Posted by Brian Komar [MVP] on March 13, 2007, 11:17 am
Short answers for now... longer to follow later today.
In article <1173796055.831288.221690@t69g2000cwt.googlegroups.com>, eric.hall@gmail.com says...
> [google groups is having posting problems; apologies for any dupes]
>
> I am currently planning a private CA rollout for my network. I have
> been using a single openssl CA but I am looking to do a two-tier
> model, so that the root CA only signs a couple of sub-CAs and a couple
> of machines and users that are themselves in the root.
>
> foo.com <--offline root, probably using openssl
> --corp.foo.com <--2003 R2 certificate server for corp.foo.com AD
> domain
> --labs.foo.com <--openssl certificate server for linux/samba/* domain
Should work. But you could service the requests from
the Win2k3 CA. But it is valid.
>
> The last time I did this I was using Windows Server 2000 and it wasn't
> all that flexible (or I couldn't figure it out, which is entirely
> possible). I've looked at Microsoft's "Best Practices" web pages for
> 2003 and it looks like it should work. I've also watched a couple of
> web casts on the subject, and it also appears that this should work,
> but all that material is pretty much designed for three-tier installs
> that are all 100% MS certificate servers with everything in the AD
> store. I'm not doing that, so... questions:
>
> What kind of CA type should I specify for the 2003 R2 box? I want it
> to be online, and I want to get the benefits of directory integrated
> certificates, but I also want to be able to issue random certificates
> for non-integrated users and devices and whatnot. This is probably the
> most confusing part to me, and where I ran into trouble with Windows
> 2000 Server.
Make sure you are running on Enterprise Edition, and use
an enterprise subordinate CA to meet your goals.
>
> Can I use openssl CA for the off-line root? I know I can import the CA
> and CRL, but there is a lot of talk about AD in the material, so I'm
> worried about this. Will it work?
Yes, you just need to make sure that you correctly
configure URLs for the CDP and AIA extension of the root
cert (if any included) and for the issued sub CA
certificates. Also ensure that the information is
maintained and up-to-date at the URLs.
>
> There are some pretty robust recommendations against running a CA on a
> DC. However, given my current hardware restrictions, it seems like
> this is going to be necessary in the short-term (another year or so).
> The box is behind firewalls, only a couple of users will have access,
> and it won't be the whole root CA, so I'm not too concerned about the
> security issues. But will the management issues also apply (ie, can I
> move the cert store around, demote the DC, and whatnot?)
>
Rethink this one. If you put it on a DC, you cannot move
it. This is the biggest issue in your design. Your only
choice is to basically remove the DC and keep it as a
CA. You cannot rename the CA netBIOS name nor change its
domain membership.
> Anything else I should know?
>
> Thanks for the info
>
>