Click here to get back home

how many CA's (cross posted...)
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
how many CA's (cross posted...) Marco Tonoli 10-24-2006
Get Chitika Premium
Posted by Marco Tonoli on October 24, 2006, 12:23 pm
Please log in for more thread options
 Hi all, i have a question:

i have a PKI infrastructure, with a offline root, an enterprise CA and a
domain controller. We use PKI for smart card, email signing and what future
time will offer...
Now we start a branch office with many user so i make a new domain
controller (for same central domain) in the branch office for autentication
speed and geographics redundance. The lan's have non egual ip addressment but
one see each other. I'll correctly set "site and service" applet so pc remote
will use remote DC.
My question is... i need also a second CA in the branch office ? if not i
can have speed problem ? (i don't kon how fast is connection, specifically
during working hour).

And, if i need a second CA, can install on DC ? (i think have not CPU power
problem and no security access problem) and there same particolar procedure
to avoid strange situation like pc autentication or PKI process on erratic CA
and DC ?

Thanks all in advance (and excuse my english.... writing from italy.)


Posted by MarioC on October 24, 2006, 3:23 pm
Please log in for more thread options
 Hi there,

Since the CA is only used when issueing certificates it would not make any
sense to install a second one in the branch office. All required information
(CRL, AIA) can be found redundant in AD.

Installing ca CA on a DC is supported. Best practice would be to install the
CA on a dedicated (virtual?) secure machine.

Mario




> Hi all, i have a question:
>
> i have a PKI infrastructure, with a offline root, an enterprise CA and a
> domain controller. We use PKI for smart card, email signing and what
> future
> time will offer...
> Now we start a branch office with many user so i make a new domain
> controller (for same central domain) in the branch office for
> autentication
> speed and geographics redundance. The lan's have non egual ip addressment
> but
> one see each other. I'll correctly set "site and service" applet so pc
> remote
> will use remote DC.
> My question is... i need also a second CA in the branch office ? if not i
> can have speed problem ? (i don't kon how fast is connection, specifically
> during working hour).
>
> And, if i need a second CA, can install on DC ? (i think have not CPU
> power
> problem and no security access problem) and there same particolar
> procedure
> to avoid strange situation like pc autentication or PKI process on erratic
> CA
> and DC ?
>
> Thanks all in advance (and excuse my english.... writing from italy.)
>



Posted by Marco Tonoli on October 25, 2006, 4:06 am
Please log in for more thread options
ok, so i issue a certificate from central, then crl and aia will found
locally trough the local DC because i correctly set "site and service"
applet. correct ?

Perfect.

If there is a problem on the line to-from branch office... wht typi of
result i can have ? I thnk only problem if i need to rennovate a certificate,
so think is better to issue certificate with duration long, something like 30
gg and hope 30th day line is ok. Correct ?

Thanks

Marco


"MarioC" wrote:

> Hi there,
>
> Since the CA is only used when issueing certificates it would not make any
> sense to install a second one in the branch office. All required information
> (CRL, AIA) can be found redundant in AD.
>
> Installing ca CA on a DC is supported. Best practice would be to install the
> CA on a dedicated (virtual?) secure machine.
>
> Mario
>
>
>
>
> > Hi all, i have a question:
> >
> > i have a PKI infrastructure, with a offline root, an enterprise CA and a
> > domain controller. We use PKI for smart card, email signing and what
> > future
> > time will offer...
> > Now we start a branch office with many user so i make a new domain
> > controller (for same central domain) in the branch office for
> > autentication
> > speed and geographics redundance. The lan's have non egual ip addressment
> > but
> > one see each other. I'll correctly set "site and service" applet so pc
> > remote
> > will use remote DC.
> > My question is... i need also a second CA in the branch office ? if not i
> > can have speed problem ? (i don't kon how fast is connection, specifically
> > during working hour).
> >
> > And, if i need a second CA, can install on DC ? (i think have not CPU
> > power
> > problem and no security access problem) and there same particolar
> > procedure
> > to avoid strange situation like pc autentication or PKI process on erratic
> > CA
> > and DC ?
> >
> > Thanks all in advance (and excuse my english.... writing from italy.)
> >
>
>
>

Posted by MarioC on October 25, 2006, 12:26 pm
Please log in for more thread options
: quoted-printable




> ok, so i issue a certificate from central, then crl and aia will found =

> locally trough the local DC because i correctly set "site and service" =

> applet. correct ?
>=20

Correct.

