two CA certificates for IPSec or something...

microsoft.public.windows.server.security
Posted by Ondrej Sevecek on September 17, 2005, 3:58 pm
Is it possible to have more than one CA signing certificate on one
enterprise CA?

Or how to achieve this: to have two separate groups of computers using IPSec
where one group enrolls automatically, the other manually or with approval.
This should allow for restrictive and less restrictive IPSec filter rule
sets on a server.

O.




Posted by Brian Komar [MVP] on September 17, 2005, 9:41 am
Answers inline:
<ondra at my_surname dot com> says...
> is it possible to have more then one CA signing certificate on one
> enterprise CA?
No, the Microsoft CA will have a single, valid signing certificate for
the issuance of new certificates. It is possible that after the renewal
of a CA certificate, two or more CA certificates will exist and be valid
at the same time, but only the active certificate is used to sign new
requests. The previous certificates will be used to sign CRLs associated
with that certificate.

>
> Or how to achieve this: to have two separate groups of computers using IPSec
> where one group enrolls automatically, the other manually or with approval.
> This should allow for restrictive and less restrictive IPSec filter rule
> sets on a server.
>

You could use two certificate templates to accomplish this, but if you
are applying different IPSec filters, the authentication can only
indicate *which* root CA the chain is rooted in.

> O.
>
>
>


Posted by Ondrej Sevecek on September 17, 2005, 5:38 pm
> You could use two certificate templates to accomplish this, but if you
> are applying different IPSec filters, the authentication can only
> indicate *which* root CA the chain is rooted.

..... and if I used two templates, how would I distinguish them in the
filter rules?


O.





Posted by Brian Komar [MVP] on September 17, 2005, 4:44 pm
<ondra at my_surname dot com> says...
> > You could use two certificate templates to accomplish this, but if you
> > are applying different IPSec filters, the authentication can only
> > indicate *which* root CA the chain is rooted.
>
> .... and when I would use two templates, how to distinguish them in the
> filter rules?
>
>
> O.
>
>
>
>
This is the issue: the certificate templates would still chain to CAs
that chain to the same root.
Are there any other criteria that you could use, other than the
authentication, to isolate?
Brian


Posted by Ondrej Sevecek on September 18, 2005, 10:57 am
I cannot imagine one. I would like the isolation to occur on another basis
than IP, so I think the authentication is the only solution.
Installation of a subordinate CA would require strict security on the machine,
so we will probably install a standalone subordinate on a separate server that
will be used only for this purpose.

O.


> <ondra at my_surname dot com> says...
>> > You could use two certificate templates to accomplish this, but if you
>> > are applying different IPSec filters, the authentication can only
>> > indicate *which* root CA the chain is rooted.
>>
>> .... and when I would use two templates, how to distinguish them in the
>> filter rules?
>>
>>
>> O.
>>
>>
>>
>>
> This is the issue, the certificate templates would still chain to CAs
> that chain to the same root.
> Is there any other criteria that you could use, other than the
> authentication to isolate?
> Brian
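The point Brian makes in both replies (a template is recorded in the issued certificate, but the IPSec authentication rule only keys on the root the chain ends in) can be checked directly on a member server. The script below is an added example, not code from the thread or from either poster; it assumes a domain member whose machine certificates live in LocalMachine\My and that PowerShell 3 or later is available. It lists every machine certificate usable for IKE, reads the template extension an enterprise CA stamps into the certificate, builds the chain, and reports the issuing CA and the root. Certificates from two different templates on the same enterprise CA show up with different Template values but an identical RootCA value, which is exactly why a filter rule authenticating "certificate from this root" cannot tell them apart, and why a separate CA hierarchy (or, as Ondrej proposes, a standalone subordinate) is what actually changes the value the rule can see.

```powershell
# Added example (not from the thread): for each machine certificate usable for
# IPSec/IKE, report the template it was issued from and the CA chain it
# validates to. Two templates issued by the same enterprise CA show different
# template names but the same root, which is all the IPSec authentication
# rule discussed above can key on.
# Assumed: run elevated on a domain member with machine certs in LocalMachine\My.

$IkeIntermediateEku = '1.3.6.1.5.5.8.2.2'    # "IP security IKE intermediate"
$ClientAuthEku      = '1.3.6.1.5.5.7.3.2'    # Client Authentication
$TemplateV1Oid      = '1.3.6.1.4.1.311.20.2' # Certificate Template Name (v1 templates)
$TemplateV2Oid      = '1.3.6.1.4.1.311.21.7' # Certificate Template Information (v2+ templates)

function Get-IPsecCertificateChainInfo {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_

        # Keep only certificates whose EKU (if present) permits IKE or client auth.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku) {
            $usages = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku).EnhancedKeyUsages
            $allowed = $usages | Where-Object { $_.Value -in @($IkeIntermediateEku, $ClientAuthEku) }
            if (-not $allowed) { return }   # skip this certificate
        }

        # An enterprise CA stamps the template name or OID into the certificate;
        # a standalone CA or a manually built request leaves it out.
        $tpl = $cert.Extensions | Where-Object { $_.Oid.Value -in @($TemplateV1Oid, $TemplateV2Oid) }
        $templateText = if ($tpl) {
            ($tpl | ForEach-Object { $_.Format($false) }) -join '; '
        } else {
            '(none: standalone CA or manual request)'
        }

        # Build the chain with revocation checking off so offline/lab certs classify too.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)
        $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Template   = $templateText
            IssuingCA  = if ($elements.Count -gt 1) { $elements[1].Subject } else { $cert.Issuer }
            RootCA     = $elements[-1].Subject
            ChainValid = $built
            Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
}

# Sorting by root first makes the problem visible: every row under one RootCA
# value is indistinguishable to a rule that authenticates "certificate from
# this root CA", whatever template it came from.
Get-IPsecCertificateChainInfo | Sort-Object RootCA, Template |
    Format-Table Subject, Template, IssuingCA, RootCA, ChainValid -AutoSize
```

Run it on a machine enrolled from both templates and compare the RootCA column: if both rows share it, the filter rule cannot separate the two groups, and only a certificate that chains to a different root (such as one issued by the separate standalone subordinate the thread ends on) would give the rule a distinct value to match. Note that the template extension is only present on certificates issued by an enterprise CA, so certificates from a standalone CA will show the "(none)" placeholder.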



