Question regarding PKI architecture with cross domain trusts.

microsoft.public.windows.server.security

Posted by Enrico on September 17, 2007, 2:48 pm
Hello all,

I have the following PKI architecture implemented in a dev environment

1 Offline Root CA
Root CA Certificate Properties:
CDP: ldap location on both DomainA and DomainB
AIA: ldap location on both DomainA and DomainB

2 Online Enterprise Issuing CAs
1 in DomainA
1 in DomainB

There is also a cross-domain trust established between DomainA and
DomainB.
-------------------------------------------------

As of now there seems to be no issue with certificate communication
between a server on DomainA and a server on DomainB, but I am unsure
as to how this communication would be affected when I introduce a new
domain (DomainC) to the mix.

To add a new domain to this architecture I would do the following:
1. Bring the root CA online.
2. Update the CDP and AIA points to include the ldap location of
DomainC.
3. Publish that certificate to the new domain and create an issuing CA
on that domain, in the same way as I did for DomainA and DomainB.
4. Establish a cross domain trust with Domain A and DomainC.

Questions
----------------
1. Is the certificate communication between DomainA and DomainB
servers dependent on the CDP and AIA lists or just the fact that they
trust the Root Certificate signature?
2. Since the CDP and AIA points will change in the Root CA
certificate, will DomainA and DomainC have certificate communication
issues, since the updated Root CA certificate will be contained in
DomainC but not in DomainA (which essentially uses the certificate without
the updated CDP and AIA extensions)?
3. As a side note, does disabling the certificate revocation checks
affect the validity of a certificate?

Thank you


Posted by Brian Komar on September 17, 2007, 3:29 pm
A couple of thoughts inline:
Brian

> Hello all,
>
> I have the following PKI architecture implemented in a dev environment
>
> 1 Offline Root CA
> Root CA Certificate Properties:
> CDP: ldap location on both DomainA and DomainB
> AIA: ldap location on both DomainA and DomainB

In your environment, I would only use HTTP locations for the CDP and AIA,
rather than LDAP. The reason is how the certificate validation engine works.
For the users in the domain that is first in the list of LDAP URLs,
everything is great. Fast responses to CRL validation downloads. For the
other users.... well..... they....... have ....... to .........
wait......... for the first .............. LDAP URL ....... to fail
If you add a third domain to the mix, there is going to be a case where they
now have to fail again.

>
> 2 Online Enterprise Issuing CAs
> 1 in DomainA
> 1 in DomainB

This is good. In fact, I would recommend having an HTTP URL first followed
by an LDAP URL only containing the local domain's LDAP URLs.

>
> There is also a cross-domain trust established between DomainA and
> DomainB.
> -------------------------------------------------
>
> As of now there seems to be no issue with certificate communication
> between a server on DomainA and a server on DomainB, but I am unsure
> as to how this communication would be affected when I introduce a new
> domain (DomainC) to the mix.
>
> To add a new domain to this architecture I would do the following:
> 1. Bring the root CA online.
> 2. Update the CDP and AIA points to include the ldap location of
> DomainC.

I would update to only use HTTP URLs. In any kind of cross forest
environment, I would only use HTTP URLs. Alternatively, you could introduce
an ADAM server or other LDAP server, and use LDAP.


> 3. Publish that certificate to the new domain and create an issuing CA
> on that domain, similar as I did for DomainA and DomainB.
Yep

> 4. Establish a cross domain trust with Domain A and DomainC.
>

5. Renew the DomainA and DomainB subCA certificates so that they only
contain the HTTP URL in the SubCA certificate.

> Questions
> ----------------
> 1. Is the certificate communication between DomainA and DomainB
> servers dependent on the CDP and AIA lists or just the fact that they
> trust the Root Certificate signature?

Both. They must trust the root signature, but they also will need to
download the CRL and CA certificate during chain validation.


> 2. Since the CDP and AIA points will change in the Root CA
> certificate, will DomainA and DomainC have certificate communication
> issues, since the updated Root CA certificate will be contained in
> DomainC but not in DomainA (which essentially uses the certificate without
> the updated CDP and AIA extensions)?

There will not really be any issues, but I would recommend changing to just
an HTTP URL and renewing the DomainA and DomainB certificates.


> 3. As a side note, does disabling the certificate revocation checks
> affect the validity of a certificate?

No. But if you are disabling revocation checks, you have real problems with
your PKI and need to fix it. If you are not determining if a certificate is
revoked, what use are the certificates...

>
> Thank you
>

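The reply above recommends an HTTP URL first and only the local forest's LDAP URL second, then renewing the subCA certificates. The CDP and AIA URLs configured on a CA are written into the certificates that CA issues (not into its own certificate), so the root CA's setting governs what appears in the subCA certificates, and each issuing CA's setting governs the server certificates. Windows also does not consult the CDP/AIA extensions of a self-signed root at all, which is why the root certificate itself does not need to change. The following is an added example, not code from the thread or from Microsoft; it reconfigures one issuing CA the way Brian describes and renews its certificate. The host name pki.example.com, the root CA name "Offline Root CA" on host ROOTHOST, and the file names are assumptions, and the commands are the ones an AD CS administrator runs elevated on the issuing CA.

```powershell
# Added example (not from the thread): make an AD CS issuing CA put an HTTP
# URL first and only the local forest's LDAP URL second into the CDP and AIA
# extensions of the certificates it issues, then renew the CA certificate.
# Assumed placeholders: pki.example.com serves the CertEnroll directory over
# HTTP; the offline parent is "Offline Root CA" on ROOTHOST.
#
# certutil substitution tokens used below: %1 server DNS name, %2 server short
# name, %3 CA name, %4 renewal suffix, %6 forest configuration DN,
# %7 truncated CA name, %8 CRL name suffix, %9 delta CRL allowed,
# %10/%11 AD object classes.

# --- 1. CDP: flag bits for CA\CRLPublicationURLs ---
#   1  publish CRLs here            2  add URL to CDP of issued certificates
#   4  add URL to Freshest CRL ext  8  add URL to CRLs (AD publishing)
#   64 publish delta CRLs here
# CryptoAPI tries CDP URLs in the order they appear in the certificate, so the
# HTTP URL (reachable from every forest) goes before the forest-local LDAP URL.
$cdp = @(
    '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '6:http://pki.example.com/CertEnroll/%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
) -join '\n'          # literal \n is the separator certutil expects
certutil -setreg CA\CRLPublicationURLs $cdp

# --- 2. AIA: flag bits for CA\CACertPublicationURLs ---
#   1 publish the CA certificate here   2 add URL to AIA of issued certificates
$aia = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:http://pki.example.com/CertEnroll/%1_%3%4.crt',
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
) -join '\n'
certutil -setreg CA\CACertPublicationURLs $aia

# The registry changes take effect on service restart; then publish a CRL so
# the file (and hence HTTP) location is populated immediately.
net stop certsvc; net start certsvc
certutil -crl

# --- 3. Renew the issuing CA certificate (step 5 of the reply) ---
# ReuseKeys keeps the existing key pair, so certificates already issued still
# chain to this CA; only the CA certificate's CDP/AIA extensions change.
# With an offline parent, certutil saves a renewal request file (path is shown
# in its output) instead of submitting it. Assumed file name: IssuingCA.req.
certutil -renewCert ReuseKeys

# On the offline root (carry the .req over by removable media):
#   certreq -submit -config "ROOTHOST\Offline Root CA" IssuingCA.req IssuingCA.cer
#   if the root holds it as pending: certutil -resubmit <RequestId>
#                                    certreq -retrieve <RequestId> IssuingCA.cer
# Back on the issuing CA, install the renewed certificate and restart:
#   certutil -installCert IssuingCA.cer
#   net stop certsvc; net start certsvc

# --- 4. Confirm the renewed CA certificate carries the intended URLs ---
# -ca.cert exports the CA's current certificate; -verify -urlfetch then walks
# the chain and fetches every CDP/AIA URL, printing a result per URL. A long
# stall on an ldap:/// entry here is exactly the cross-forest wait described.
certutil -ca.cert "$env:TEMP\IssuingCA-current.cer"
certutil -verify -urlfetch "$env:TEMP\IssuingCA-current.cer"
```

Two practical points: the CA only writes the CRL and CA certificate to the file path, so the HTTP host must serve that CertEnroll directory (or receive a scheduled copy of it), and every client in every forest must be able to resolve and reach pki.example.com. The root CA gets the same treatment while it is offline: set its CDP/AIA URLs to the HTTP location, restart it, and the renewed subCA certificates it signs will carry the HTTP URL, which is what step 5 relies on.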

Posted by Enrico on September 17, 2007, 4:47 pm
Brian,

Thanks for the input.

If I choose to renew my Issuing CA certificates on DomainA and
DomainB, then I would have to recreate all the server certificates
that were assigned to the servers in Domain A and B, correct?

I am just trying to get an idea of what sort of impact this change
would pose on the infrastructure that is currently in place.

Thanks again


Posted by Brian Komar on September 17, 2007, 6:27 pm
Not necessarily. The certificates are working, but you will potentially run
into some performance issues.
As long as you do not revoke the certificates they will continue to work.

Brian


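Brian's answer is that existing server certificates keep working after the CA renewal, with at most a performance cost from the old URLs. The check below is an added example, not part of the thread: it takes a server certificate issued before the renewal, clears the user's cached CRLs so validation has to go to the network, times a full chain build with URL retrieval, and then builds the chain through .NET with revocation checking on, so that a CDP that cannot be reached shows up as a revocation-status problem rather than as an invalid certificate (the distinction behind question 3). The subject string srv1.domainb.local is an assumption; replace it with a certificate from the other forest.

```powershell
# Added example (not from the thread): validate a pre-renewal server
# certificate end to end and see where the time goes. Assumption: a server
# certificate whose subject contains srv1.domainb.local is in the machine's
# Personal store (substitute any certificate issued by the other forest's CA).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match 'srv1\.domainb\.local' } |
        Select-Object -First 1
if (-not $cert) { throw 'No matching certificate found in Cert:\LocalMachine\My' }
$cerPath = Join-Path $env:TEMP 'srv1.cer'
[System.IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))

# Discard the current user's cached CRLs so the next validation must fetch
# them again; this reproduces a client's first validation after the change.
certutil -urlcache crl delete

# Time the chain build including every CDP/AIA fetch; each URL in the report
# is marked Verified or Failed, and a slow or failing ldap:/// entry is the
# cross-forest problem the thread is about.
$report  = Join-Path $env:TEMP 'verify.txt'
$elapsed = Measure-Command { certutil -verify -urlfetch $cerPath | Out-File $report }
"Chain build with URL retrieval took {0:N1} s" -f $elapsed.TotalSeconds
Select-String -Path $report -Pattern 'Verified|Failed|Error retrieving|\[\d' |
    ForEach-Object { $_.Line.Trim() }

# Build the chain with revocation checking on (Windows default). A valid
# certificate passes whether or not revocation is checked; turning the check
# off only removes the ability to notice a revoked one. RevocationStatusUnknown
# or OfflineRevocation in ChainStatus means the CDP was unreachable, which is
# a URL problem, not a bad certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'       # not 'NoCheck'
$chain.ChainPolicy.RevocationFlag      = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
$ok = $chain.Build($cert)
"Chain valid: $ok"
$chain.ChainStatus   | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
```

Run it once from a machine in the other forest before and after the CA renewal: the pre-renewal chain still validates (the server certificate's issuer key has not changed when the CA was renewed with ReuseKeys), and the elapsed time is what the old LDAP-only URLs were costing.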