> Perfect.
>=20
> If there is a problem on the line to-from branch office... wht typi =
of=20
> result i can have ? I thnk only problem if i need to rennovate a =
certificate,=20
> so think is better to issue certificate with duration long, something =
like 30=20
> gg and hope 30th day line is ok. Correct ?
>=20

If the line to your branch office goes down nobody could issue or renew =
new certificates. Since CRL and AIA information is stored in your AD =
applications including smart card logon are not affected.

I would suggest to set the certificate life time to about 1 year. You =
can set the renewal interval to about 6-8 weeks before expiration. So =
6-8 weeks before the user's certificate is going to expire Windows XP =
can auto-renew the smartcard logon certificate. A "balloon tip" will pop =
up which informs the user that his certificate has to be renewed. The =
user only has to provide the PIN code to access the smart card.

Mario


> Thanks=20
>=20
> Marco
>=20
>=20
> "MarioC" wrote:
>=20
>> Hi there,
>>=20
>> Since the CA is only used when issueing certificates it would not =
make any=20
>> sense to install a second one in the branch office. All required =
information=20
>> (CRL, AIA) can be found redundant in AD.
>>=20
>> Installing ca CA on a DC is supported. Best practice would be to =
install the=20
>> CA on a dedicated (virtual?) secure machine.
>>=20
>> Mario
>>=20
>>=20
>>=20
>>=20
message=20
>> > Hi all, i have a question:
>> >
>> > i have a PKI infrastructure, with a offline root, an enterprise CA =
and a
>> > domain controller. We use PKI for smart card, email signing and =
what=20
>> > future
>> > time will offer...
>> > Now we start a branch office with many user so i make a new domain
>> > controller (for same central domain) in the branch office for=20
>> > autentication
>> > speed and geographics redundance. The lan's have non egual ip =
addressment=20
>> > but
>> > one see each other. I'll correctly set "site and service" applet so =
pc=20
>> > remote
>> > will use remote DC.
>> > My question is... i need also a second CA in the branch office ? if =
not i
>> > can have speed problem ? (i don't kon how fast is connection, =
specifically
>> > during working hour).
>> >
>> > And, if i need a second CA, can install on DC ? (i think have not =
CPU=20
>> > power
>> > problem and no security access problem) and there same particolar=20
>> > procedure
>> > to avoid strange situation like pc autentication or PKI process on =
erratic=20
>> > CA
>> > and DC ?
>> >
>> > Thanks all in advance (and excuse my english.... writing from =
italy.)
>> >=20
>>=20
>>=20
>>
------=_NextPart_000_000A_01C6F863.09C31B30
Content-Type: text/html;
        charset="Utf-8"
Content-Transfer-Encoding: quoted-printable

=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>"Marco Tonoli" &lt;</FONT><A=20

