Posted by Brian Komar [MVP] on March 13, 2007, 9:24 pm
In article <1173817783.817437.149340@n59g2000hsh.googlegroups.com>, eric.hall@gmail.com says...
>
> wrote:
>
> > You really do not need an additional subordinate CA
> > running OpenSSL to service requests from Linux/samba
> > clients
>
> The business groups are managed separately. But it's nice to know--I
> did not think it was possible to run multiple cert authorities in the
> same machine with Windows Cert Services, since there is only a one-
> time setup.
>
You cannot install two instances (unless using
virtualization and running two separate boxes
virtually).
What I am saying is there is no need to create a
separate CA for the Linux/samba domain. You can delegate
certificate management at the CA if you require the
separation. For example, you can set up a certificate
manager restriction that Bob can only manage
certificates issued to domain1\domain users and Alice
can only manage certificates issued to domain2\domain users.
> > > That will also let me manually create/sign certificates for use in
> > > things like switches and whatnot? With W2k EE, it seemed to just do
> > > automatic certs for users and machines, so this is my main point of
> > > concern.
> >
> > Automatic certs, Key archival and recovery, customizable
> > certificate templates. Lots.
>
> Okay great. I guess all this stuff is in the templates, which is what
> choked me before. I'll go find the docs for this.
LOL. I wrote the whitepaper. It is posted at
www.microsoft.com/pki. Also, I have a book on PKI you
may find useful
(http://www.microsoft.com/MSPress/books/6745.aspx)
>
> > > I can also uninstall the sub CA, revoke the cert, and reissue new
> > > certs if I move the sub CA later, right? I mean, creating an
> > > "enterprise" sub-CA doesn't permanently alter the directory does it?
> >
> > You can definitely do this but high TCO
>
> Not a major concern in this case, since there are very few nodes and
> users in that organization.
Cool
>
> Thanks for the answers!
>