Re: ADFS and Certificate Services



It sounds like I didn't explain the situation well. We have no interest
in becoming a commercial CA. You are right, way too much
responsibility. We just want to be able to give out certs to our own
employees to avoid the fee per cert from Verisign. We want a Root CA
internal to our network for our company. We want to put an off-line
sub-CA on the internet for employees to access remotely to get certs.
We want them to be able to have a seamless connection from the
internet to our sub-CA.

On Apr 17, 4:35 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
ADFS is not really related to becoming a certificate vendor. ADFS uses
certificates, but it won't help you with requesting or issuing certs.

Essentially, to become a certificate "reseller", you need a CA certificate
that is signed by another CA that is chained to a publicly trusted root. To
get such a CA certificate, you generally pay a fairly large amount of money
(a few hundred K$, depending on the types of certificates you will be
issuing and other stuff) and you will need to adhere strictly to the
policies of your issuing CA or else they may revoke your certificate and
cause every certificate you issued to become invalid. It is a fairly
serious responsibility. If you talk with your cert vendor (Verisign), I'm
sure they have some commercial offerings along these lines that they could
tell you about.

I don't really see how ADFS would work into this unless you provided a
web-based UI for your CA and wanted to secure it using ADFS (which you
certainly could).

If you explain more, I might be able to provide more details. I also
suggest following up in one of the crypto newsgroups if you want to talk to
others who are more experienced with setting up a commercial CA.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

"nboothe" <nboo...@xxxxxxxxx> wrote in message
news:1176836055.067116.280730@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I posted a few weeks ago about the basics of ADFS and Joe was gracious
enough to help me. I've made some progress, but am beginning to think
my concept might not even be possible and I'm hoping someone can
advise.

My company wants to implement single sign on, but more importantly we
want to become our own certificate authority, using a Microsoft CA,
for our internal and external users to get S/MIME certs for encrypted
email. We currently pay Verisign a yearly fee for every employee to
communicate with encrypted email. We want the CA to be available for
others to download the public keys so customers can communicate
securely. You might ask how this relates to ADFS. Well, we want
to allow external employees to log in to the CA to get an
updated cert if needed and provide access to other HR apps in the
process.

Is ADFS the solution for this concept? Is there a better way to
implement this concept? If there is a better group for this
question, let me know.

Thanks!
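The chain of trust the thread keeps coming back to (an internal root, a sub-CA that does the day-to-day issuing, an S/MIME cert per employee, and the requirement that customers have the root before anything the sub-CA issued will validate for them) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the thread, from Microsoft's CA product or from ADFS; it uses the Python `cryptography` package, and every name, lifetime and key type in it is a constructed assumption. `chain_is_trusted` is a deliberately simple walk (signature, issuer/subject match, CA flag) with no revocation or validity-period checks, so it shows the structural point only: the same leaf passes against a trust store holding the company root and fails against an empty store or an unrelated root, which is what Joe means by a revoked or untrusted CA cert invalidating everything below it.

```python
"""Two-tier private PKI: offline root -> online issuing sub-CA -> S/MIME leaf.

Constructed example using the `cryptography` package. Organization name,
common names, lifetimes and the EC key type are illustrative assumptions.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SMIME_EKU = ExtendedKeyUsageOID.EMAIL_PROTECTION  # id-kp-emailProtection


def _name(common_name):
    return x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),  # constructed
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])


def _validity(days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=days)


def make_ca(common_name, issuer_key=None, issuer_cert=None, path_len=None, days=3650):
    """Create a CA certificate. With no issuer it is self-signed (the root);
    with an issuer it is a subordinate CA signed by the issuer's key."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = _name(common_name)
    not_before, not_after = _validity(days)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_cert.subject if issuer_cert else subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=path_len), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
        .sign(issuer_key or key, hashes.SHA256())
    )
    return key, cert


def issue_smime_cert(issuer_key, issuer_cert, common_name, email, days=365):
    """Issue an end-entity S/MIME certificate from the (online) sub-CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    not_before, not_after = _validity(days)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(issuer_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([SMIME_EKU]), critical=False)
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
        .sign(issuer_key, hashes.SHA256())
    )
    return key, cert


def is_smime_cert(cert):
    """True if the certificate carries the emailProtection EKU."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return SMIME_EKU in eku


def _signed_by(cert, issuer):
    """True if `issuer` is named as the issuer and its key verifies the signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False


def chain_is_trusted(leaf, intermediates, trusted_roots):
    """Walk leaf -> intermediates -> a root the relying party holds in its store.
    Structural check only (no revocation or validity-period handling)."""
    current = leaf
    for ca in intermediates:
        ca_flag = ca.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
        if not ca_flag or not _signed_by(current, ca):
            return False
        current = ca
    return any(_signed_by(current, root) for root in trusted_roots)


if __name__ == "__main__":
    root_key, root_cert = make_ca("Example Corp Offline Root CA", path_len=1)
    sub_key, sub_cert = make_ca("Example Corp Issuing CA", root_key, root_cert, path_len=0)
    _, alice = issue_smime_cert(sub_key, sub_cert, "Alice Example", "alice@example.com")
    print("customer with root installed:", chain_is_trusted(alice, [sub_cert], [root_cert]))
    print("customer without the root:  ", chain_is_trusted(alice, [sub_cert], []))
```

The root's private key is only used once here, to sign the sub-CA; in the deployment nboothe describes that is the key that stays offline, while `sub_key` is the one the internet-facing issuing CA holds. The empty-trust-store call at the end is the customer who never downloaded the root, which is why the original post wants the root's public key published.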