size=3D2>MarcoTonoli@discussions.microsoft.com</FONT></A><FONT =
face=3DArial=20
size=3D2>&gt; wrote in message </FONT><A=20
face=3DArial=20
A><FONT=20
face=3DArial size=3D2>...</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>&gt; ok, so i issue a certificate from =
central,=20
then crl and aia will found <BR>&gt; locally trough the local DC because =
i=20
correctly set "site and service" <BR>&gt; applet. correct ?<BR>&gt;=20
</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial color=3D#ff0000 size=3D2>Correct.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT><BR><FONT face=3DArial =
size=3D2>&gt;=20
Perfect.<BR>&gt; <BR>&gt; If there is a problem on the line to-from =
branch=20
office...&nbsp; wht typi of <BR>&gt; result i can have ? I thnk only =
problem if=20
i need to rennovate a certificate, <BR>&gt; so think is better to issue=20
certificate with duration long, something like 30 <BR>&gt; gg and hope =
30th day=20
line is ok. Correct ?<BR>&gt; </FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial color=3D#ff0000 size=3D2>If the line to your =
branch office=20
goes down nobody could issue or renew&nbsp;new certificates. Since CRL =
and AIA=20
information is stored in your AD applications including smart card logon =
are not=20
affected.</FONT></DIV>
<DIV><FONT face=3DArial color=3D#ff0000 size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial color=3D#ff0000 size=3D2>I would suggest to set =
the=20
certificate life time to about 1 year. You can set the renewal interval =
to about=20
6-8 weeks before expiration. So 6-8 weeks before the user's certificate =
is going=20
to expire Windows XP can auto-renew the smartcard logon certificate. A =
"balloon=20
tip" will pop up which informs the user that his certificate has to be =
renewed.=20
The user only has to provide the PIN code to access the smart =
card.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial color=3D#ff0000 size=3D2>Mario</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT><BR><FONT face=3DArial =
size=3D2>&gt; Thanks=20
<BR>&gt; <BR>&gt; Marco<BR>&gt; <BR>&gt; <BR>&gt; "MarioC" =
wrote:<BR>&gt;=20
<BR>&gt;&gt; Hi there,<BR>&gt;&gt; <BR>&gt;&gt; Since the CA is only =
used when=20
issueing certificates it would not make any <BR>&gt;&gt; sense to =
install a=20
second one in the branch office. All required information <BR>&gt;&gt; =
(CRL,=20
AIA) can be found redundant in AD.<BR>&gt;&gt; <BR>&gt;&gt; Installing =
ca CA on=20
a DC is supported. Best practice would be to install the <BR>&gt;&gt; CA =
on a=20
dedicated (virtual?) secure machine.<BR>&gt;&gt; <BR>&gt;&gt; =
Mario<BR>&gt;&gt;=20
<BR>&gt;&gt; <BR>&gt;&gt; <BR>&gt;&gt; <BR>&gt;&gt; "Marco Tonoli" =
&lt;</FONT><A=20

size=3D2>MarcoTonoli@discussions.microsoft.com</FONT></A><FONT =
face=3DArial=20
size=3D2>&gt; wrote in message <BR>&gt;&gt; </FONT><A=20
face=3DArial=20
A><FONT=20
face=3DArial size=3D2>...<BR>&gt;&gt; &gt; Hi all, i have a =
question:<BR>&gt;&gt;=20
&gt;<BR>&gt;&gt; &gt; i have a PKI infrastructure, with a offline =
root,&nbsp; an=20
enterprise CA and a<BR>&gt;&gt; &gt; domain controller. We use PKI for =
smart=20
card, email signing and what <BR>&gt;&gt; &gt; future<BR>&gt;&gt; &gt; =
time will=20
offer...<BR>&gt;&gt; &gt; Now we start a branch office with many user so =
i make=20
a new domain<BR>&gt;&gt; &gt; controller (for same central domain) in =
the branch=20
office for <BR>&gt;&gt; &gt; autentication<BR>&gt;&gt; &gt; speed and=20
geographics redundance. The lan's have non egual ip addressment =
<BR>&gt;&gt;=20
&gt; but<BR>&gt;&gt; &gt; one see each other. I'll correctly set "site =
and=20
service" applet so pc <BR>&gt;&gt; &gt; remote<BR>&gt;&gt; &gt; will use =
remote=20
DC.<BR>&gt;&gt; &gt; My question is... i need also a second CA in the =
branch=20
office ? if not i<BR>&gt;&gt; &gt; can have speed problem ? (i don't kon =
how=20
fast is connection, specifically<BR>&gt;&gt; &gt; during working=20
hour).<BR>&gt;&gt; &gt;<BR>&gt;&gt; &gt; And, if i need a second CA, can =
install=20
on DC ? (i think have not CPU <BR>&gt;&gt; &gt; power<BR>&gt;&gt; &gt; =
problem=20
and no security access problem) and there same particolar <BR>&gt;&gt; =
&gt;=20
procedure<BR>&gt;&gt; &gt; to avoid strange situation like pc =
autentication or=20
PKI process on erratic <BR>&gt;&gt; &gt; CA<BR>&gt;&gt; &gt; and DC=20
?<BR>&gt;&gt; &gt;<BR>&gt;&gt; &gt; Thanks all in advance (and excuse my =

