Posted by Brian Komar [MVP] on February 17, 2007, 1:54 pm
This would be the way to do it. What risk are you trying to mitigate
though? Is your CA deployed in a manner that it is exposed to the
Internet? Are you exposing your AD to the Internet for CRL retrieval?
Why not just use an HTTP URL if this is your concern?
Brian
david.wozny@gmail.com says...
> Hi,
> I'm deploying an enterprise root CA and want to re-configure the LDAP
> CDP container to not expose the CA's hostname, i.e. I replace the %%2
> parameter with the %%7 parameter in the script used to reconfigure the
> CA, so that the "CDP container name" is the same as the CA name.
> However, I have observed problems with this:
>
> A) I cannot control the default CDP the CA uses during installation,
> therefore I automatically get a CDP container which reflects the CA
> hostname.
>
> B) If I do the reconfigure script immediately after deployment, the CA
> cannot publish to the "%%7" container 'cus it doesn't exist.
>
> I'm currently getting around these problems by doing the following:
> 1. Manually create the required CDP container before I do the CA
> install; I use certutil -dspublish to do this with a "fake CRL",
> then throw away the CRL which is published
>
> 2. I install the CA and then run the reconfigure script and publish a
> fresh CRL
>
> 3. I then have to delete the default "%%2" container and CRL which is
> created by the CA install routine.
>
> I'm not saying this is particularly hard, but in the context of a CA
> ceremony it is not very elegant. Am I missing something, is there an
> easier way to do this?
>
> Hopefully, Chipeater
>
>
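The reconfiguration the thread is discussing, written out as an added example (this is not the poster's script and not Brian's): it rewrites the CA's CRL publication URLs so that neither the LDAP container nor the HTTP location embeds the server name (the %1 and %2 tokens), using the CA truncated name (%7) for the AD container and a hostname-neutral HTTP alias, then checks whether the %7 container already exists before the CA tries to publish to it. Assumed: an elevated PowerShell prompt on the CA host after the role is installed, that restarting certsvc is acceptable, and that pki.example.com is a placeholder for an HTTP host you control; %7 equals the sanitized CA name only for short CA names (longer names are truncated and hashed), so the DN check below assumes a short name.

```powershell
# Added example for this thread, not the poster's or Brian's script.
# Assumptions: elevated PowerShell on the CA; restarting certsvc is acceptable;
# pki.example.com is a placeholder HTTP CDP host; the CA name is short enough
# that %7 (CATruncatedName) equals the sanitized CA name.

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfg).Active            # name of the active CA instance

# Report which existing entries carry the server name: %1 = ServerDNSName,
# %2 = ServerShortName. The lookahead keeps %10 (CDPObjectClass) from matching.
$hostTokens = '%[12](?!\d)'
$current = (Get-ItemProperty "$cfg\$caName").CRLPublicationURLs
$current | Where-Object { $_ -match $hostTokens } |
    ForEach-Object { Write-Host "hostname-bearing CDP entry: $_" }

# Flag bits: 1 publish CRL here, 2 add to issued certs' CDP extension,
# 4 add to Freshest CRL extension, 8 add to the CRL's own CDP, 64 publish delta CRL.
# 79 = 1+2+4+8+64 (the default LDAP set), 65 = 1+64, 6 = 2+4.
$urls = @(
    '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl',
    # %7 as the container CN in place of the default %2 (server short name)
    '79:ldap:///CN=%7%8,CN=%7,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    # hostname-neutral HTTP alias, the option Brian raises in the thread
    '6:http://pki.example.com/CertEnroll/%3%8%9.crl'
)
# certutil -setreg takes a literal backslash-n as the REG_MULTI_SZ separator,
# so the values are joined with the two characters '\n', not a real newline.
certutil -setreg CA\CRLPublicationURLs ($urls -join '\n') | Out-Null

# The poster's problem B: the CA cannot publish to a %7 container that does not
# exist yet. Check AD and say so instead of letting the next CRL publish fail.
$configDN = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$cdpDN    = "CN=$caName,CN=CDP,CN=Public Key Services,CN=Services,$configDN"
if (-not [ADSI]::Exists("LDAP://$cdpDN")) {
    Write-Warning "CDP container $cdpDN does not exist; create it (the poster uses certutil -dspublish -f <crl> `"$caName`") before publishing."
}

Restart-Service certsvc
certutil -crl | Out-Null                            # publish a fresh CRL to the new locations

# Verify the effective setting no longer references the server name.
$after = (Get-ItemProperty "$cfg\$caName").CRLPublicationURLs
if ($after -match $hostTokens) { throw 'CRLPublicationURLs still contains a hostname-bearing entry' }
$after
```

After the first CRL is published, `certutil -verify -urlfetch` against a certificate issued by the CA fetches every CDP and AIA URL the certificate carries, which is the quickest way to confirm that clients will only see the %7 container and the HTTP alias. The HTTP entry carries flags 2 and 4 only (it is added to certificates but not published to by the CA), so the web host still needs its own copy of the CRL from the CertEnroll share.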