PKI structure changes

PKI structure changes
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Applications Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
PKI structure changes C. Brice 12-28-2007
Posted by =?Utf-8?B?Qy4gQnJpY2U=?= on December 28, 2007, 11:57 am
If you were  Registered and logged in, you could reply and use other advanced thread options
We've currently got a 1-tier PKI setup with an enterprise-root CA. I'd like
to move to a 3-tier - offline standalone root, offline standalone policy, and
an enterprise issuing. I can't find any docs to explain how to get there.

Do I need to tear down the existing to bring up the new one, or can they
exist side by side?

C. Brice

Posted by Brian Komar on December 28, 2007, 7:24 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
I would say the best way is to deploy the new, only keep the enterprise root
CA around for revocation and publication of CRLs.
WHen its last certificate expires, wrip it out <G>
Brian

> We've currently got a 1-tier PKI setup with an enterprise-root CA. I'd
> like
> to move to a 3-tier - offline standalone root, offline standalone policy,
> and
> an enterprise issuing. I can't find any docs to explain how to get there.
>
> Do I need to tear down the existing to bring up the new one, or can they
> exist side by side?
>
> C. Brice


Posted by =?Utf-8?B?ZGpwYXluZXNy?= on January 2, 2008, 1:58 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
I agree with Brian. They shouldn't interfere with each other operationally as
they will both be trusted by the domain. When the new PKI infrastructure is
up and running and the certificates have been distributed the old PKI
infrastructure can be removed. As long as the objects (users, computers,
etc.) have a trusted certificate associated with them or in their local
certificate store, communication won't be affected.

However, I would definitely try this out in a lab environment before
deployment to ensure that I am completely familiar with the depolyment, error
correction and recovery and proof of concept. The lab doesn't have to be
anything fancy, a few servers, workstations and users would work. It can even
be done in a virtual environment if resources are limited.



Similar ThreadsPosted
Same Subnet structure March 3, 2006, 11:51 am
Protecting folder-structure against accidental alteration March 23, 2007, 1:16 pm
PKI CRL LDAP location exposes infos about internal DS structure to external customers March 8, 2008, 8:02 am

The site map in XML format XML site map

Contact Us | Privacy Policy