english.... writing from italy.)<BR>&gt;&gt; &gt; <BR>&gt;&gt; =
<BR>&gt;&gt;=20
<BR>&gt;&gt;</FONT></DIV></BODY></HTML>

------=
Posted by Marco Tonoli on October 25, 2006, 1:16 pm
Please log in for more thread options
Thanks Mario, you help was very useful.

Marco

"MarioC" wrote:

>
>
>
> > ok, so i issue a certificate from central, then crl and aia will found
> > locally trough the local DC because i correctly set "site and service"
> > applet. correct ?
> >
>
> Correct.
>
> > Perfect.
> >
> > If there is a problem on the line to-from branch office... wht typi of
> > result i can have ? I thnk only problem if i need to rennovate a
certificate,
> > so think is better to issue certificate with duration long, something like
30
> > gg and hope 30th day line is ok. Correct ?
> >
>
> If the line to your branch office goes down nobody could issue or renew new
certificates. Since CRL and AIA information is stored in your AD applications
including smart card logon are not affected.
>
> I would suggest to set the certificate life time to about 1 year. You can set
the renewal interval to about 6-8 weeks before expiration. So 6-8 weeks before
the user's certificate is going to expire Windows XP can auto-renew the
smartcard logon certificate. A "balloon tip" will pop up which informs the user
that his certificate has to be renewed. The user only has to provide the PIN
code to access the smart card.
>
> Mario
>
>
> > Thanks
> >
> > Marco
> >
> >
> > "MarioC" wrote:
> >
> >> Hi there,
> >>
> >> Since the CA is only used when issueing certificates it would not make any
> >> sense to install a second one in the branch office. All required
information
> >> (CRL, AIA) can be found redundant in AD.
> >>
> >> Installing ca CA on a DC is supported. Best practice would be to install
the
> >> CA on a dedicated (virtual?) secure machine.
> >>
> >> Mario
> >>
> >>
> >>
> >>
> >> > Hi all, i have a question:
> >> >
> >> > i have a PKI infrastructure, with a offline root, an enterprise CA and a
> >> > domain controller. We use PKI for smart card, email signing and what
> >> > future
> >> > time will offer...
> >> > Now we start a branch office with many user so i make a new domain
> >> > controller (for same central domain) in the branch office for
> >> > autentication
> >> > speed and geographics redundance. The lan's have non egual ip addressment
> >> > but
> >> > one see each other. I'll correctly set "site and service" applet so pc
> >> > remote
> >> > will use remote DC.
> >> > My question is... i need also a second CA in the branch office ? if not i
> >> > can have speed problem ? (i don't kon how fast is connection, specifically
> >> > during working hour).
> >> >
> >> > And, if i need a second CA, can install on DC ? (i think have not CPU
> >> > power
> >> > problem and no security access problem) and there same particolar
> >> > procedure
> >> > to avoid strange situation like pc autentication or PKI process on
erratic
> >> > CA
> >> > and DC ?
> >> >
> >> > Thanks all in advance (and excuse my english.... writing from italy.)
> >> >
> >>
> >>
> >>

Similar ThreadsPosted
Publish the cross-certificates? July 25, 2008, 8:09 am
Share permissions - cross-domain May 1, 2006, 11:47 am
Point and Print in a Cross-Forest World July 27, 2006, 3:42 pm
Question regarding PKI architecture with cross domain trusts. September 17, 2007, 2:48 pm
Windows 2008 AD cross realm trust with MIT Kerberos realm August 1, 2008, 10:31 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap