Convert Enterprise Root CA to Standalone CA and moving to Multiple Subordinate CA structure
- From: Chris Morley <morleyc@xxxxxxxxx>
- Date: Tue, 18 Mar 2008 05:22:42 -0700 (PDT)
Hi, my existing setup is/was simple. Had a single site active
directory for 30 users and an exchange server.
All computer workstation identification certs were pushed out via
autoenrollment and as such they trust the root CA which was the one to
issue the certificates.
As i will now have a number of sites i think it would be prudent to
have subordinate CAs at each remote location to issue certificates
there.
My question is, how would this affect the current computers having the
existing CA where it is directly issued from the enterprise root,
compared to other computers who were issued via the subordinate CA
when i get them running? Im guessing not much, since all computers
will trust the root anyway through thet certificate tree? Only down
side is if the root got comprimised in this scenario since they would
still trust it.
To aid my understanding, do enterprise root CA issue certificates to
workstations by default? Im guessing not, since i had to create a
workstation identification template.
How could i ensure in future that the root CA only issues certificates
for other subordinate CA's and NOT workstations? Would this be through
the certificate management mmc console? Is this controlled by active
directory GPO or some other setting?
Finally, given the site links are expanding, Is it possible to move my
existing enterprise root CA to a standalone root CA, and then create
multiple subordinate CAs to issue certs on the clients behalf? This
would be the ideal setup as a managed upgrading process.
Many thanks in advance,
Chris
.
- Prev by Date: Re: Export Policies from GPO to Security Template
- Next by Date: Re: Errors when opening sites and services console
- Previous by thread: Export Policies from GPO to Security Template
- Next by thread: Re: List all users with 'Password Never Expires'
- Index(es):
Relevant Pages
|
