Re: ADFS and Certificate Services



Ah, I see. I don't see any reason why you can't set up your own internal CA
that doesn't chain and use that as you see fit. I'm not at all an expert on
CAs and websites used to manage them, though. I'd ask in a different
group.

I don't see any reason why you couldn't use ADFS to secure such a site if
the site was Windows-based. ADFS even allows you to do client certificate
authentication if you wanted to use the certs you issue to authenticate,
although that gives you a chicken and egg problem.

I think the key for you is finding a CA product you like with an adequate
website interface. I'm sure the Windows CA has some sort of similar
capability, although I've never used it, so don't ask me. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"nboothe" <nboothe@xxxxxxxxx> wrote in message
news:1176906115.367007.75180@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
It sounds like I didn't explain the situation well. We have no interest
in becoming a commercial CA. You are right, way too much
responsibility. We just want to be able to give out certs to our own
employees to avoid the fee per cert from Verisign. We want a Root CA
internal to our network for our company. We want to put an offline
sub-CA on the internet for employees to access remotely to get certs.
We want them to be able to have a seamless connection from the
internet to our sub-CA.

On Apr 17, 4:35 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
ADFS is not really related to becoming a certificate vendor. ADFS uses
certificates, but it won't help you with requesting or issuing certs.

Essentially, to become a certificates "reseller", you need a CA certificate
that is signed by another CA that is chained to a publicly trusted root. To
get such a CA certificate, you generally pay a fairly large amount of money
(a few hundred K$, depending on the types of certificates you will be
issuing and other stuff) and you will need to adhere strictly to the
policies of your issuing CA or else they may revoke your certificate,
causing every certificate you issued to become invalid. It is a fairly
serious responsibility. If you talk with your cert vendor (Verisign), I'm
sure they have some commercial offerings along these lines that they could
tell you about.

I don't really see how ADFS would work into this unless you provided a
web-based UI for your CA and wanted to secure it using ADFS (which you
certainly could).

If you explain more, I might be able to provide more details. I also
suggest following up in one of the crypto newsgroups if you want to talk to
others who are more experienced with setting up a commercial CA.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"nboothe" <nboo...@xxxxxxxxx> wrote in message
news:1176836055.067116.280730@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I posted a few weeks ago about the basics of ADFS and Joe was gracious
enough to help me. I've made some progress, but am beginning to think
my concept might not even be possible and I'm hoping someone can
advise.

My company wants to implement single sign on, but more importantly we
want to become our own certificate authority, using a Microsoft CA,
for our internal and external users to get S/MIME certs for encrypted
email. We currently pay Verisign a yearly fee for every employee to
communicate with encrypted email. We want the CA to be available for
others to download the public keys so customers can communicate
securely. You might ask how does this relate to ADFS? Well, we want
to allow external employees to log in to the CA to get an
updated cert if needed and provide access to other HR apps in the
process.

Is ADFS the solution for this concept? Is there a better way to
implement this concept? If there is a better group for this
question, let me know.

Thanks!
