enterprise CA in this fashion, letting the subordinate CAs do the actual interaction for requests. I've read the best practices guide for setting up PKI v2 certificates but it still seems vague to me in what it is saying. Hence the testing I am going through above.

Thanks,

Scott
