
2003/R2 certificate server questions

Posted by eric.hall on March 12, 2007, 10:24 pm
I am currently planning a private CA rollout for my network. I have
been using a single openssl CA but I am looking to do a two-tier
model, so that the root CA only signs a couple of sub-CAs and a couple
of machines and users that are themselves in the root.

foo.com <--offline root, probably using openssl
--corp.foo.com <--2003 R2 certificate server for corp.foo.com AD domain
--labs.foo.com <--openssl certificate server for linux/samba/* domain

The last time I did this I was using Windows Server 2000 and it wasn't
all that flexible (or I couldn't figure it out, which is entirely
possible). I've looked at Microsoft's "Best Practices" web pages for
2003 and it looks like it should work. I've also watched a couple of
web casts on the subject, and it also appears that this should work,
but all that material is pretty much designed for three-tier installs
that are all 100% MS certificate servers with everything in the AD
store. I'm not doing that, so... questions:

What kind of CA type should I specify for the 2003 R2 box? I want it
to be online, and I want to get the benefits of directory integrated
certificates, but I also want to be able to issue random certificates
for non-integrated users and devices and whatnot. This is probably the
most confusing part to me, and where I ran into trouble with Windows
2000 Server.

Can I use openssl CA for the off-line root? I know I can import the CA
and CRL, but there is a lot of talk about AD in the material, so I'm
worried about this. Will it work?

There are some pretty robust recommendations against running a CA on a
DC. However, given my current hardware restrictions, it seems like
this is going to be necessary in the short-term (another year or so).
The box is behind firewalls, only a couple of users will have access,
and it won't be the whole root CA, so I'm not too concerned about the
security issues. But will the management issues also apply (i.e., can I
move the cert store around, demote the DC, and whatnot)?

Anything else I should know?

Thanks for the info
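The two-tier layout sketched above (offline OpenSSL root, one subordinate issuing CA, root CRL published for import), built end to end as an added example that is not the poster's setup: the root signs the subordinate's CSR with CA:TRUE and pathlen:0, issues an empty CRL, and the chain is then verified with revocation checking. Key sizes, lifetimes, subject names and file names are assumed for the demonstration.

```shell
#!/bin/sh
# Two-tier PKI skeleton: offline root (foo.com) signs one subordinate CA
# (corp.foo.com) and publishes a CRL.  All values are demo assumptions.
set -eu

build_two_tier_pki() (
  dir="$1"; mkdir -p "$dir"; cd "$dir"

  # Root profile: CA:TRUE, key usage limited to signing certs and CRLs.
  # No pathlen, so the root may sign further sub-CAs later (labs.foo.com).
  printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' > root.ext
  # Subordinate profile: pathlen:0 lets it issue end-entity certificates
  # but forbids it from creating another CA underneath itself.
  printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
    'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' \
    'authorityKeyIdentifier = keyid:always' > sub.ext

  # 1. Offline root: private key and self-signed certificate.
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -new -key root.key -subj '/CN=foo.com Root CA' -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile root.ext -out root.pem 2>/dev/null

  # 2. Subordinate CA: only the CSR travels to the root; the sub-CA's
  #    private key never leaves the online box.
  openssl genrsa -out sub.key 2048 2>/dev/null
  openssl req -new -key sub.key -subj '/CN=corp.foo.com Issuing CA' -out sub.csr
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile sub.ext -out sub.pem 2>/dev/null

  # 3. Root CRL (empty for now).  Relying parties checking revocation on the
  #    sub-CA certificate need a current CRL from the root, so publish one
  #    (and its renewal schedule) before the root goes offline.
  : > index.txt; echo 01 > crlnumber
  printf '%s\n' '[ca]' 'default_ca = root_ca' '[root_ca]' \
    'database = index.txt' 'crlnumber = crlnumber' > ca.cnf
  openssl ca -config ca.cnf -gencrl -keyfile root.key -cert root.pem \
    -md sha256 -crldays 30 -out root.crl 2>/dev/null

  # 4. Verify the chain as a relying party would, with CRL checking on.
  openssl verify -CAfile root.pem -CRLfile root.crl -crl_check sub.pem
)
```

The sub.pem and root.pem/root.crl files are what the Windows issuing CA installation and the AD CA/CRL import respectively consume.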

