Posted by BZP on December 10, 2007, 12:29 pm
Hello,
First, sorry for my poor English; the French NG didn't answer my topic.
I'll explain my need.
I have an AD forest which looks like this:
A root domain (technical domain, no user accounts) called ROOT.LOCAL.
I have two domain trees, ASIA.LOCAL and AMERICAS.LOCAL.
There are 4 sub-domains called JAPAN.ASIA.LOCAL and CHINA.ASIA.LOCAL (for the ASIA tree) and PERU.AMERICAS.LOCAL and MEXICO.AMERICAS.LOCAL (for the AMERICAS tree).
The AD site configuration matches the location names.
I want to implement a CA hierarchy like this:
One offline root CA, 2 offline policy CAs (one for each location, ASIA & AMERICAS) and one issuing CA for each domain tree.
1. I want to know how I can be sure that users in the ASIA tree will never ask for a certificate from a CA of the AMERICAS tree. Is it possible? In TechNet, it is specified that CA services (as a forest service) don't use site information.
I have several other questions too.
(I numbered them for easy answers.)
2. Is there one CRL distribution point per CA or per CA hierarchy?
3. When a client has to check a certificate chain, does it establish a network connection with each CA? Just one? Any?
4. When I add a CRL distribution point, do I have to renew older certificates? If I don't, are the older certificates still valid?
I have some difficulties identifying what the logical and physical components in a PKI are...
Thanks for your help.
Regards,
--
P.J.A.