
setting up 2-Tier CA Environment

Posted by Jaye on July 14, 2005, 3:36 pm
Hello,

I am implementing a Windows Server 2003 2-Tier CA environment but am having
trouble finding good documentation on how to do it. I would like to be able
to set this all up without having to become a CA expert! I downloaded
several documents from Microsoft, including their Best Practices document.
The Best Practices looks good but it only explains a 3-Tier environment. It
will say things in it about "You don't need this step for a 1-Tier" but it
says nothing about 2-Tiers. With that document, do I just combine the
Offline Root and Offline Intermediate Servers into one and follow the same
directions only on one server? Is there another source out there that
anyone knows of for 2-Tiers?

Thank you,

~Jaye




Posted by S. Pidgorny on July 16, 2005, 9:35 pm
Jaye,

This is a common sense thing: install root CA, sign the subordinate CA key,
backup, turn off, lock forever. Then use the subordinate CA to do the job.

Any difficulties - ask back in the newsgroup


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

> Hello,
>
> I am implementing a Windows Server 2003 2-Tier CA environment but am having
> trouble finding good documentation on how to do it. I would like to be able
> to set this all up without having to become a CA expert! I downloaded
> several documents from Microsoft, including their Best Practices document.
> The Best Practices looks good but it only explains a 3-Tier environment. It
> will say things in it about "You don't need this step for a 1-Tier" but it
> says nothing about 2-Tiers. With that document, do I just combine the
> Offline Root and Offline Intermediate Servers into one and follow the same
> directions only on one server? Is there another source out there that
> anyone knows of for 2-Tiers?
>
> Thank you,
>
> ~Jaye
>
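The command-line side of the sequence S. Pidgorny outlines (install root, sign the subordinate's key, back up, power off, let the subordinate do the work), as an added example that is not part of the thread. It uses the certutil and certreq tools that ship with Windows Server 2003 Certificate Services. The CA name ROOTCA, the removable drive E:, the web host pki.example.com and the file names are all assumed placeholders; the root itself is installed as a stand-alone root CA through Add/Remove Windows Components on a machine that is never joined to the domain, and the subordinate's request file is the one its own setup wizard saves when you choose to save the request to a file. One caveat the thread does not mention: an offline root cannot publish to Active Directory itself, so the CDP and AIA URLs it stamps into the subordinate's certificate must be configured before that certificate is issued, or revocation checking on everything below the subordinate will fail.

```batch
@echo off
rem Added example, not from the thread. Assumed names: root CA "ROOTCA" on a
rem stand-alone, never domain-joined machine; E: is the removable media carried
rem between root and subordinate; pki.example.com is a placeholder web host.

rem ---- Part 1: on the OFFLINE ROOT, before it issues anything ----
rem URL flags: 1 = write the file here, 2 = put the URL in issued certs' CDP/AIA,
rem 8 = put the URL in CRLs; 10 = 2 + 8. %% is a literal % inside a batch file.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.example.com/pki/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.example.com/pki/%%1_%%3%%4.crt"
rem Lifetime of the subordinate CA certificates this root will issue.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
net stop certsvc
net start certsvc

rem Sign the subordinate CA's request (carried over on E:); the issued
rem certificate goes back on the same media.
certreq -submit -config "%COMPUTERNAME%\ROOTCA" E:\SubCA.req E:\SubCA.cer
rem If the root holds requests as pending, approve and fetch by request ID:
rem   certutil -resubmit <RequestId>
rem   certreq -retrieve -config "%COMPUTERNAME%\ROOTCA" <RequestId> E:\SubCA.cer

rem Export the root certificate and a freshly generated CRL for distribution,
rem then back up the CA (database and keys) before powering the machine off.
certutil -ca.cert E:\RootCA.crt
certutil -crl
copy /Y "%WINDIR%\system32\CertSrv\CertEnroll\ROOTCA.crl" E:\RootCA.crl
certutil -backup E:\RootCA-backup

rem ---- Part 2: on a domain member, as an Enterprise Admin ----
rem Publish the root certificate and CRL into AD (domain members pick them up
rem from there) and copy both files to the http location configured above.
certutil -dspublish -f E:\RootCA.crt RootCA
certutil -dspublish -f E:\RootCA.crl

rem ---- Part 3: on the SUBORDINATE CA ----
certutil -addstore -f Root E:\RootCA.crt
certutil -installcert E:\SubCA.cer
net start certsvc
rem Chain and revocation check; run it where the http/ldap CDP is reachable.
certutil -ca.cert C:\SubCA-check.cer
certutil -verify -urlfetch C:\SubCA-check.cer
```

The final `certutil -verify -urlfetch` is the check worth keeping: it walks the chain from the subordinate's certificate to the root and actually fetches the CRL from the URLs embedded in the certificate, so a typo in the CDP configuration shows up here rather than in every client's event log later.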




Posted by Brian Komar on July 16, 2005, 7:12 pm
> Jaye,
>
> This is a common sense thing: install root CA, sign the subordinate CA key,
> backup, turn off, lock forever. Then use the subordinate CA to do the job.
>
> Any difficulties - ask back in the newsgroup
>
>
>
Do remember to turn on the root periodically to:
- update the base CRL for the root CA
- Issue new subordinate CA certificates
- Renew the root CA certificate
- Renew the subordinate CA(s) certificate(s)
- Revoke a subordinate CA certificate (hopefully never)

Brian
--
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
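A maintenance run for the offline root covering the tasks Brian Komar lists, as an added example that is not part of his reply. The CA name ROOTCA and drive E: are assumed placeholders, and the revocation, root renewal and subordinate renewal steps are left as comments because they are only run when needed; the CRL publication, export and backup are run every time. The reason to schedule the power-on at all is the CRL's Next Update field: once the root's base CRL expires, revocation checking fails for every certificate chained through the subordinate, so the first thing to read on each visit is when the next publication is due.

```batch
@echo off
rem Added example, not from the thread. Run on the OFFLINE ROOT each time it is
rem powered on; assumed CA name ROOTCA, removable media E:, placeholders in <>.

rem 1. When is the next CRL due? Schedule the following power-on before that date.
certutil -getreg CA\CRLNextPublish
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod

rem A root's CRL only ever lists subordinate CAs, so a long validity keeps the
rem power-on cadence manageable; delta CRLs make no sense on an offline CA.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
net stop certsvc
net start certsvc

rem 2. Only if needed: revoke a subordinate CA certificate by its serial number
rem (reason codes: 1 = key compromise, 2 = CA compromise, 4 = superseded,
rem 5 = cessation of operation). Everything that subordinate issued then fails.
rem certutil -revoke <SerialNumber> 1

rem 3. Only if needed: renew the root's own certificate. Reusing the key pair
rem keeps existing subordinate certificates chaining to the new root certificate.
rem certutil -renewCert ReuseKeys

rem 4. Only if needed: sign a subordinate CA renewal request carried over on E:.
rem certreq -submit -config "%COMPUTERNAME%\ROOTCA" E:\SubCA-renew.req E:\SubCA-renew.cer

rem 5. Always: publish a fresh base CRL, read its ThisUpdate/NextUpdate lines,
rem export certificate and CRL for AD/http publication, back up, power off.
certutil -crl
certutil -dump "%WINDIR%\system32\CertSrv\CertEnroll\ROOTCA.crl" | findstr /I /C:"Update"
copy /Y "%WINDIR%\system32\CertSrv\CertEnroll\ROOTCA.crl" E:\RootCA.crl
certutil -ca.cert E:\RootCA.crt
certutil -backup E:\RootCA-backup
shutdown /s /t 0
```

The exported CRL (and, after a root renewal, the new root certificate) still has to be carried to a domain member and published with `certutil -dspublish -f` and copied to the http location, exactly as at initial setup; the root cannot do that part itself.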

